On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
> On 07/20/2012 03:03 PM, Joe Linoff wrote: 
> When you set the password on the server using the ipa passwd command
> you make it known to the admin. This is why it is right away expired
> and requires a change.
> A user needs to log in through the client that allows changing the
> password as a part of the authentication.
> It looks like your ssh is not configured to do password change (I
> suspect it uses GSSAPI but I might be wrong).
> So either the ssh needs to be configured to do the password change
> over the pam stack or you need to login as this user and change his
> password and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options
are set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes

This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the
single-sign-on. That's done by GSSAPIAuthentication.

Freeipa-users mailing list
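Added example, not part of the original message: a small checker that reads an sshd_config the way sshd does (case-insensitive keywords, first value for a keyword wins, lines after a Match treated as conditional) and reports which of the five settings listed above differ. The function names and the sample config are constructed for illustration; it assumes OpenSSH 8.7 or later, where ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication, and it does not follow Include directives.

```python
# Settings recommended in the message above (keywords lower-cased for lookup).
WANTED = {
    "usepam": "yes",
    "passwordauthentication": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# Assumption: OpenSSH 8.7+, where the two keywords name the same option.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed sample config, not taken from the thread.
SAMPLE = """\
UsePAM yes
PasswordAuthentication no
passwordauthentication yes
GSSAPIAuthentication yes
KbdInteractiveAuthentication no
Match User backup
    KerberosAuthentication no
"""

def effective_settings(text):
    """Global keyword -> value map: first occurrence wins, and parsing
    stops at the first Match line because later lines are conditional."""
    seen = {}
    for raw in text.splitlines():
        # Keyword and value may be separated by whitespace or one '='.
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) > 1:
            seen.setdefault(ALIASES.get(key, key), parts[1])
    return seen

def audit(text):
    """Return {keyword: (wanted, found)} for each differing setting;
    found is None when the file leaves the keyword at sshd's default."""
    have = effective_settings(text)
    return {k: (v, have.get(k)) for k, v in WANTED.items() if have.get(k) != v}

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, (wanted, found) in audit(text).items():
        print(f"{key}: want {wanted!r}, file has {found!r}")
```

On the sample, the duplicate PasswordAuthentication line is ignored because the first value wins, and the KerberosAuthentication line is reported as unset because it only applies inside the Match block.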