On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
> On 07/20/2012 03:03 PM, Joe Linoff wrote:
> When you set the password on the server using the ipa passwd command
> you make it known to the admin. This is why it is right away expired
> and requires a change.
> A user needs to log in through the client that allows changing the
> password as a part of the authentication.
> It looks like your ssh is not configured to do password change (I
> suspect it uses GSSAPI but I might be wrong).
> So either the ssh needs to be configured to do the password change
> over the pam stack or you need to login as this user and change his
> password and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options are set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes

This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the single-sign-on. That's done by GSSAPIAuthentication.
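
Added example, not part of the original message: a shell function that checks an sshd_config file against the five settings listed in the reply, honouring sshd's rule that the first value found for a keyword wins. The function name, output format and sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Audit the global section of an sshd_config file against the five settings
# listed in the reply above. Assumed, not from the thread: the function name,
# the output format, and the constructed sample file at the bottom.
# Limits: stops at the first Match block and does not follow Include lines.

check_sshd_config() {   # $1 = path; returns 0 only if all five settings match
    awk '
    BEGIN {
        want["usepam"] = "yes"
        want["passwordauthentication"] = "no"
        want["kerberosauthentication"] = "no"
        want["gssapiauthentication"] = "yes"
        want["challengeresponseauthentication"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        line = $0
        gsub(/[="]/, " ", line)             # "Key=value" and quoted values
        split(line, f, " ")
        key = tolower(f[1]); val = tolower(f[2])
        if (key == "match") exit            # per-user/host overrides follow
        # sshd uses the first value it finds for a keyword; later ones are ignored
        if ((key in want) && !(key in seen)) seen[key] = val
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                printf "UNSET %s (want %s, built-in default applies)\n", k, want[k]; bad++
            } else if (seen[k] != want[k]) {
                printf "FAIL  %s = %s (want %s)\n", k, seen[k], want[k]; bad++
            } else printf "OK    %s = %s\n", k, seen[k]
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: GSSAPI is off and the last line is a shadowed duplicate.
sample=$(mktemp)
printf '%s\n' 'UsePAM yes' 'PasswordAuthentication no' \
    'KerberosAuthentication no' 'GSSAPIAuthentication no' \
    'ChallengeResponseAuthentication yes' 'GSSAPIAuthentication yes' > "$sample"
check_sshd_config "$sample" || echo "sshd_config differs from the recommended settings"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration sshd would use, which also covers the Include and Match handling this file-level check skips.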
