SSH 可处理过期的 Kerberos 密码

我已经设置了 SSH - 使用 kerberos V5 进行单点登录。当用户密码过期时，它会返回“警告：密码已过期。' 并允许用户登录！我甚至对上面的/etc/pam.d/password-auth内容进行了更改：pam_krb5.sopam_unix.so

认证堆栈：

auth        requisite     pam_krb5.so uid >= 500

#Google authentication configuration module
auth        [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth        requisite  pam_google_authenticator.so


auth        [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        requisite     pam_succeed_if.so uid >= 0 quiet

帐户堆栈：

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so

请建议任何更改以防止密码过期的用户登录。

日志 ：

日志

Jun 03 11:34:29 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: CLIENT KEY EXPIRED: [email protected] for krbtgt/[email protected], Password has expired
Jun 03 11:34:47 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: ISSUE: authtime 1464933887, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected] –

/var/log/auth.log

/var/log/auth.log : /var/log/auth.log : pam_krb5[24516]: authentication succeeds for 'testyoga' ([email protected]) –