• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
The HP Community is where owners of HP products, like you, volunteer to help each other find solutions.
HP Recommended
Linux

Hello,

 

I am using HP ZCentral Remote Boost Version 20.1.2.8161 on RHEL 7.9.

 

When an LDAP user (free IPA) with an expired password authenticates (using their expired password) via the HP ZCentral Remote Boost Receiver their session is still created.

 

My original /etc/pam.d/rgsender configuration is as follows:
auth        required    pam_nologin.so

auth        include      system-auth

account  include      password-auth

session  required    pam_permit.so

 

I've tried to adjust PAM settings, but every configuration that I've tried has either resulted in all LDAP users being denied (even if their password is not expired) or users with expired passwords still being able to establish a session.

4 REPLIES 4
HP Recommended

I am checking into your issue.  I have a RHEL 8.2 setup currently but also have a RHEL 7.9 HDD that I can put into my system.  We do have a userfilter.txt file that can be used to deny connections, but you cannot have Easy Login enabled.  Are you using Easy Login?  Are you saying that the Remote Boost connection is made, and the user is not being denied at the desktop login?  

 

Kelly

I am an HP employee.
HP Recommended

Hi Kelly,

 

That's not quite it, no.

 

The issue is that a user with expired credentials in freeIPA is still granted a session when connectibg to rgsender via rgreceiver. I believe the correct behavior is that the user with expired credentials should either fail to log in, or be prompted to change their password.

 

I'm happy to provide more information if you need it.

 

Thanks!

HP Recommended

Would love to get more info so I do the correct reproduction of your issues.  Let me get PM enabled for you so I can reach out for more details.

Kelly

I am an HP employee.
HP Recommended

Sounds good, thank you!

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.