Doug OLeary <dkoleary@olearycomputers.com> wrote on 11.03.2014 at 01:05 in
message <alpine.LRH.2.03.1403101830130.16106@olearycomputers.com>:
> Hey;
> When using local accounts, ssh honors password expiration even if using public key authentication. This is the case at least on HP-UX, Solaris, and various flavors of Linux. This is a good thing. I won't go through all the
> security reasons why passwords should periodically change. Suffice to say that they should and most companies have policies regarding password expiration.
> When using OpenLDAP, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter.

I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local user authenticated with SSH keys only: if the password (that was never used) expired, ssh key login was denied. The user had to change his password (using non-key login).

> Is there a way to force openssh to honor these settings like it does for local accounts?

I guess it's a question of PAM.

> Test environment is CentOS 6.5 running on a KVM tying into an OpenLDAP server ver 2.4.23. My test environment is certainly following the symptoms of my client's UnboundID server supporting a variety of Linux platforms - all RHEL based - from ver 4 through 6.
> Any help greatly appreciated.
> Doug O'Leary
> Senior UNIX/Security Admin CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> dkoleary@olearycomputers.com
> (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary
> resume: http://www.olearycomputers.com/resume.html
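The reason local accounts behave as Doug describes is that sshd, with `UsePAM yes`, runs the PAM account stage for every login, public-key logins included, and pam_unix evaluates the shadow aging fields there. A public-key login never performs a password bind against the directory, so an LDAP-backed account stage can only enforce expiry from attributes it can read (the shadowAccount fields, or the ppolicy `pwdReset` flag Doug mentions). The script below is an added example, not code from this thread, that models that account-stage decision over constructed LDIF entries using the shadow(5) aging rules; the entries, the uids and the `today` date are made up for illustration.

```python
import datetime

# Constructed sample entries (not from the thread). shadowAccount fields hold
# day counts since 1970-01-01, exactly as /etc/shadow does; pwdReset comes from
# the OpenLDAP ppolicy overlay and means "administrator forced a reset".
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowLastChange: 16100
shadowMax: 90
shadowWarn: 7
shadowInactive: 14

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 0
shadowMax: 90

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
shadowLastChange: 16130
shadowMax: 90
pwdReset: TRUE

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
shadowLastChange: 16000
shadowMax: 90
shadowWarn: 7

dn: uid=erin,ou=People,dc=example,dc=com
uid: erin
shadowLastChange: 16000
shadowMax: 90
shadowInactive: 14

dn: uid=frank,ou=People,dc=example,dc=com
uid: frank
shadowLastChange: 16055
shadowMax: 90
shadowWarn: 7

dn: uid=grace,ou=People,dc=example,dc=com
uid: grace
shadowLastChange: 16130
shadowMax: 90
shadowExpire: 16139
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value' per line."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def days_since_epoch(date):
    return (date - datetime.date(1970, 1, 1)).days


def password_status(entry, today):
    """Account-stage verdict for one entry, modelled on the shadow(5) aging rules.

    Returns one of: ok, warn, must_change, expired, inactive, account_expired.
    """
    if entry.get("pwdReset", "").upper() == "TRUE":
        return "must_change"                      # ppolicy: admin forced a reset
    expire = int(entry.get("shadowExpire", -1))
    if expire >= 0 and today >= expire:
        return "account_expired"                  # whole account disabled
    last = int(entry.get("shadowLastChange", -1))
    if last < 0:
        return "ok"                               # no aging information at all
    if last == 0:
        return "must_change"                      # shadow convention for "change now"
    max_days = int(entry.get("shadowMax", -1))
    if max_days < 0:
        return "ok"                               # aging disabled
    age = today - last
    inactive = int(entry.get("shadowInactive", -1))
    if age > max_days:
        if inactive >= 0 and age > max_days + inactive:
            return "inactive"                     # grace period also exhausted
        return "expired"                          # password too old
    warn = int(entry.get("shadowWarn", 0))
    if age >= max_days - warn:
        return "warn"                             # still valid, warn the user
    return "ok"


def login_decision(status):
    """What a PAM-aware sshd does with the verdict, regardless of auth method."""
    if status in ("ok", "warn"):
        return "allow"
    if status == "must_change":
        return "change_required"
    return "deny"


def evaluate(ldif_text, today):
    """Map uid -> (status, decision) for every entry in the LDIF text."""
    return {e["uid"]: (s, login_decision(s))
            for e in parse_ldif(ldif_text)
            for s in [password_status(e, today)]}


if __name__ == "__main__":
    today = days_since_epoch(datetime.date(2014, 3, 11))   # date of the thread
    for uid, (status, decision) in evaluate(SAMPLE_LDIF, today).items():
        print(f"{uid:8} {status:16} -> {decision}")
```

Whichever LDAP client module sits in the account stack (pam_ldap, nss-pam-ldapd or sssd) has to make this same decision from readable attributes; if it only learns expiry from the bind response, a key-based login will never trigger it, which matches the symptom Doug reports.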