Thanks for the reply.
I'm not sure about OpenLDAP, but on HP-UX there was a problem if
a local user authenticated with SSH keys only: If the password (that was never used)
expired, ssh key login was denied. The user had to change his password (using non-key

That's not a problem - that's the way it's supposed to work. An account
shouldn't be able to circumvent password expiration requirements simply because its
primary access method is ssh keys. There are any number of bad things that can happen as
a result of that ability. I can think of three right off the top of my head. Short
version: if an account has a password, it needs to change regularly.
I'm figuring it's a pam configuration as well; however, since it's related to
ldap authentication, I'm hoping others in this group might have seen and fixed the
problem. I already have questions opened w/the OS vendor.
Thanks again for your reply.

Senior UNIX/Security Admin
CISSP, CISA, RHCSA, CEH
O'Leary Computers Inc
dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
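An added example, not from this thread or either poster: a small audit over entries in /etc/shadow format that classifies each account's password-aging state, which is what PAM's account phase evaluates when sshd runs with `UsePAM yes`, so an "expired" result is exactly the case above where a key-only user is turned away until the password is changed. Field semantics follow shadow(5); the sample entries are constructed.

```python
# Added example, not from the thread: audit entries in /etc/shadow format to find
# accounts whose expired password would block logins (with `UsePAM yes`, sshd runs
# PAM's account phase even for public-key authentication). Sample data is constructed.
from datetime import date

# Constructed sample entries, shadow(5) layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$abc:19000:0:90:7:::
bob:$6$def:19700:0:99999:7:::
carol:$6$ghi:19600:0:60:7:14::
dave:!!:19500:0:90:7:::
erin:$6$jkl:19650:0:90:7::19660:
frank:$6$mno:19700:0:90:7:::
"""


def days_since_epoch(today=None):
    """Days since 1970-01-01, the unit shadow(5) uses for its date fields."""
    today = today or date.today()
    return (today - date(1970, 1, 1)).days


def password_state(line, today_days):
    """Classify one shadow line relative to `today_days` (days since epoch)."""
    name, pw, lastchg, _min, max_, _warn, inactive, expire = line.split(":")[:8]
    if pw.startswith(("!", "*")):
        return name, "locked"            # hash disabled: no password login at all
    if expire and int(expire) <= today_days:
        return name, "account-expired"   # absolute account expiry date has passed
    if not max_ or int(max_) >= 99999:
        return name, "no-expiry"         # password never ages
    must_change_after = int(lastchg) + int(max_)
    if today_days <= must_change_after:
        return name, "ok"
    if inactive and today_days > must_change_after + int(inactive):
        return name, "inactive"          # grace period used up: login denied outright
    return name, "expired"               # login blocked until the password is changed


def audit(shadow_text, today_days=None):
    """Map every account in the shadow text to its password-aging state."""
    today_days = days_since_epoch() if today_days is None else today_days
    return dict(password_state(l, today_days) for l in shadow_text.splitlines() if l)


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_SHADOW, 19750).items()):
        print(f"{name:8s} {state}")
```

Run it against a real shadow file with `audit(open("/etc/shadow").read())` (root required) to list key-only accounts that are about to be denied before users start reporting failed logins.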