Hey;
When using local accounts, ssh honors password expiration even if using public key authentication. This is the case at least on HPUX, Solaris, and various flavors of Linux. This is a good thing. I won't go through all the security reasons why passwords should periodically change. Suffice to say that they should and most companies have policies regarding password expiration.
When using openldap, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter.
Is there a way to force openssh to honor these settings like it does for local accounts?
Test environment is centos6.5 running on a kvm tying into an openldap server ver 2.4.23. My test environment is certainly following the symptoms of my client's unboundid server supporting a variety of linux platforms - all rhel based - from ver 4 through 6.
Any help greatly appreciated.
Doug O'Leary ------------ Senior UNIX/Security Admin CISSP, CISA, RHCSA, CEH O'Leary Computers Inc dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749 linkedin: http://www.linkedin.com/in/dkoleary resume: http://www.olearycomputers.com/resume.html
Try using a filter in sssd.conf.
Something like
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))
-Mike
> Date: Mon, 10 Mar 2014 19:05:21 -0500
> From: dkoleary@olearycomputers.com
> To: openldap-technical@openldap.org
> Subject: open(ldap|ssh) interaction
Doug OLeary wrote:
> Is there a way to force openssh to honor these settings like it does for local accounts?
If you want to know how to control OpenSSH settings, it seems to me you should ask on an OpenSSH mailing list.
Hey;
Thanks for the reply.
> If you want to know how to control OpenSSH settings, it seems to me you should ask on an OpenSSH mailing list.
It's not an openssh setting other than *UsePAM yes*. It's *most* likely a pam setting, either in /etc/pam.d/sshd or in /etc/pam.d/system-auth.
Since ssh honors these settings for local accounts and even for ldap accounts without keys, it seems logical that someone in the ldap community would have faced this issue already.
Thanks again for the reply.
Doug O'Leary
Doug OLeary dkoleary@olearycomputers.com wrote on 11.03.2014 at 01:05 in message alpine.LRH.2.03.1403101830130.16106@olearycomputers.com:
> When using openldap, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter.
I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local user authenticated with SSH keys only: If the password (that was never used) expired, ssh key login was denied. The user had to change his password (using non-key login).
> Is there a way to force openssh to honor these settings like it does for local accounts?
I guess it's a question of PAM.
Hey;
Thanks for the reply.
> I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local user authenticated with SSH keys only: If the password (that was never used) expired, ssh key login was denied. The user had to change his password (using non-key login).
That's not a problem - that's the way it's supposed to work. An account shouldn't be able to circumvent password expiration requirements simply because its primary access method is ssh keys. There are any number of bad things that can happen as a result of that ability. I can think of three right off the top of my head. Short version: if an account has a password, it needs to change regularly.
I'm figuring it's a pam configuration as well; however, since it's related to ldap authentication, I'm hoping others in this group might have seen and fixed the problem. I already have questions opened w/the OS vendor.
Thanks again for your reply.
Doug O'Leary
Doug, did you not see my reply? Perhaps you're not using sssd but the sssd_ldap filter works for me.
-Mike
> From: dkoleary@olearycomputers.com
> Subject: Re: Antw: open(ldap|ssh) interaction
> Date: Tue, 11 Mar 2014 09:05:28 -0500
> To: Ulrich.Windl@rz.uni-regensburg.de
> CC: openldap-technical@openldap.org
Hey, Mike;
Sorry for the delay in responding. Yes, I did see your answer. I didn't get a chance to try it out yet. Was hoping for after work this evening. While that'd work for my test env, it's not going to be a complete answer for my client as they're using rhel4 and 5 systems too. Fortunately, the rhel4 ones will be going away soon; but, there's still the rhel5.
I appreciate the response and tip. Apologies again for not responding.
Doug O'Leary
On Tue, 11 Mar 2014, Michael wrote:
> Doug, did you not see my reply? Perhaps you're not using sssd but the sssd_ldap filter works for me.
> -Mike
> I'm figuring it's a pam configuration as well; however, since it's related to ldap authentication, I'm hoping others in this group might have seen and fixed the problem.
I think you might be on the right track: did you configure both PAM authentication and account modules to use LDAP PAM libraries? If not, you should.
Best regards – Miroslaw Baran
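The thread converges on the PAM account stage as the place to fix this. With UsePAM yes, sshd runs pam_acct_mgmt after a successful public-key authentication as well, which is how pam_unix enforces shadow expiry for local users; for LDAP users, whatever module answers at that stage has to evaluate the ppolicy state itself, because a key-based login never performs the LDAP bind that would make the overlay enforce it. Mike's sssd filter covers only pwdAccountLockedTime. The check below is an added example, not code from this thread, from OpenLDAP or from sssd: it evaluates the three conditions Doug lists (lockout, including a lock that has outlived pwdLockoutDuration; pwdReset; and pwdMaxAge measured against pwdChangedTime) over ppolicy attributes. The LDIF entries, policy values, reference date and every function name are constructed for the example.

```python
"""Account-stage check of OpenLDAP ppolicy state, so that a public-key sshd
login can be refused for a locked, administratively reset, or aged password
exactly as a password login would be. Added example, not code from the
mailing-list thread, OpenLDAP or sssd; the LDIF below is constructed data."""
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"      # LDAP GeneralizedTime as ppolicy writes it
PERMANENT_LOCK = "000001010000Z"  # sentinel ppolicy stores for an admin lock
REFERENCE_NOW = datetime(2014, 3, 11, tzinfo=timezone.utc)  # the thread's date

# Constructed sample policy (what pwdPolicySubentry or the default policy
# would point the users at): 90-day max age, 15-minute lockout.
SAMPLE_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdLockoutDuration: 900
"""

# Constructed sample users covering each state the check has to recognise.
SAMPLE_USERS_LDIF = {
    "alice": "dn: uid=alice,ou=people,dc=example,dc=com\n"
             "pwdChangedTime: 20131201120000Z\npwdReset: TRUE\n",
    "bob":   "dn: uid=bob,ou=people,dc=example,dc=com\n"
             "pwdChangedTime: 20131201120000Z\n",
    "carol": "dn: uid=carol,ou=people,dc=example,dc=com\n"
             "pwdChangedTime: 20140301090000Z\n",
    "dave":  "dn: uid=dave,ou=people,dc=example,dc=com\n"
             "pwdChangedTime: 20140301090000Z\n"
             "pwdAccountLockedTime: 000001010000Z\n",
    "erin":  "dn: uid=erin,ou=people,dc=example,dc=com\n"
             "pwdChangedTime: 20140301090000Z\n"
             "pwdAccountLockedTime: 20140310230000Z\n",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.
    Unfolds continuation lines; rejects base64 (::) values rather than
    misreading them, since ppolicy attributes are plain GeneralizedTime."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError("base64 value not supported for %s" % attr)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def gt(value):
    """GeneralizedTime string -> timezone-aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def evaluate(user, policy, now, require_changed_time=True):
    """Return (allowed, reason). Same order the overlay applies on a bind:
    lockout, then pwdReset, then pwdMaxAge. A key-based sshd login never
    binds, so nothing here fires unless the PAM account stage asks for it."""
    locked = user.get("pwdaccountlockedtime", [None])[0]
    if locked == PERMANENT_LOCK:
        return False, "account permanently locked by administrator"
    if locked:
        duration = int(policy.get("pwdlockoutduration", ["0"])[0])
        # pwdLockoutDuration 0 means the lock never expires on its own.
        if duration == 0 or now < gt(locked) + timedelta(seconds=duration):
            return False, "account locked since %s" % locked
    if user.get("pwdreset", ["FALSE"])[0].upper() == "TRUE":
        return False, "password was reset by an administrator; change required"
    changed = user.get("pwdchangedtime", [None])[0]
    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    if changed is None:
        # ppolicy itself never ages a password that has no pwdChangedTime;
        # being strict about that is the point of the thread, so deny by default.
        return (not require_changed_time), "no pwdChangedTime on entry"
    expires = gt(changed) + timedelta(seconds=max_age)
    if max_age and now >= expires:
        return False, "password expired on %s" % expires.strftime(GT_FORMAT)
    return True, "ok"


def check_sample(name, now=REFERENCE_NOW):
    """Evaluate one constructed sample user against the constructed policy."""
    policy = parse_ldif(SAMPLE_POLICY_LDIF)
    return evaluate(parse_ldif(SAMPLE_USERS_LDIF[name]), policy, now)


if __name__ == "__main__":
    for name in SAMPLE_USERS_LDIF:
        allowed, reason = check_sample(name)
        print("%-6s %s (%s)" % (name, "allow" if allowed else "deny", reason))
```

Run stand-alone it prints a verdict per sample user. To act on a real account it would have to fetch the user's entry and its policy with ldapsearch and be called from the sshd account stack, for instance through pam_exec.so placed before pam_permit; that wiring is an assumption of this example, not something the thread describes, and the bind DN used for the lookup must be granted read access to the ppolicy operational attributes (pwdAccountLockedTime, pwdReset, pwdChangedTime) or the search returns nothing and the check passes vacuously. If sssd is available, Mike's static-filter route needs access_provider = ldap alongside ldap_access_order = filter, and the filter can be widened to (&(!(pwdAccountLockedTime=*))(!(pwdReset=TRUE))); a static filter cannot compare pwdChangedTime with pwdMaxAge, though, which is why the age check above is done in code.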