Hey; When using local accounts, ssh honors password expiration even if using public key authentication. This is the case at least on HPUX, Solaris, and various flavors of Linux. This is a good thing. I won't go through all the security reasons why passwords should periodically change. Suffice to say that they should and most companies have policies regarding password expiration. When using openldap, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter. Is there a way to force openssh to honor these settings like it does for local accounts?

Test environment is centos6.5 running on a kvm tying into an openldap server ver 2.4.23. My test environment is certainly following the symptoms of my client's unboundid server supporting a variety of linux platforms - all rhel based - from ver 4 through 6. Any help greatly appreciated. Doug O'Leary ------------ Senior UNIX/Security Admin CISSP, CISA, RHCSA, CEH O'Leary Computers Inc dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749 linkedin: http://www.linkedin.com/in/dkoleary resume: http://www.olearycomputers.com/resume.html

>> Doug OLeary <dkoleary(a)olearycomputers.com&gt; schrieb am 11.03.2014 um 01:05 in

Hey; When using local accounts, ssh honors password expiration even if using public key authentication. This is the case at least on HPUX, Solaris, and various flavors of Linux. This is a good thing. I won't go through all the security reasons why passwords should periodically change. Suffice to say that they should and most companies have policies regarding password expiration. When using openldap, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter.

Is there a way to force openssh to honor these settings like it does for local accounts?

Test environment is centos6.5 running on a kvm tying into an openldap server ver 2.4.23. My test environment is certainly following the symptoms of my client's unboundid server supporting a variety of linux platforms - all rhel based - from ver 4 through 6. Any help greatly appreciated. Doug O'Leary ------------ Senior UNIX/Security Admin CISSP, CISA, RHCSA, CEH O'Leary Computers Inc dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749 linkedin: http://www.linkedin.com/in/dkoleary resume: http://www.olearycomputers.com/resume.html

From: dkoleary(a)olearycomputers.com Subject: Re: Antw: open(ldap|ssh) interaction Date: Tue, 11 Mar 2014 09:05:28 -0500 To: Ulrich.Windl(a)rz.uni-regensburg.de CC: openldap-technical(a)openldap.org Hey; Thanks for the reply. > I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local user authenticated with SSH keys only: If the password (that was never used) expired, ssh key login was denied. The user had to change his password (using non-key login). That's not a problem - that's the way it's supposed to work. An account shouldn't be able to circumvent password expiration requirements simply because its primary access method is ssh keys. There are any number of bad things that can happen as a result of that ability. I can think of three right off the top of my head. Short version: if an account has a password, it needs to change regularly. I'm figuring it's a pam configuration as well; however, since it's related to ldap authentication, I'm hoping others in this group might have seen and fixed the problem. I already have questions opened w/the OS vendor. Thanks again for your reply. Doug O'Leary ------------------- Senior UNIX/Security Admin CISSP, CISA, RHCSA, CEH O'Leary Computers Inc dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749 linkedin: http://www.linkedin.com/in/dkoleary resume: http://www.olearycomputers.com/resume.html

I'm figuring it's a pam configuration as well; however, since it's related to ldap authentication, I'm hoping others in this group might have seen and fixed the problem.