DSEE Notes - Revision history

Hutch: /* Why does my SSH public key work when my account is locked? */

Hutch — Thu, 13 Dec 2007 22:16:35 GMT

Why does my SSH public key work when my account is locked?

←Older revision		Revision as of 22:16, 13 December 2007
Line 55:		Line 55:
	My guess is that because DSEE doesn't change ''userPassword'' to ''LK'' when an account is locked, the SSH server considers the account "accessible," and permits public key authentication.		My guess is that because DSEE doesn't change ''userPassword'' to ''LK'' when an account is locked, the SSH server considers the account "accessible," and permits public key authentication.

-	The only way I can think of to disable this is to ~~set~~ '''PubkeyAuthentication no''' (SSH protocol 2) and '''RSAAuthentication no''' (if you allow SSH protocol 1) in ''sshd_config''~~, although this is is~~ a ~~step~~ backward security-wise ~~(i.e.~~, ~~using~~ one-factor authentication instead of two).	+	The only way I can think of to disable this behavior is to require password authentication by setting '''PubkeyAuthentication no''' (SSH protocol 2) and '''RSAAuthentication no''' (if you allow SSH protocol 1) in ''sshd_config''. This would be a backward security-wise, as you would use one-factor authentication instead of two.

Hutch: /* Why does my SSH public key work when my account is locked? */

Hutch — Thu, 13 Dec 2007 22:14:35 GMT

Why does my SSH public key work when my account is locked?

←Older revision		Revision as of 22:14, 13 December 2007
Line 55:		Line 55:
	My guess is that because DSEE doesn't change ''userPassword'' to ''LK'' when an account is locked, the SSH server considers the account "accessible," and permits public key authentication.		My guess is that because DSEE doesn't change ''userPassword'' to ''LK'' when an account is locked, the SSH server considers the account "accessible," and permits public key authentication.

-	The only way I can think of to disable this is to set '''PubkeyAuthentication no''' (SSH protocol 2) and '''RSAAuthentication no''' (if you allow SSH protocol 1) in ''sshd_config'', although this is is a step backward security-wise (i.e., using one-factor instead of two~~-factor authentication~~).	+	The only way I can think of to disable this is to set '''PubkeyAuthentication no''' (SSH protocol 2) and '''RSAAuthentication no''' (if you allow SSH protocol 1) in ''sshd_config'', although this is is a step backward security-wise (i.e., using one-factor authentication instead of two).

Hutch at 22:13, 13 December 2007

Hutch — Thu, 13 Dec 2007 22:13:44 GMT

←Older revision		Revision as of 22:13, 13 December 2007
Line 1:		Line 1:
		+	== Overview ==
		+
		+	Unless otherwise specified, these notes pertain to a Sun Directory Server Enterprise Edition (DSEE) 6.2 installation.
		+
	== Account Lockout ==		== Account Lockout ==

Line 34:		Line 38:
	replace: UserPassword		replace: UserPassword
	UserPassword: {SSHA}''XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX''		UserPassword: {SSHA}''XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX''
		+
		+	=== Why does my SSH public key work when my account is locked? ===
		+
		+	From ''sshd''(8):
		+	Regardless of the authentication type, the account is checked to ensure
		+	that it is accessible. An account is not accessible if it is locked,
		+	listed in DenyUsers or its group is listed in DenyGroups . The defini‐
		+	tion of a locked account is system dependant. Some platforms have their
		+	own account database (eg AIX) and some modify the passwd field ( ‘LK’
		+	on Solaris and UnixWare, ‘*’ on HP-UX, containing ‘Nologin’ on Tru64, a
		+	leading ‘LOCKED’ on FreeBSD and a leading ‘!!’ on Linux). If there is
		+	a requirement to disable password authentication for the account while
		+	allowing still public-key, then the passwd field should be set to some‐
		+	thing other than these values (eg ‘NP’ or ‘NP’ ).
		+
		+	My guess is that because DSEE doesn't change ''userPassword'' to ''LK'' when an account is locked, the SSH server considers the account "accessible," and permits public key authentication.
		+
		+	The only way I can think of to disable this is to set '''PubkeyAuthentication no''' (SSH protocol 2) and '''RSAAuthentication no''' (if you allow SSH protocol 1) in ''sshd_config'', although this is is a step backward security-wise (i.e., using one-factor instead of two-factor authentication).

Hutch: /* How do you unlock the account? */

Hutch — Thu, 13 Dec 2007 21:11:39 GMT

How do you unlock the account?

←Older revision		Revision as of 21:11, 13 December 2007
Line 23:		Line 23:
	* Everything else I've tried, including deleting '''accountUnlockTime''', '''passwordRetryCount''', and '''RetryCountResetTime'''.		* Everything else I've tried, including deleting '''accountUnlockTime''', '''passwordRetryCount''', and '''RetryCountResetTime'''.

-	To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., '''pwd-max-history-count''' is disabled), include the full userPassword entry, including the password hash, in the LDIF.	+	To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., '''pwd-max-history-count''' is disabled), include the full ''userPassword'' entry, including the password hash, in the LDIF.
	e.g.,		e.g.,
	dn: uid=user1,ou=people,dc=subdomain,dc=example,dc=com		dn: uid=user1,ou=people,dc=subdomain,dc=example,dc=com

Hutch: /* How do you unlock the account? */

Hutch — Thu, 13 Dec 2007 21:11:13 GMT

How do you unlock the account?

←Older revision		Revision as of 21:11, 13 December 2007
Line 21:		Line 21:

	What doesn't work:		What doesn't work:
-	* Everything else I've tried, including deleting '''accountUnlockTime''', '''	+	* Everything else I've tried, including deleting '''accountUnlockTime''', '''passwordRetryCount''', and '''RetryCountResetTime'''.
-	passwordRetryCount''', and '''RetryCountResetTime'''.	+

	To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., '''pwd-max-history-count''' is disabled), include the full userPassword entry, including the password hash, in the LDIF.		To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., '''pwd-max-history-count''' is disabled), include the full userPassword entry, including the password hash, in the LDIF.

Hutch: New page: == Account Lockout == Assuming a Directory Server password policy of the following: pwd-lockout-duration : disabled pwd-lockout-enabled : on pwd-max-f...

Hutch — Thu, 13 Dec 2007 21:10:36 GMT

New page: == Account Lockout == Assuming a Directory Server password policy of the following: pwd-lockout-duration : disabled pwd-lockout-enabled : on pwd-max-f...

New page

== Account Lockout ==

Assuming a Directory Server password policy of the following:

pwd-lockout-duration : disabled
pwd-lockout-enabled : on
pwd-max-failure-count : 3

=== What happens when a user enters an incorrect password 3 times? ===
* The operational attribute '''accountUnlockTime''' is set to '''19700101000000Z'''.
* The operational attribute '''passwordRetryCount''' is set to '''3'''.

Other notes:
* Additional failed logins will not increment '''passwordRetryCount''' above '''pwd-max-failure-count'''.
* Locked accounts and inactive accounts are separate. A locked account can still be activated.

=== How do you unlock the account? ===

What works:
* Reset the '''userPassword''' using an appropriate LDIF.

What doesn't work:
* Everything else I've tried, including deleting '''accountUnlockTime''', '''
passwordRetryCount''', and '''RetryCountResetTime'''.

To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., '''pwd-max-history-count''' is disabled), include the full userPassword entry, including the password hash, in the LDIF.
e.g.,
dn: uid=user1,ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
replace: UserPassword
UserPassword: {crypt}''XXXXXXXXXXXXX''
-
dn: uid=user2,ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
replace: UserPassword
UserPassword: {SSHA}''XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX''