DSEE Notes

From Brandonhutchinson.com

Revision as of 22:16, 13 December 2007 by Hutch (Talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to: navigation, search



Unless otherwise specified, these notes pertain to a Sun Directory Server Enterprise Edition (DSEE) 6.2 installation.

Account Lockout

Assuming a Directory Server password policy of the following:

pwd-lockout-duration               :  disabled  
pwd-lockout-enabled                :  on
pwd-max-failure-count              :  3  

What happens when a user enters an incorrect password 3 times?

  • The operational attribute accountUnlockTime is set to 19700101000000Z.
  • The operational attribute passwordRetryCount is set to 3.

Other notes:

  • Additional failed logins will not increment passwordRetryCount above pwd-max-failure-count.
  • Locked accounts and inactive accounts are separate. A locked account can still be activated.

How do you unlock the account?

What works:

  • Reset the userPassword using an appropriate LDIF.

What doesn't work:

  • Everything else I've tried, including deleting accountUnlockTime, passwordRetryCount, and RetryCountResetTime.

To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., pwd-max-history-count is disabled), include the full userPassword entry, including the password hash, in the LDIF. e.g.,

dn: uid=user1,ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
replace: UserPassword
UserPassword: {crypt}XXXXXXXXXXXXX
dn: uid=user2,ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
replace: UserPassword

Why does my SSH public key work when my account is locked?

From sshd(8):

    Regardless of the authentication type, the account is checked to ensure
    that it is accessible.  An account is not accessible if it is locked,
    listed in DenyUsers or its group is listed in DenyGroups .  The defini‐
    tion of a locked account is system dependant. Some platforms have their
    own account database (eg AIX) and some modify the passwd field ( ‘*LK*’
    on Solaris and UnixWare, ‘*’ on HP-UX, containing ‘Nologin’ on Tru64, a
    leading ‘*LOCKED*’ on FreeBSD and a leading ‘!!’ on Linux).  If there is
    a requirement to disable password authentication for the account while
    allowing still public-key, then the passwd field should be set to some‐
    thing other than these values (eg ‘NP’ or ‘*NP*’ ).

My guess is that because DSEE doesn't change userPassword to *LK* when an account is locked, the SSH server considers the account "accessible," and permits public key authentication.

The only way I can think of to disable this behavior is to require password authentication by setting PubkeyAuthentication no (SSH protocol 2) and RSAAuthentication no (if you allow SSH protocol 1) in sshd_config. This would be a backward security-wise, as you would use one-factor authentication instead of two.

Personal tools