Pam unix with LDAP server account lockout - Revision history

Hutch: /* OpenSSH Steps */

2008-03-03T22:36:59Z

OpenSSH Steps

←Older revision		Revision as of 22:36, 3 March 2008
Line 173:		Line 173:
	Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100		Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
	bash-2.03$		bash-2.03$
		+
		+	Note: If the user you are attempting to authenticate as using ssh is denied via the ssh directives ''DenyUsers'', ''AllowUsers'', ''DenyGroups'', or ''AllowGroups'', the account will not lock in LDAP regardless of how many incorrect passwords are entered.

Hutch: /* Overview */

2007-12-18T19:50:58Z

Overview

←Older revision		Revision as of 19:50, 18 December 2007
Line 7:		Line 7:
	* The Directory Server must only store user passwords in ''crypt'' format.		* The Directory Server must only store user passwords in ''crypt'' format.

-	Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an ~~audit~~ requirement mandating account lockout after 3 failed login attempts.	+	Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an auditor requirement mandating account lockout after 3 failed login attempts.

	== DSEE Steps ==		== DSEE Steps ==

Hutch: /* Overview */

2007-12-18T19:50:13Z

Overview

←Older revision		Revision as of 19:50, 18 December 2007
Line 2:		Line 2:

	In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:		In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:
-	* The ''proxyagent'' account has read and search privileges for the ''userPassword'' attribute).	+	* The ''proxyagent'' account has read and search privileges for the ''userPassword'' attribute.
	* User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.		* User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
	* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.		* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.

Hutch: Pam unix with LDAP server password controls moved to Pam unix with LDAP server account lockout

2007-12-18T00:36:49Z

Pam unix with LDAP server password controls moved to Pam unix with LDAP server account lockout

←Older revision

Revision as of 00:36, 18 December 2007

Hutch: /* PAM Steps */

2007-12-18T00:35:52Z

PAM Steps

←Older revision		Revision as of 00:35, 18 December 2007
Line 103:		Line 103:
	other password required pam_authtok_check.so.1		other password required pam_authtok_check.so.1
	other password sufficient pam_authtok_store.so.1		other password sufficient pam_authtok_store.so.1
-	<s>other password required pam_ldap.so.1'''</s>	+	<s>'''other password required pam_ldap.so.1'''</s>
	#		#
	# Support for Kerberos V5 authentication (uncomment to use Kerberos)		# Support for Kerberos V5 authentication (uncomment to use Kerberos)

Hutch at 00:34, 18 December 2007

2007-12-18T00:34:53Z

←Older revision		Revision as of 00:34, 18 December 2007
Line 6:		Line 6:
	* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.		* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.
	* The Directory Server must only store user passwords in ''crypt'' format.		* The Directory Server must only store user passwords in ''crypt'' format.
		+
		+	Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an audit requirement mandating account lockout after 3 failed login attempts.

	== DSEE Steps ==		== DSEE Steps ==

Hutch: /* PAM Steps */

2007-12-18T00:32:22Z

PAM Steps

←Older revision		Revision as of 00:32, 18 December 2007
Line 101:		Line 101:
	other password required pam_authtok_check.so.1		other password required pam_authtok_check.so.1
	other password sufficient pam_authtok_store.so.1		other password sufficient pam_authtok_store.so.1
-	other password required pam_ldap.so.1	+	<s>other password required pam_ldap.so.1'''</s>
	#		#
	# Support for Kerberos V5 authentication (uncomment to use Kerberos)		# Support for Kerberos V5 authentication (uncomment to use Kerberos)
Line 152:		Line 152:
	entered, the user is prompted for another password.		entered, the user is prompted for another password.

-		+	* The ''server_policy'' module option causes ''pam_unix_auth.so.1'' to ignore user accounts that only exist in LDAP. This allows the ''pam_ldap'' module stacked below to process the authentication attempt according to LDAP server policy.
-		+
-	The ''server_policy'' module option causes ''pam_unix_auth.so.1'' to ignore user accounts that only exist in LDAP. This allows the ''pam_ldap'' module stacked below to process the authentication attempt according to LDAP server policy.	+

	Without this change, users with locked accounts would still be able to authenticate; ''pam_unix'' authentication would succeed because ''userPassword'' is readable and in ''crypt'' format.		Without this change, users with locked accounts would still be able to authenticate; ''pam_unix'' authentication would succeed because ''userPassword'' is readable and in ''crypt'' format.

Hutch: /* PAM Steps */

2007-12-18T00:30:54Z

PAM Steps

←Older revision		Revision as of 00:30, 18 December 2007
Line 19:		Line 19:

	== PAM Steps ==		== PAM Steps ==
		+
	* The ''proxyagent'' account has read and search privileges for the ''userPassword'' attribute.		* The ''proxyagent'' account has read and search privileges for the ''userPassword'' attribute.
	No change is needed; this is enabled by default.		No change is needed; this is enabled by default.
Line 24:		Line 25:
	* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.		* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.

-	Install the ''pam.conf'' file located [http://docs.sun.com/app/docs/doc/806-4077/6jd6blbg4?a=view here], and make the following changes in bold.	+	Install the ''pam.conf'' file located [http://docs.sun.com/app/docs/doc/806-4077/6jd6blbg4?a=view here], and make the following changes in bold. The default ''pam.conf'' file uses ''pam_unix'' which will not enforce the LDAP server's password policy; i.e., ''passwordRetryCount'' will not increment after an invalid password is entered, and the account will never lock.

	#		#

Hutch: /* PAM Steps */

2007-12-18T00:30:21Z

PAM Steps

←Older revision		Revision as of 00:30, 18 December 2007
Line 112:		Line 112:
	#other password optional pam_krb5.so.1 try_first_pass		#other password optional pam_krb5.so.1 try_first_pass

-	~~The~~ ''~~try_first_pass'' module option causes ''pam_ldap~~.~~so.1~~'' ~~to prompt for the user's password an additional time when the account is not locked.~~	+	=== Explanation of ''pam.conf'' changes ===

-	* Example (the ''user'' account is not locked):	+	* The ''try_first_pass'' module option causes ''pam_ldap.so.1'' to prompt for the user's password an additional time when the account is not locked.
		+
		+	Example (the ''user'' account is not locked):

	$ '''ssh user@host'''		$ '''ssh user@host'''
Line 123:		Line 125:
	Permission denied (publickey,keyboard-interactive,hostbased).		Permission denied (publickey,keyboard-interactive,hostbased).

-	* Example (the ''user'' account is locked):	+	Example (the ''user'' account is locked):

	$ '''ssh user@host'''		$ '''ssh user@host'''
Line 131:		Line 133:
	Permission denied (publickey,keyboard-interactive,hostbased).		Permission denied (publickey,keyboard-interactive,hostbased).

-	The presence of the additional ''LDAP Password:'' prompt ~~apparently~~ causes problems with the legacy application. The module option ''use_first_pass'' must be used, as ''try_first_pass'' is the default even if it is not specified.	+	The presence of the additional ''LDAP Password:'' prompt causes problems with the legacy application in this example. The module option ''use_first_pass'' must be used, as ''try_first_pass'' is the default even if it is not specified.

	From ''pam_ldap''(5):		From ''pam_ldap''(5):
Line 149:		Line 151:
	entered, the user is prompted for another password.		entered, the user is prompted for another password.

-	* The default ''pam.conf'' file uses ''pam_unix'' which will not enforce the LDAP server's password policy; i.e., ''passwordRetryCount'' will not increment after an invalid password is entered, and the account will never lock.

-	* The ''server_policy'' module option causes ''pam_unix_auth.so.1'' to ignore user accounts that only exist in LDAP. This allows the ''pam_ldap'' module stacked below to process the authentication attempt according to LDAP server policy.	+
		+	The ''server_policy'' module option causes ''pam_unix_auth.so.1'' to ignore user accounts that only exist in LDAP. This allows the ''pam_ldap'' module stacked below to process the authentication attempt according to LDAP server policy.

	Without this change, users with locked accounts would still be able to authenticate; ''pam_unix'' authentication would succeed because ''userPassword'' is readable and in ''crypt'' format.		Without this change, users with locked accounts would still be able to authenticate; ''pam_unix'' authentication would succeed because ''userPassword'' is readable and in ''crypt'' format.

Hutch: /* PAM Steps */

2007-12-18T00:27:51Z

PAM Steps

←Older revision		Revision as of 00:27, 18 December 2007
Line 74:		Line 74:
	#		#
	passwd auth sufficient pam_passwd_auth.so.1		passwd auth sufficient pam_passwd_auth.so.1
-	passwd auth required pam_ldap.so.1 try_first_pass	+	<s>'''passwd auth required pam_ldap.so.1 try_first_pass'''</s>
	#		#
	# cron service (explicit because of non-usage of pam_roles.so.1)		# cron service (explicit because of non-usage of pam_roles.so.1)
Line 154:		Line 154:

	Without this change, users with locked accounts would still be able to authenticate; ''pam_unix'' authentication would succeed because ''userPassword'' is readable and in ''crypt'' format.		Without this change, users with locked accounts would still be able to authenticate; ''pam_unix'' authentication would succeed because ''userPassword'' is readable and in ''crypt'' format.
		+
		+	* The ''passwd auth required pam_ldap.so.1 try_first_pass'' and ''other password required pam_ldap.so.1'' lines are commented or removed because if they are present, it is possible to lock out the account using the ''passwd'' program. Note that as a side effect of this change, you cannot enforce LDAP server password policy when using ''passwd'' (e.g., password history, password complexity, etc.).

	== OpenSSH Steps ==		== OpenSSH Steps ==