Pam unix with LDAP server account lockout

From Brandonhutchinson.com

Current revision (22:36, 3 March 2008)

Overview

In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:

  • The proxyagent account has read and search privileges for the userPassword attribute.
  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
  • Unsuccessful password resets using the passwd command must never cause the account to lock.
  • The Directory Server must only store user passwords in crypt format.

Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an auditor requirement mandating account lockout after 3 failed login attempts.

DSEE Steps

  • User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.

Run the following commands on both Directory Servers:

# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled

  • The Directory Server must only store user passwords in crypt format.

The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers:

# dsconf set-server-prop pwd-storage-scheme:crypt

PAM Steps

  • The proxyagent account has read and search privileges for the userPassword attribute.

No change is needed; this is enabled by default.

  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
  • Unsuccessful password resets using the passwd command must never cause the account to lock.

Install the pam.conf file from http://docs.sun.com/app/docs/doc/806-4077/6jd6blbg4?a=view and make the changes marked below: each changed line is preceded by a "# CHANGED:" comment describing the edit, and each line that is removed from the default file is left as a "# REMOVED:" comment. The default pam.conf file uses pam_unix, which will not enforce the LDAP server's password policy; i.e., passwordRetryCount will not increment after an invalid password is entered, and the account will never lock.

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
# CHANGED: added server_policy
login   auth sufficient         pam_unix_auth.so.1 server_policy
# CHANGED: try_first_pass replaced by use_first_pass
login   auth required           pam_ldap.so.1 use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
# CHANGED: added server_policy
rlogin  auth sufficient         pam_unix_auth.so.1 server_policy
# CHANGED: try_first_pass replaced by use_first_pass
rlogin  auth required           pam_ldap.so.1 use_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
# CHANGED: added server_policy
rsh     auth sufficient         pam_unix_auth.so.1 server_policy
# CHANGED: try_first_pass replaced by use_first_pass
rsh     auth required           pam_ldap.so.1 use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
# CHANGED: added server_policy
ppp     auth sufficient         pam_unix_auth.so.1 server_policy
# CHANGED: try_first_pass replaced by use_first_pass
ppp     auth required           pam_ldap.so.1 use_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
# CHANGED: added server_policy
other   auth sufficient         pam_unix_auth.so.1 server_policy
# CHANGED: try_first_pass replaced by use_first_pass
other   auth required           pam_ldap.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
# REMOVED: passwd  auth required           pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
# REMOVED: other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

Explanation of pam.conf changes

  • The try_first_pass module option causes pam_ldap.so.1 to prompt for the user's password an additional time when the account is not locked.

Example (the user account is not locked):

$ ssh user@host
Password: 
LDAP Password:
Password: 
Password: 
Permission denied (publickey,keyboard-interactive,hostbased).

Example (the user account is locked):

$ ssh user@host
Password: 
Password: 
Password: 
Permission denied (publickey,keyboard-interactive,hostbased).

The presence of the additional LDAP Password: prompt causes problems with the legacy application in this example. The module option use_first_pass must be used, as try_first_pass is the default even if it is not specified.

From pam_ldap(5):

    use_first_pass
          Authenticate to the directory by  using  the  password
          that  the user initially entered when the user authen-
          ticated to the  first  authentication  module  in  the
          stack.  If the authentication fails, or if no password
          has been entered, it quits. The user is  not  prompted
          for another password.

    try_first_pass
          Authenticate to the directory by  using  the  password
          the user initially entered when the user authenticated
          to the first authentication module in  the  stack.  If
          the  authentication  fails, or if no password has been
          entered, the user is prompted for another password.

  • The server_policy module option causes pam_unix_auth.so.1 to ignore user accounts that only exist in LDAP. This allows the pam_ldap module stacked below to process the authentication attempt according to LDAP server policy.

Without this change, users with locked accounts would still be able to authenticate; pam_unix authentication would succeed because userPassword is readable and in crypt format.

  • The passwd auth required pam_ldap.so.1 try_first_pass and other password required pam_ldap.so.1 lines are commented or removed because if they are present, it is possible to lock out the account using the passwd program. Note that as a side effect of this change, you cannot enforce LDAP server password policy when using passwd (e.g., password history, password complexity, etc.).
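The three explanations above (try_first_pass vs use_first_pass prompting, server_policy, and the directory-side lockout counter) can be traced with a toy model of the "other auth" stack. This is an added example, not code from the page or from Sun: the module behaviour, the constructed directory entry, the three-attempt keyboard-interactive loop, and sha256 standing in for the crypt(3) hash in userPassword are all simplifying assumptions made here, not the real pam_unix_auth or pam_ldap implementations.

```python
"""Toy model of the Solaris PAM auth stack configured on this page (added
example, not code from the page or from Sun). Module behaviour, the
directory entry and sha256 standing in for crypt(3) are assumptions."""
import hashlib

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"
MAX_FAILURES = 3  # mirrors dsconf set-server-prop pwd-max-failure-count:3


def _hash(password):
    # Stand-in for the crypt(3) value stored in userPassword (sha256 only
    # because Python's crypt module is deprecated). pam_unix can verify it
    # locally because proxyagent is allowed to read the attribute.
    return hashlib.sha256(password.encode()).hexdigest()


def fresh_entry(password="correct horse", locked=False):
    """Constructed directory entry for a user that exists only in LDAP."""
    return {"repository": "ldap", "userPassword": _hash(password),
            "locked": locked, "passwordRetryCount": 0}


class Session:
    """Client side of one keyboard-interactive login."""
    def __init__(self, typed):
        self.typed = list(typed)  # passwords the client will type, in order
        self.prompts = []         # prompts shown, cf. the ssh transcripts above
        self.authtok = None       # password captured by pam_authtok_get

    def prompt(self, text):
        self.prompts.append(text)
        return self.typed.pop(0) if self.typed else None


def pam_authtok_get(s, opts, entry):
    s.authtok = s.prompt("Password:")
    return SUCCESS


def pam_dhkeys(s, opts, entry):
    return SUCCESS  # no Secure RPC keys in this model


def pam_unix_auth(s, opts, entry):
    # server_policy: accounts from a repository with its own policy (LDAP
    # here) are passed over so that repository's module decides. Without it,
    # a readable crypt hash is enough to succeed, locked or not.
    if "server_policy" in opts and entry["repository"] == "ldap":
        return IGNORE
    ok = s.authtok is not None and _hash(s.authtok) == entry["userPassword"]
    return SUCCESS if ok else FAIL


def pam_ldap(s, opts, entry):
    def bind(password):
        # Directory side: pwd-lockout-enabled and pwd-max-failure-count.
        if entry["locked"]:
            return False
        if password is not None and _hash(password) == entry["userPassword"]:
            entry["passwordRetryCount"] = 0
            return True
        entry["passwordRetryCount"] += 1
        if entry["passwordRetryCount"] >= MAX_FAILURES:
            entry["locked"] = True
        return False

    if bind(s.authtok):
        return SUCCESS
    if "use_first_pass" in opts or entry["locked"]:
        return FAIL
    # try_first_pass (the default): ask once more, which is the extra
    # "LDAP Password:" prompt in the first transcript above.
    return SUCCESS if bind(s.prompt("LDAP Password:")) else FAIL


MODULES = {"pam_authtok_get.so.1": pam_authtok_get, "pam_dhkeys.so.1": pam_dhkeys,
           "pam_unix_auth.so.1": pam_unix_auth, "pam_ldap.so.1": pam_ldap}


def run_stack(stack, session, entry):
    """Evaluate an auth stack of (control flag, module, options) entries."""
    required_failed = False
    for control, module, opts in stack:
        result = MODULES[module](session, opts, entry)
        if result == IGNORE:
            continue
        if control == "requisite" and result == FAIL:
            return FAIL
        if control == "required" and result == FAIL:
            required_failed = True
        if control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS
    return FAIL if required_failed else SUCCESS


def other_auth_stack(unix_opts, ldap_opts):
    """The page's 'other auth' stack, parameterised on the two options."""
    return [("required", "pam_authtok_get.so.1", []),
            ("required", "pam_dhkeys.so.1", []),
            ("sufficient", "pam_unix_auth.so.1", unix_opts),
            ("required", "pam_ldap.so.1", ldap_opts)]


def ssh_login(stack, entry, typed, attempts=3):
    """sshd keyboard-interactive: up to three runs of the whole stack.
    Returns (authenticated, list of prompts shown)."""
    session = Session(typed)
    for _ in range(attempts):
        if run_stack(stack, session, entry) == SUCCESS:
            return True, session.prompts
    return False, session.prompts


if __name__ == "__main__":
    page_stack = other_auth_stack(["server_policy"], ["use_first_pass"])
    entry = fresh_entry()
    print(ssh_login(page_stack, entry, ["bad", "bad", "bad"]), entry)
    print(ssh_login(page_stack, fresh_entry(locked=True), ["correct horse"]))
    print(ssh_login(other_auth_stack([], ["use_first_pass"]),
                    fresh_entry(locked=True), ["correct horse"]))
```

Run against three wrong passwords, the page's stack yields the three "Password:" prompts of the locked transcript and leaves passwordRetryCount at 3 with the entry locked; swapping in try_first_pass reproduces the first transcript's "Password:", "LDAP Password:", "Password:", "Password:" sequence, because the extra prompt only appears while the entry is still unlocked. Dropping server_policy lets a locked user with the correct password through pam_unix_auth's sufficient line, which is the failure the server_policy bullet describes.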

OpenSSH Steps

  • Set UsePAM yes in sshd_config.

Without this setting, the account will never be locked (i.e., passwordRetryCount is never incremented).

  • Set PasswordAuthentication no in sshd_config.

Without this setting, users with locked accounts will be able to authenticate using PasswordAuthentication.

$ ssh hutchib@host
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(password) hutchib@host's password: 
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$

Note: If the user you are attempting to authenticate as using ssh is denied via the ssh directives DenyUsers, AllowUsers, DenyGroups, or AllowGroups, the account will not lock in LDAP regardless of how many incorrect passwords are entered.
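An offline check of the two client-side files the PAM and OpenSSH sections change, as an added example (not the page's or Sun's code). The sample pam.conf and sshd_config fragments are constructed; the checks encode this page's requirements (server_policy on pam_unix_auth wherever pam_ldap is stacked, use_first_pass on pam_ldap, no pam_ldap in the passwd auth stack or any password stack, UsePAM yes, PasswordAuthentication no, and a note when DenyUsers/AllowUsers/DenyGroups/AllowGroups are set). Stopping at the first Match line of sshd_config is an assumption of the example, and the dsconf server properties are not verified.

```python
"""Check a Solaris LDAP client's pam.conf and sshd_config against the
settings this page describes. Added example; sample inputs are constructed."""
import re

LDAP = "pam_ldap.so.1"
UNIX_AUTH = "pam_unix_auth.so.1"


def parse_pam_conf(text):
    """Return (service, type, control, module, options) for each entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; real pam would reject it
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype, control, module, fields[4:]))
    return entries


def check_pam_conf(text):
    findings = []
    entries = parse_pam_conf(text)
    auth = [e for e in entries if e[1] == "auth"]
    for svc in sorted({e[0] for e in auth}):
        stack = [e for e in auth if e[0] == svc]
        has_ldap = any(e[3] == LDAP for e in stack)
        for _, _, control, module, opts in stack:
            if module == UNIX_AUTH and has_ldap and "server_policy" not in opts:
                findings.append(f"{svc} auth: {UNIX_AUTH} lacks server_policy; "
                                "locked LDAP users still authenticate")
            if module == LDAP and svc == "passwd":
                findings.append(f"passwd auth: {LDAP} present; "
                                "failed passwd runs can lock the account")
            elif module == LDAP and "use_first_pass" not in opts:
                findings.append(f"{svc} auth: {LDAP} without use_first_pass; "
                                "try_first_pass re-prompts 'LDAP Password:'")
    for svc, mtype, _, module, _ in entries:
        if mtype == "password" and module == LDAP:
            findings.append(f"{svc} password: {LDAP} present; "
                            "failed passwd runs can lock the account")
    return findings


def check_sshd_config(text):
    """Global settings only: sshd keeps the first value it sees for a keyword,
    and directives after a Match line are conditional, so parsing stops there
    (assumption of this example: the Match block itself is not evaluated)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    findings = []
    if settings.get("usepam", "no") != "yes":
        findings.append("UsePAM is not yes: pam_ldap never runs, so "
                        "passwordRetryCount never increments")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not no: locked users can "
                        "still log in via the password method")
    for key in ("denyusers", "allowusers", "denygroups", "allowgroups"):
        if key in settings:
            findings.append(f"note: {key} is set; users it rejects never reach "
                            "PAM, so their LDAP retry count does not change")
    return findings


# Constructed samples: the default shape of the files beside the hardened one.
DEFAULT_PAM = """\
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1 try_first_pass
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
"""
HARDENED_PAM = """\
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 use_first_pass
passwd  auth sufficient         pam_passwd_auth.so.1
other   password sufficient     pam_authtok_store.so.1
"""
DEFAULT_SSHD = "UsePAM no\nPasswordAuthentication yes\n"
HARDENED_SSHD = "UsePAM yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("pam.conf", DEFAULT_PAM), ("sshd_config", DEFAULT_SSHD)):
        checker = check_pam_conf if name == "pam.conf" else check_sshd_config
        print(name, *checker(text), sep="\n  ")
```

On a real host, read /etc/pam.conf and /etc/ssh/sshd_config into the two functions; an empty list from both means the client-side half of this page's setup is in place, while the dsconf lockout properties still have to be confirmed on each Directory Server.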
