Pam unix with LDAP server account lockout

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
Current revision (22:36, 3 March 2008) (edit) (undo)
(OpenSSH Steps)
 
(4 intermediate revisions not shown.)
Line 2: Line 2:
In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:
In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:
-
* The ''proxyagent'' account has read and search privileges for the ''userPassword'' attribute).
+
* The ''proxyagent'' account has read and search privileges for the ''userPassword'' attribute.
* User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
* User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.
* Unsuccessful password resets using the ''passwd'' command must never cause the account to lock.
* The Directory Server must only store user passwords in ''crypt'' format.
* The Directory Server must only store user passwords in ''crypt'' format.
-
Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an audit requirement mandating account lockout after 3 failed login attempts.
+
Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an auditor requirement mandating account lockout after 3 failed login attempts.
== DSEE Steps ==
== DSEE Steps ==
Line 103: Line 103:
other password required pam_authtok_check.so.1
other password required pam_authtok_check.so.1
other password sufficient pam_authtok_store.so.1
other password sufficient pam_authtok_store.so.1
-
<s>other password required pam_ldap.so.1'''</s>
+
<s>'''other password required pam_ldap.so.1'''</s>
#
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
Line 173: Line 173:
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$
bash-2.03$
 +
 +
Note: If the user you are attempting to authenticate as using ssh is denied via the ssh directives ''DenyUsers'', ''AllowUsers'', ''DenyGroups'', or ''AllowGroups'', the account will not lock in LDAP regardless of how many incorrect passwords are entered.

Current revision

Contents

Overview

In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:

  • The proxyagent account has read and search privileges for the userPassword attribute.
  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
  • Unsuccessful password resets using the passwd command must never cause the account to lock.
  • The Directory Server must only store user passwords in crypt format.

Note: this is a horrible LDAP "implementation" that is only being used to support a legacy application and an auditor requirement mandating account lockout after 3 failed login attempts.

DSEE Steps

  • User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.

Run the following commands on both Directory Servers: 

# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled
  • The Directory Server must only store user passwords in crypt format.

The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers: 

# dsconf set-server-prop pwd-storage-scheme:crypt

PAM Steps

  • The proxyagent account has read and search privileges for the userPassword attribute.

No change is needed; this is enabled by default.

  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
  • Unsuccessful password resets using the passwd command must never cause the account to lock.

Install the pam.conf file located here, and make the following changes in bold. The default pam.conf file uses pam_unix which will not enforce the LDAP server's password policy; i.e., passwordRetryCount will not increment after an invalid password is entered, and the account will never lock. 

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1 server_policy
ppp     auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication

#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# passwd command (explicit because of a different authentication module)

#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1  try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

Explanation of pam.conf changes

  • The try_first_pass module option causes pam_ldap.so.1 to prompt for the user's password an additional time when the account is not locked.

Example (the user account is not locked): 

$ ssh user@host
Password: 
LDAP Password:
Password: 
Password: 
Permission denied (publickey,keyboard-interactive,hostbased).

Example (the user account is locked): 

$ ssh user@host
Password: 
Password: 
Password: 
Permission denied (publickey,keyboard-interactive,hostbased).

The presence of the additional LDAP Password: prompt causes problems with the legacy application in this example. The module option use_first_pass must be used, as try_first_pass is the default even if it is not specified.

From pam_ldap(5): 

    use_first_pass
          Authenticate to the directory by  using  the  password
          that  the user initially entered when the user authen-
          ticated to the  first  authentication  module  in  the
          stack.  If the authentication fails, or if no password
          has been entered, it quits. The user is  not  prompted
          for another password.

    try_first_pass
          Authenticate to the directory by  using  the  password
          the user initially entered when the user authenticated
          to the first authentication module in  the  stack.  If
          the  authentication  fails, or if no password has been
          entered, the user is prompted for another password.
  • The server_policy module option causes pam_unix_auth.so.1 to ignore user accounts that only exist in LDAP. This allows the pam_ldap module stacked below to process the authentication attempt according to LDAP server policy.

Without this change, users with locked accounts would still be able to authenticate; pam_unix authentication would succeed because userPassword is readable and in crypt format.

  • The passwd auth required pam_ldap.so.1 try_first_pass and other password required pam_ldap.so.1 lines are commented or removed because if they are present, it is possible to lock out the account using the passwd program. Note that as a side effect of this change, you cannot enforce LDAP server password policy when using passwd (e.g., password history, password complexity, etc.).

OpenSSH Steps

  • Set UsePAM yes in sshd_config.

Without this setting, the account will never be locked (i.e., passwordRetryCount is never incremented).

  • Set PasswordAuthentication no in sshd_config.

Without this setting, users with locked accounts will be able to authenticate using PasswordAuthentication. 

$ ssh hutchib@host
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(password) hutchib@host's password: 
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$

Note: If the user you are attempting to authenticate as using ssh is denied via the ssh directives DenyUsers, AllowUsers, DenyGroups, or AllowGroups, the account will not lock in LDAP regardless of how many incorrect passwords are entered.

Retrieved from "http://brandonhutchinson.com/wiki/Pam_unix_with_LDAP_server_account_lockout"
Personal tools