Pam unix with LDAP server account lockout
From Brandonhutchinson.com
Revision as of 22:43, 14 December 2007
Overview
In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following requirements:
- pam_unix must be used.
- User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.
- The Directory Server must only store user passwords in crypt format.
DSEE Steps
- User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.
Run the following commands on both Directory Servers:
# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled
- The Directory Server must only store user passwords in crypt format.
The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers. Note that traditional crypt(3) hashes only the first eight characters of a password with a 12-bit salt, so this is a weaker storage scheme than SSHA and is used here only because the legacy requirement demands it:
# dsconf set-server-prop pwd-storage-scheme:crypt
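To confirm that both Directory Servers actually carry the four settings above after the dsconf commands have been run, here is an added shell example that is not part of the original page. It reads a file holding the output of dsconf get-server-prop on one server and reports every required property that is missing or has the wrong value. The "property : value" line layout of that output is an assumption, and the two sample outputs (a server at its defaults and a server after the change) are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify that a Directory Server's
# password policy matches the lockout and storage requirements above.
# Input is a file holding the output of `dsconf get-server-prop` on that
# server; the "property : value" line layout is an assumption, and the two
# sample outputs below are constructed.

# check_dsee_policy FILE
#   Prints one line per missing or wrong property and returns 0 only when all
#   four required properties match.
check_dsee_policy() {
    file=$1
    rc=0
    for pair in pwd-lockout-enabled:on \
                pwd-max-failure-count:3 \
                pwd-lockout-duration:disabled \
                pwd-storage-scheme:crypt; do
        name=${pair%%:*}
        want=${pair#*:}
        # value after the first colon on the matching line, blanks trimmed
        have=$(awk -F: -v n="$name" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
            $1 == n { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }
        ' "$file")
        if [ -z "$have" ]; then
            echo "MISSING $name (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $name is $have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# write_samples DIR: constructed dsconf output before and after the change.
write_samples() {
    cat > "$1/default.txt" <<'EOF'
pwd-lockout-enabled : off
pwd-max-failure-count : 3
pwd-lockout-duration : 3600
pwd-storage-scheme : SSHA
EOF
    cat > "$1/hardened.txt" <<'EOF'
pwd-lockout-enabled : on
pwd-max-failure-count : 3
pwd-lockout-duration : disabled
pwd-storage-scheme : crypt
EOF
}

# Stand-alone run: check both constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
for f in default hardened; do
    if check_dsee_policy "$demo/$f.txt"; then
        echo "$f: compliant"
    else
        echo "$f: NOT compliant"
    fi
done
rm -rf "$demo"
```

In practice run dsconf get-server-prop on each of the two replicated servers, save the output, and pass each file to check_dsee_policy; a non-zero return on either server means the policy is not in force there, whatever the other server says.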
PAM Steps
- pam_unix must be used.
Make the following change in bold to the default /etc/pam.conf:
other auth required pam_unix_auth.so.1 server_policy
OpenSSH Steps
- Set UsePAM yes in sshd_config.
Without this setting, the user will never be locked out (i.e., passwordretrycount is never incremented).
- Set PasswordAuthentication no in sshd_config.
Without this setting, sshd falls back from keyboard-interactive to its password method once the keyboard-interactive attempts have been used up, and that password attempt still succeeds, as this session shows:
$ ssh hutchib@host
(keyboard-interactive) Password:
(keyboard-interactive) Password:
(keyboard-interactive) Password:
(password) hutchib@host's password:
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$
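The PAM step and the two OpenSSH steps above are easy to get subtly wrong: sshd keeps the first occurrence of a keyword and ignores later ones, keywords are case-insensitive, and an absent UsePAM or PasswordAuthentication silently takes the default (no and yes respectively). Here is an added shell example, not code from the original page, that audits pam.conf and sshd_config with those rules. The sample files are constructed (the pam.conf stack is an abridged Solaris 10 default), and the file names are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original page: audit the PAM and OpenSSH changes
# described above by reading pam.conf and sshd_config the way PAM and sshd
# parse them. The sample files are constructed (the pam.conf stack is an
# abridged Solaris 10 default); paths and file names are arbitrary.

# sshd_effective KEYWORD FILE
#   Print the effective value of KEYWORD in an sshd_config: keywords are
#   case-insensitive, comment and blank lines are skipped, the FIRST
#   occurrence wins, and only the global section before any Match block is
#   read. Prints nothing when the keyword is not set.
sshd_effective() {
    awk -v kw="$1" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(kw)  { print $2; exit }
    ' "$2"
}

# check_sshd_lockout FILE
#   Returns 0 when UsePAM is yes and PasswordAuthentication is no. An absent
#   keyword takes sshd's default (UsePAM no, PasswordAuthentication yes), so an
#   untouched config fails on both counts.
check_sshd_lockout() {
    rc=0
    usepam=$(sshd_effective UsePAM "$1")
    pwauth=$(sshd_effective PasswordAuthentication "$1")
    usepam=${usepam:-no}
    pwauth=${pwauth:-yes}
    [ "$usepam" = "yes" ] || { echo "UsePAM is $usepam, need yes"; rc=1; }
    [ "$pwauth" = "no" ]  || { echo "PasswordAuthentication is $pwauth, need no"; rc=1; }
    return $rc
}

# check_pam_conf FILE
#   Returns 0 when the "other auth" stack's pam_unix_auth.so.1 entry carries
#   the server_policy option. pam.conf fields: service type control module
#   [options...]; comment lines start with #.
check_pam_conf() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        $1 == "other" && $2 == "auth" && $4 ~ /pam_unix_auth\.so\.1$/ {
            for (i = 5; i <= NF; i++) if ($i == "server_policy") ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# write_samples DIR: constructed before/after sshd_config and pam.conf files.
write_samples() {
    cat > "$1/sshd_config.before" <<'EOF'
# constructed: UsePAM left commented out, password authentication on
Port 22
#UsePAM yes
PasswordAuthentication yes
EOF
    cat > "$1/sshd_config.after" <<'EOF'
Port 22
usepam yes
PasswordAuthentication no
# a later duplicate is ignored: sshd keeps the first value it sees
PasswordAuthentication yes
EOF
    cat > "$1/pam.conf.before" <<'EOF'
# constructed, abridged Solaris 10 default "other auth" stack
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
EOF
    cat > "$1/pam.conf.after" <<'EOF'
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1 server_policy
EOF
}

# Stand-alone run: report on the constructed before/after pairs.
demo=$(mktemp -d)
write_samples "$demo"
for v in before after; do
    check_sshd_lockout "$demo/sshd_config.$v" && echo "sshd_config.$v: OK"
    check_pam_conf "$demo/pam.conf.$v" && echo "pam.conf.$v: OK" || echo "pam.conf.$v: server_policy missing"
done
rm -rf "$demo"
```

Run check_sshd_lockout /etc/ssh/sshd_config and check_pam_conf /etc/pam.conf on the client after editing; remember that sshd only reads sshd_config at start-up, so a passing file still needs the daemon restarted before the lockout behaves as described.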