Pam unix with LDAP server account lockout

From Brandonhutchinson.com


Revision as of 16:17, 17 December 2007

Overview

In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for ssh logins on the LDAP client:

  • The proxyagent account has read and search privileges for the userPassword attribute.
  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.
  • The Directory Server must only store user passwords in crypt format.

DSEE Steps

  • User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.

Run the following commands on both Directory Servers:

# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled

  • The Directory Server must only store user passwords in crypt format.

The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers:

# dsconf set-server-prop pwd-storage-scheme:crypt

PAM Steps

  • The proxyagent account has read and search privileges for the userPassword attribute.

No change is needed; this is enabled by default.

  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.

Install the pam.conf file located at http://docs.sun.com/app/docs/doc/806-4077/6jd6blbg4?a=view, and make the following change (add the server_policy option to the other auth pam_unix_auth.so.1 entry):

other   auth sufficient         pam_unix_auth.so.1 server_policy

The default pam.conf file uses pam_unix, which does not enforce the LDAP server's password policy; i.e., passwordRetryCount will not increment after an invalid password is entered, and the account will not lock out.

The server_policy module option to pam_unix_auth.so.1 ignores user accounts that only exist in LDAP. This allows the pam_ldap module stacked below to process the authentication attempt according to LDAP server policy. Without this change, users with locked accounts would still be able to authenticate, as we are essentially using pam_unix with LDAP server password controls.

OpenSSH Steps

  • Set UsePAM yes in sshd_config.

Without this setting, the account will never be locked (i.e., passwordRetryCount is never incremented).

  • Set PasswordAuthentication no in sshd_config.

Without this setting, users with locked accounts will still be able to authenticate using the password method. In the following session, the three keyboard-interactive attempts (which go through pam_ldap) are refused, but the fallback password prompt lets the user in:

$ ssh hutchib@host
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(password) hutchib@host's password: 
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$
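As an added example, not part of the original article, here is a small POSIX shell audit of the two client-side changes described above (the server_policy option in pam.conf, and UsePAM/PasswordAuthentication in sshd_config). The sample pam.conf and sshd_config fragments are constructed for the demonstration, and pam_ldap.so.1 is assumed as the module stacked below pam_unix_auth.so.1.

```shell
#!/bin/sh
# Added example, not from the original article: audit the two client-side
# settings the article requires (server_policy in pam.conf, UsePAM and
# PasswordAuthentication in sshd_config). The sample files below are constructed.

# 0 if the "other auth" pam_unix_auth.so.1 entry carries the server_policy option.
check_pam_conf() {
    awk '$1 == "other" && $2 == "auth" && $4 ~ /^pam_unix_auth\.so\.1$/ {
             seen = 1
             for (i = 5; i <= NF; i++) if ($i == "server_policy") ok = 1
         }
         END { if (seen && ok) exit 0; exit 1 }' "$1"
}

# Print the first effective value of an sshd_config keyword (sshd honours the first match).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# 0 only when UsePAM is yes (default no) and PasswordAuthentication is no (default yes).
check_sshd_config() {
    [ "$(sshd_value "$1" UsePAM | tr 'A-Z' 'a-z')" = "yes" ] &&
    [ "$(sshd_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ]
}

# 0 only when both files pass; prints what is missing otherwise.
audit_host() {
    rc=0
    check_pam_conf "$1" || { echo "pam.conf: server_policy missing on other auth pam_unix_auth.so.1"; rc=1; }
    check_sshd_config "$2" || { echo "sshd_config: need UsePAM yes and PasswordAuthentication no"; rc=1; }
    return $rc
}

# Constructed sample configs (pam_ldap.so.1 assumed as the stacked LDAP module).
TMP=$(mktemp -d) ; trap 'rm -rf "$TMP"' EXIT
printf 'other   auth sufficient         pam_unix_auth.so.1\nother   auth required           pam_ldap.so.1\n' > "$TMP/pam.bad"
printf 'other   auth sufficient         pam_unix_auth.so.1 server_policy\nother   auth required           pam_ldap.so.1\n' > "$TMP/pam.good"
printf '#UsePAM yes\nPasswordAuthentication yes\n' > "$TMP/sshd.bad"
printf 'UsePAM yes\nPasswordAuthentication no\n' > "$TMP/sshd.good"

echo "--- stock configuration"
audit_host "$TMP/pam.bad" "$TMP/sshd.bad" || echo "RESULT: LDAP lockout would not be enforced"
echo "--- corrected configuration"
audit_host "$TMP/pam.good" "$TMP/sshd.good" && echo "RESULT: lockout enforced through pam_ldap"
```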