Pam unix with LDAP server account lockout

From Brandonhutchinson.com

Revision as of 16:27, 17 December 2007 (edit) Hutch (Talk | contribs) ← Previous diff

Revision as of 16:28, 17 December 2007 (edit) (undo) Hutch (Talk | contribs) m (Pam unix-only setup moved to Pam unix with LDAP server password controls) Next diff →

---

Revision as of 16:28, 17 December 2007

Contents 1 Overview 2 DSEE Steps 3 PAM Steps 4 OpenSSH Steps

Overview

In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:

• The proxyagent account has read and search privileges for the userPassword attribute).
• User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
• The Directory Server must only store user passwords in crypt format.

DSEE Steps

• User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.

Run the following commands on both Directory Servers:

# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled

• The Directory Server must only store user passwords in crypt format.

The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers:

# dsconf set-server-prop pwd-storage-scheme:crypt

PAM Steps

• The proxyagent account has read and search privileges for the userPassword attribute).

No change is needed; this is enabled by default.

• User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.

Install the pam.conf file located here, and make the following changes in bold.

login   auth sufficient         pam_unix_auth.so.1 server_policy
rlogin  auth sufficient         pam_unix_auth.so.1 server_policy
rsh     auth sufficient         pam_unix_auth.so.1 server_policy
ppp     auth sufficient         pam_unix_auth.so.1 server_policy
other   auth sufficient         pam_unix_auth.so.1 server_policy

The default pam.conf file uses pam_unix which will not enforce the LDAP server's password policy; i.e., passwordRetryCount will not increment after an invalid password is entered, and the account will never lock.

The server_policy module option causes pam_unix_auth.so.1 to ignore user accounts that only exist in LDAP. This allows the pam_ldap module stacked below to process the authentication attempt according to LDAP server policy.

Without this change, users with locked accounts would still be able to authenticate; pam_unix authentication would succeed because userPassword is readable and in crypt format.

OpenSSH Steps

• Set UsePAM yes in sshd_config.

Without this setting, the account will never be locked (i.e., passwordRetryCount is never incremented).

• Set PasswordAuthentication no in sshd_config.

Without this setting, users with locked accounts will be able to authenticate using PasswordAuthentication.

$ ssh hutchib@host
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(password) hutchib@host's password: 
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$