Pam unix with LDAP server account lockout

From Brandonhutchinson.com

Revision as of 00:12, 18 December 2007 by Hutch (Talk | contribs)
Jump to: navigation, search

Contents

Overview

In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following authentication requirements for logins on the LDAP client:

  • The proxyagent account has read and search privileges for the userPassword attribute).
  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.
  • The Directory Server must only store user passwords in crypt format.

DSEE Steps

  • User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.

Run the following commands on both Directory Servers:

# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled
  • The Directory Server must only store user passwords in crypt format.

The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers:

# dsconf set-server-prop pwd-storage-scheme:crypt

PAM Steps

  • The proxyagent account has read and search privileges for the userPassword attribute).

No change is needed; this is enabled by default.

  • User accounts should be locked indefinitely (i.e., the administrator must unlock the account) after 3 failed attempts.

Install the pam.conf file located here, and make the following changes in bold.

login   auth sufficient         pam_unix_auth.so.1 
rlogin  auth sufficient         pam_unix_auth.so.1 server_policy
rsh     auth sufficient         pam_unix_auth.so.1 server_policy
ppp     auth sufficient         pam_unix_auth.so.1 server_policy
other   auth sufficient         pam_unix_auth.so.1 server_policy
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1 server_policy
ppp     auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 try_first_pass use_first_pass
#
# passwd command (explicit because of a different authentication module)

#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1  try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass


The default pam.conf file uses pam_unix which will not enforce the LDAP server's password policy; i.e., passwordRetryCount will not increment after an invalid password is entered, and the account will never lock.

The server_policy module option causes pam_unix_auth.so.1 to ignore user accounts that only exist in LDAP. This allows the pam_ldap module stacked below to process the authentication attempt according to LDAP server policy.

Without this change, users with locked accounts would still be able to authenticate; pam_unix authentication would succeed because userPassword is readable and in crypt format.

OpenSSH Steps

  • Set UsePAM yes in sshd_config.

Without this setting, the account will never be locked (i.e., passwordRetryCount is never incremented).

  • Set PasswordAuthentication no in sshd_config.

Without this setting, users with locked accounts will be able to authenticate using PasswordAuthentication.

$ ssh hutchib@host
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(keyboard-interactive) Password: 
(password) hutchib@host's password: 
Last login: Fri Dec 14 16:41:08 2007 from 10.0.0.100
bash-2.03$
Personal tools