
open(ldap|ssh) interaction



Hey;

When using local accounts, ssh honors password expiration even if using
public key authentication.  This is the case at least on HPUX, Solaris, and
various flavors of Linux. This is a good thing. I won't go through all the security reasons why passwords should periodically change. Suffice to say that they should and most companies have policies regarding password expiration.

When using openldap, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter.

Is there a way to force openssh to honor these settings like it does for
local accounts?

Test environment is centos6.5 running on a kvm tying into an openldap server
ver 2.4.23.  My test environment is certainly following the symptoms of my
client's unboundid server supporting a variety of linux platforms - all rhel based - from ver 4 through 6.

Any help greatly appreciated.

Doug O'Leary
------------
Senior UNIX/Security Admin
CISSP, CISA, RHCSA, CEH
O'Leary Computers Inc
dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
linkedin: http://www.linkedin.com/in/dkoleary
resume: http://www.olearycomputers.com/resume.html
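As an added example, not part of this post: a small Python audit script that applies shadow-style password aging to LDAP entries so an administrator can list the accounts whose expired or reset passwords a public-key login would currently bypass. It assumes the RFC 2307 shadowAccount attributes (shadowLastChange, shadowMax, shadowWarning) and the OpenLDAP ppolicy pwdReset attribute; the LDIF sample is constructed, not real directory data.

```python
# Constructed sample of what `ldapsearch -LLL ... uid shadowLastChange shadowMax
# shadowWarning pwdReset` would return for three hypothetical accounts (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
shadowLastChange: 16000
shadowMax: 90

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
shadowLastChange: 16215
shadowMax: 90
shadowWarning: 7

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
pwdReset: TRUE
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, single-valued attributes."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(": ")
            cur[key] = value.strip()
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def password_status(entry, today):
    """Shadow(5) aging rules plus ppolicy pwdReset; `today` is days since the epoch."""
    if entry.get("pwdReset", "FALSE").upper() == "TRUE":
        return "reset-required"        # ppolicy: an administrator reset the password
    lastchg = int(entry.get("shadowLastChange", -1))
    if lastchg == 0:
        return "reset-required"        # shadow convention: must change at next login
    maxdays = int(entry.get("shadowMax", -1))
    if lastchg < 0 or maxdays < 0:
        return "never-expires"         # no aging data to enforce
    daysleft = lastchg + maxdays - today
    if daysleft < 0:
        return "expired"
    if daysleft <= int(entry.get("shadowWarning", 0)):
        return "expiring"
    return "ok"
```

Run it over real `ldapsearch` output with `today` set to the current day number (days since 1970-01-01, the unit shadowLastChange uses) and compare the "expired" and "reset-required" accounts against the users who hold authorized SSH keys.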