Doug OLeary wrote:
> Hey;
>
> When using local accounts, ssh honors password expiration even if using public key authentication. This is the case at least on HPUX, Solaris, and various flavors of Linux. This is a good thing. I won't go through all the security reasons why passwords should periodically change. Suffice to say that they should and most companies have policies regarding password expiration.
>
> When using openldap, however, if a user is configured to use public key authentication, he is allowed access to the account regardless of the password aging and/or pwdReset parameter. Is there a way to force openssh to honor these settings like it does for local accounts?

If you want to know how to control OpenSSH settings, it seems to me you should ask on an OpenSSH mailing list.

> Test environment is centos6.5 running on a kvm tying into an openldap server ver 2.4.23. My test environment is certainly following the symptoms of my client's unboundid server supporting a variety of linux platforms - all rhel based - from ver 4 through 6.
>
> Any help greatly appreciated.
>
> Doug O'Leary
> ------------
> Senior UNIX/Security Admin
> CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> dkoleary@olearycomputers.com
> (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary
> resume: http://www.olearycomputers.com/resume.html

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
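As an added illustration of the gap Doug describes (not code from the thread or from the OpenLDAP project): an audit helper that applies the ppolicy overlay's own criteria (pwdChangedTime against pwdMaxAge, pwdReset, pwdAccountLockedTime) to users who hold SSH keys, so a defender can list accounts a pubkey login would still admit although a password login would be refused. The entries are constructed in the script rather than read from a server, and it assumes keys are stored in an `sshPublicKey` attribute (openssh-lpk schema).

```python
"""Audit helper (added example): flag LDAP users whose password would be refused
under the ppolicy rules but who could still log in over SSH with a public key.
Sample data below is constructed inline; no directory is queried."""
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_generalized_time(value: str) -> datetime:
    # ppolicy writes LDAP GeneralizedTime as UTC, e.g. "20140301120000Z"
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_login_blocked(entry: dict, policy: dict, now: datetime) -> Optional[str]:
    """Return why a password login would be refused, or None if it would pass.
    entry:  user attributes as plain strings (pwdChangedTime, pwdReset, ...)
    policy: the applicable pwdPolicy entry; pwdMaxAge is seconds, 0 = no expiry."""
    if entry.get("pwdAccountLockedTime"):
        return "account locked (pwdAccountLockedTime set)"
    if entry.get("pwdReset", "FALSE").upper() == "TRUE":
        return "password must be reset (pwdReset TRUE)"
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime")
    if max_age > 0 and changed:
        if now - parse_generalized_time(changed) > timedelta(seconds=max_age):
            return "password expired (pwdChangedTime older than pwdMaxAge)"
    return None


def audit(entries, policy, now) -> dict:
    """Map uid -> reason for every key-holding user the policy would block."""
    findings = {}
    for entry in entries:
        if entry.get("sshPublicKey"):  # only users who can bypass the password path
            reason = password_login_blocked(entry, policy, now)
            if reason:
                findings[entry["uid"]] = reason
    return findings


# Constructed sample: 90-day pwdMaxAge, evaluated as of 2014-06-01
POLICY = {"pwdMaxAge": str(90 * 86400)}
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
ENTRIES = [
    {"uid": "alice", "pwdChangedTime": "20140501000000Z", "sshPublicKey": "ssh-rsa AAAA... alice"},
    {"uid": "bob", "pwdChangedTime": "20140101000000Z", "sshPublicKey": "ssh-rsa AAAA... bob"},
    {"uid": "carol", "pwdChangedTime": "20140520000000Z", "pwdReset": "TRUE", "sshPublicKey": "ssh-rsa AAAA... carol"},
    {"uid": "dave", "pwdChangedTime": "20130101000000Z"},  # expired, but no key: not an SSH bypass
]

if __name__ == "__main__":
    for uid, why in audit(ENTRIES, POLICY, NOW).items():
        print(f"{uid}: {why}")
```

On a live directory the same function can be fed the attributes returned by an LDAP search, decoded to strings; `bob` (151 days since change) and `carol` (pwdReset) are the two users the sample flags.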