
Re: open(ldap|ssh) interaction



Doug OLeary wrote:
Hey;

When using local accounts, ssh honors password expiration even if using
public key authentication.  This is the case at least on HPUX, Solaris, and
various flavors of Linux.  This is a good thing.  I won't go through all the
security reasons why passwords should periodically change.  Suffice to say
that they should and most companies have policies regarding password
expiration.

When using openldap, however, if a user is configured to use public key
authentication, he is allowed access to the account regardless of the password
aging and/or pwdReset parameter.

Is there a way to force openssh to honor these settings like it does for
local accounts?

If you want to know how to control OpenSSH settings, it seems to me you should ask on an OpenSSH mailing list.

Test environment is centos6.5 running on a kvm tying into an openldap server
ver 2.4.23.  My test environment is certainly following the symptoms of my
client's unboundid server supporting a variety of linux platforms - all rhel
based - from ver 4 through 6.

Any help greatly appreciated.

Doug O'Leary
------------
Senior UNIX/Security Admin
CISSP, CISA, RHCSA, CEH
O'Leary Computers Inc
dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
linkedin: http://www.linkedin.com/in/dkoleary
resume: http://www.olearycomputers.com/resume.html


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
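The password-policy state the post says is bypassed for public-key logins, written out as an added Python example (not OpenLDAP or OpenSSH code): given a user's ppolicy operational attributes and the applicable policy, decide whether the account should be refused or forced to change its password. Attribute names follow the OpenLDAP ppolicy schema; the policy values, user entries and "current time" are constructed, and treating a missing pwdChangedTime as non-expiring is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # ppolicy sentinel for an administratively locked account


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as written by the ppolicy overlay, e.g. 20140301120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry: dict, policy: dict, now: datetime) -> str:
    """Return 'locked', 'reset', 'expired' or 'ok' for one user entry under one policy."""
    locked = entry.get("pwdAccountLockedTime")
    if locked == PERMANENT_LOCK:
        return "locked"
    if locked is not None:
        duration = int(policy.get("pwdLockoutDuration", 0))  # 0 = locked until an admin unlocks
        if duration == 0 or now < parse_generalized_time(locked) + timedelta(seconds=duration):
            return "locked"
    if entry.get("pwdReset", "FALSE").upper() == "TRUE":
        return "reset"  # admin reset: user must change the password before doing anything else
    max_age = int(policy.get("pwdMaxAge", 0))  # 0 = passwords never expire
    changed = entry.get("pwdChangedTime")
    if max_age == 0 or changed is None:
        return "ok"  # assumption: no pwdChangedTime means the entry is not subject to expiry
    if now >= parse_generalized_time(changed) + timedelta(seconds=max_age):
        return "expired"
    return "ok"


def login_allowed(entry: dict, policy: dict, now: datetime) -> bool:
    """The account-stage decision a login path should enforce regardless of auth method."""
    return password_state(entry, policy, now) == "ok"


# Constructed sample data: 90-day maximum age, permanent lockouts, evaluated on 2014-04-15.
POLICY = {"pwdMaxAge": "7776000", "pwdLockoutDuration": "0"}
ENTRIES = {
    "alice": {"pwdChangedTime": "20140101120000Z"},                   # older than 90 days
    "bob":   {"pwdChangedTime": "20140301120000Z", "pwdReset": "TRUE"},
    "carol": {"pwdChangedTime": "20140301120000Z"},                   # still current
    "dave":  {"pwdChangedTime": "20140301120000Z", "pwdAccountLockedTime": PERMANENT_LOCK},
}
NOW = parse_generalized_time("20140415120000Z")

if __name__ == "__main__":
    for uid, entry in ENTRIES.items():
        print(uid, password_state(entry, POLICY, NOW), login_allowed(entry, POLICY, NOW))
```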