
Re: open(ldap|ssh) interaction



>>> Doug OLeary <dkoleary@olearycomputers.com> wrote on 11.03.2014 at 01:05 in
message <alpine.LRH.2.03.1403101830130.16106@olearycomputers.com>:
> Hey;
> 
> When using local accounts, ssh honors password expiration even if using
> public key authentication.  This is the case at least on HPUX, Solaris, and
> various flavors of Linux.  This is a good thing.  I won't go through all the
> security reasons why passwords should periodically change.  Suffice to say
> that they should and most companies have policies regarding password
> expiration.
> 
> When using openldap, however, if a user is configured to use public key
> authentication, he is allowed access to the account regardless of the
> password aging and/or pwdReset parameter.

I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local user authenticated with SSH keys only: If the password (that was never used) expired, ssh key login was denied. The user had to change his password (using non-key login).

> 
> Is there a way to force openssh to honor these settings like it does for
> local accounts?

I guess it's a question of PAM.

> 
> Test environment is centos6.5 running on a kvm tying into an openldap server
> ver 2.4.23.  My test environment is certainly following the symptoms of my
> client's unboundid server supporting a variety of linux platforms - all rhel 
> based - from ver 4 through 6.
> 
> Any help greatly appreciated.
> 
> Doug O'Leary
> ------------
> Senior UNIX/Security Admin
> CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary 
> resume: http://www.olearycomputers.com/resume.html
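The thread's concern is that key-based logins can outlive an expired LDAP password. Until the PAM/sshd side is sorted out, a defender at least wants to know which directory accounts are already past their aging limits or flagged for reset. The following audit script is an added example, not code from either poster; it parses constructed LDIF (the entries, uids and day counts below are invented) and evaluates the standard shadowAccount attributes `shadowLastChange` and `shadowMax` (days since the epoch) plus the ppolicy `pwdReset` flag. It assumes single-line attribute values and treats a `shadowMax` of 99999 as "never expires", the usual convention.

```python
"""Audit LDAP shadowAccount entries for expired or reset-required passwords.

Added example: not from the mailing-list thread. Reads LDIF text, so it can
be fed the output of an ldapsearch over ou=People offline.
"""
from datetime import date

EPOCH = date(1970, 1, 1)
NEVER = 99999  # conventional shadowMax value meaning "password never expires"

# Constructed sample entries (invented uids and day counts, not real data).
# 16000 days after the epoch is 2013-10-22.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowLastChange: 16000
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 16100
shadowMax: 90

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
shadowLastChange: 16000
shadowMax: 99999

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
shadowLastChange: 16000
shadowMax: 90
pwdReset: TRUE
"""


def parse_ldif(text):
    """Split LDIF into a list of attribute dicts (one per blank-line-separated entry).

    Handles only single-line 'attr: value' lines; comments are skipped.
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def days_since_epoch(day):
    """shadow* attributes count days since 1970-01-01."""
    return (day - EPOCH).days


def password_status(entry, today):
    """Classify one entry: reset-required, no-aging, no-expiry, expired or ok."""
    # ppolicy: pwdReset TRUE means the admin set the password and the user
    # must change it; a key-only login never triggers that change.
    if entry.get("pwdReset", "").upper() == "TRUE":
        return "reset-required"
    if "shadowLastChange" not in entry or "shadowMax" not in entry:
        return "no-aging"
    last_change = int(entry["shadowLastChange"])
    max_age = int(entry["shadowMax"])
    if max_age < 0 or max_age >= NEVER:
        return "no-expiry"
    if days_since_epoch(today) > last_change + max_age:
        return "expired"
    return "ok"


def audit(ldif_text, today):
    """Map uid -> status for every entry carrying a uid attribute."""
    return {
        e["uid"]: password_status(e, today)
        for e in parse_ldif(ldif_text)
        if "uid" in e
    }


if __name__ == "__main__":
    for uid, status in sorted(audit(SAMPLE_LDIF, date.today()).items()):
        print(f"{uid}: {status}")
```

Run against a real export with `ldapsearch -LLL ... uid shadowLastChange shadowMax pwdReset` piped into `parse_ldif`; any uid reported as `expired` or `reset-required` but still holding an authorized key is exactly the case the original question describes.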