password policy

Can someone point me to some solid OpenLDAP/pam_ldap/nss_ldap documentation on password aging and lockout (after X failed attempts)?

I've toyed with shadowMax and the other shadow attributes, but it doesn't seem to make it to the RedHat clients. I can post any config files needed.

Thanks,
-John

--
John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@...
Phone: 202.479.9030 #427
Re: password policy

I'm still trying to find some decent documentation on password expiry/lockouts.

We're using the latest version of OpenLDAP. We use ssh to log into our RedHat ES servers and they authenticate against our OpenLDAP server. Using ssh to log in via LDAP works fine, but shadowMax and shadowWarning messages never appear and are never enforced on the clients, so our passwords are eternal.

Any links to documentation or any information would be great, as I've "Googled" this to no end.

Thanks,
-John

John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@...

John Beck wrote:
> Can someone point me to some solid OpenLDAP/pam_ldap/nss_ldap
> documentation on password aging and lockout (after X failed attempts)?
>
> I've toyed with shadowMax and the other shadow attributes, but it
> doesn't seem to make it to the RedHat clients. I can post any config
> files needed.
>
> Thanks,
> -John
Re: password policy

John Beck wrote:
> I'm still trying to find some decent documentation on password
> expiry/lockouts.
>
> We're using the latest version of OpenLDAP. We use ssh to log into our
> RedHat ES servers and they authenticate against our OpenLDAP server.
> Using ssh to log in via LDAP works fine, but shadowMax and
> shadowWarning messages never appear and are never enforced on the
> clients, so our passwords are eternal.

shadowMax and shadowWarning attributes are part of the NIS schema. pam_ldap doesn't know anything about them; only NSS uses them (via nss_ldap). I.e., they will only have an effect if the user authenticates via pam_unix and nss_ldap. If you want to use LDAP-native password controls, you need to look into the Password Policy overlay in OpenLDAP.

PS: post actual version numbers. People looking over these messages down the road will have no idea what "the latest version of OpenLDAP" meant. As a RedHat user, you probably don't either. The latest public version is 2.3.27 right now. What version are you using?

> Any links to documentation or any information would be great, as I've
> "Googled" this to no end.
>
> Thanks,
> -John
>
> John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
> Global Science and Technology (GST)
> jbeck@...

--
Howard Chu
Chief Architect, Symas Corp.  http://www.symas.com
Director, Highland Sun        http://highlandsun.com/hyc
OpenLDAP Core Team            http://www.openldap.org/project/
Re: password policy

I am using version 2.3.27 and have the password policy schema. Does your answer mean I need to post to the nss_ldap mailing lists, or am I ok here?

I just need to find a way to make users that log in via ssh change their password every 90 days, and get locked out after 3 consecutive bad passwords. I saw the shadowMax, shadowExpire, etc. and assumed that it was pam_ldap that picked those up.

John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@...
Phone: 202.479.9030 #427

Howard Chu wrote:
> shadowMax and shadowWarning attributes are part of the NIS schema.
> pam_ldap doesn't know anything about them; only NSS uses them (via
> nss_ldap). I.e., they will only have an effect if the user authenticates
> via pam_unix and nss_ldap. If you want to use LDAP-native password
> controls, you need to look into the Password Policy overlay in OpenLDAP.
>
> PS: post actual version numbers. People looking over these messages down
> the road will have no idea what "the latest version of OpenLDAP" meant.
> As a RedHat user, you probably don't either. The latest public version
> is 2.3.27 right now. What version are you using?
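Howard's point above is that shadowMax/shadowWarning are only ever evaluated by pam_unix on data that nss_ldap fetched, while the 90-day/3-failure requirement in John's reply maps onto the ppolicy overlay's own attributes. The following is an added illustration (not code from pam_unix, nss_ldap or OpenLDAP): it evaluates a constructed shadowAccount entry with the shadow(5) aging rules pam_unix applies, and expresses the same policy as ppolicy attribute values. The entry, the DN `cn=default,ou=policies,dc=example,dc=com` and the day counts are made up; the pwd* attribute names are the overlay's real ones.

```python
"""Shadow-style password aging as nss_ldap + pam_unix would apply it, and the
equivalent OpenLDAP ppolicy attribute values.  Added illustration for this
thread; not code from pam_unix, nss_ldap or OpenLDAP."""
from datetime import date

# Constructed shadowAccount entry, as nss_ldap would map it for getspnam().
# shadowLastChange and shadowExpire count days since 1970-01-01.
SAMPLE_ENTRY_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
shadowLastChange: 13300
shadowMax: 90
shadowWarning: 7
shadowInactive: 5
shadowExpire: -1
"""


def parse_ldif_entry(text):
    """Minimal single-entry LDIF reader (no base64 values, no line folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def _shadow_int(entry, attr, default=-1):
    """An absent or empty shadow attribute means 'not set' (-1 in struct spwd)."""
    vals = entry.get(attr)
    if not vals or vals[0] == "":
        return default
    return int(vals[0])


def check_shadow_aging(entry, today):
    """Return (status, days_left) following the shadow(5) rules pam_unix applies.

    status: 'ok', 'warn', 'must_change', 'expired' (inactivity window passed,
    login refused) or 'account_expired' (shadowExpire reached).
    """
    lstchg = _shadow_int(entry, "shadowLastChange")
    maxage = _shadow_int(entry, "shadowMax")
    warn = _shadow_int(entry, "shadowWarning")
    inact = _shadow_int(entry, "shadowInactive")
    expire = _shadow_int(entry, "shadowExpire")

    if expire != -1 and today >= expire:
        return "account_expired", 0
    if lstchg == 0:                       # administrator forced a change
        return "must_change", 0
    if lstchg < 0 or maxage < 0:          # no aging data: the password is eternal
        return "ok", None
    age = today - lstchg
    if inact != -1 and age > maxage + inact:
        return "expired", 0
    if age > maxage:
        return "must_change", 0
    days_left = lstchg + maxage - today
    if warn != -1 and days_left < warn:
        return "warn", days_left
    return "ok", days_left


def days_since_epoch(d=None):
    """A date in the day-count unit the shadow attributes use."""
    return ((d or date.today()) - date(1970, 1, 1)).days


def ppolicy_attributes(max_age_days, max_failures, warn_days=7, lockout_seconds=0):
    """The same policy expressed for the OpenLDAP ppolicy overlay.

    ppolicy counts in seconds, not days; pwdLockoutDuration 0 means the lock
    stays until an administrator clears pwdAccountLockedTime.
    """
    return {
        "pwdAttribute": "userPassword",
        "pwdMaxAge": max_age_days * 86400,
        "pwdExpireWarning": warn_days * 86400,
        "pwdLockout": "TRUE",
        "pwdMaxFailure": max_failures,
        "pwdLockoutDuration": lockout_seconds,
    }


def ppolicy_ldif(dn, attrs):
    """Render the policy as an LDIF entry for the DN named by ppolicy_default."""
    cn = dn.split(",")[0].split("=", 1)[1]
    lines = [f"dn: {dn}", "objectClass: device", "objectClass: pwdPolicy", f"cn: {cn}"]
    lines += [f"{k}: {v}" for k, v in attrs.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY_LDIF)
    for day in (13350, 13385, 13391, 13396):
        print(day, check_shadow_aging(entry, day))
    print(ppolicy_ldif("cn=default,ou=policies,dc=example,dc=com",
                       ppolicy_attributes(90, 3)))
```

Running it shows the four states the sample entry passes through as days advance (ok, warn, must_change, expired), and that `shadowMax` absent means "never expires", which is exactly what the clients in this thread see when nothing consults the attribute. The ppolicy half is what slapd would enforce on a bind regardless of which PAM module the client uses.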
RE: password policy

Hi all. Sorry to come into your discussion without valuable information and with a question instead...

We are also about to implement nss-ldap together with pam-ldap here in our company, and wanted to ask one question related to Howard's answer:

> Howard Chu wrote:
> shadowMax and shadowWarning attributes are part of the NIS schema.
> pam_ldap doesn't know anything about them, only NSS uses them
> (via nss_ldap). I.e., they will only have an effect if the
> user authenticates via pam_unix and nss_ldap.

Is it a shortcut, or do you really mean that they will have no effect either if the user authenticates via pam_ldap and nss_ldap?

Many thanks.

Stephane Picard
ST Microelectronics
Re: password policy

I'm using RedHat ES 3/4 for clients. Authentication via LDAP works fine with ssh, but none of the shadowMax, shadowWarning, etc. ever makes it back to the clients. Do I need to modify my /etc/pam.d/ssh file?

    #%PAM-1.0
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so

John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@...
Phone: 202.479.9030 #427

John Beck wrote:
> I am using version 2.3.27 and have the password policy schema. Does your
> answer mean I need to post to the nss_ldap mailing lists, or am I ok here?
>
> I just need to find a way to make users that log in via ssh change their
> password every 90 days, and get locked out after 3 consecutive bad
> passwords. I saw the shadowMax, shadowExpire, etc. and assumed that it
> was pam_ldap that picked those up.
Re: password policy

John Beck wrote:
> I'm using RedHat ES 3/4 for clients. Authentication via LDAP works fine
> with ssh, but none of the shadowMax, shadowWarning, etc. ever makes it back
> to the clients.

Those values are NSS-related and not PAM issues.

--
CU, Patrick.