Hi all,

We are currently migrating all our RHEL 5 Linux servers to a central Sun One Directory Server (LDAP). So far everything works well (we are using compat mode to restrict access).

But now, after a while, we ran into a problem when using ssh with key-based authentication. With the setup we are using, the system can calculate the password age by looking at the shadowLastChange and shadowMax attributes, both available in LDAP. When the password is expired, the user gets a prompt during login telling him to change the password immediately. But if the user uses key-based authentication, the warning is not displayed and the user can log in without having to change the password. From my understanding, this should be handled by PAM, but unfortunately this doesn't work as expected.

My configuration of the client looks as follows:

# cat /etc/ldap.conf
base dc=internal,dc=ch
binddn uid=proxyusr,dc=internal,dc=ch
bindpw <password>
port 389
scope sub
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_password clear
pam_password_prohibit_message Please visit http://internal to change your password.
nss_base_passwd ou=People,dc=internal,dc=ch?one
nss_base_shadow ou=People,dc=internal,dc=ch?one
nss_base_group ou=Groups,dc=internal,dc=ch?one
nss_base_netgroup ou=Netgroup,dc=internal,dc=ch?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://<LDAP Server>/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
debug 0

# cat /etc/nsswitch.conf
passwd: compat
shadow: compat
group: compat
passwd_compat: ldap
shadow_compat: ldap
group_compat: ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

# cat /etc/pam.d/system-auth
auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass debug
auth requisite pam_succeed_if.so uid >= 500 quiet debug
auth sufficient pam_ldap.so use_first_pass debug
auth required pam_deny.so debug
account sufficient pam_succeed_if.so uid < 500 quiet debug
account [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account required pam_unix.so broken_shadow debug
password requisite pam_cracklib.so try_first_pass retry=3 debug
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok debug
password sufficient pam_ldap.so use_authtok debug
password required pam_deny.so debug
session required pam_limits.so debug
session required pam_unix.so debug
session optional pam_ldap.so debug

# cat /etc/ssh/sshd_config
Port 22
Protocol 2
ListenAddress <address>
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel DEBUG
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

I'd really appreciate it if somebody could help me out with this, as I have tried almost everything. Debug mode from sshd only tells me that when using key-based authentication the password is not expired, but if no key is used, the system immediately prompts the password change message.

Thanks and all the best,
Simon

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
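As an added example (not from the original post or the list), a small Python audit that applies the same shadowLastChange/shadowMax day arithmetic that pam_unix's account check uses to `getent shadow` output, so an admin can list LDAP-backed users whose password is already expired regardless of whether they log in with a password or a key. The sample shadow lines and the fixed "today" value are constructed; the classification rules are modelled on pam_unix and shadow(5).

```python
# Added example: audit password age on 'getent shadow' lines the way
# pam_unix's account check does (days since 1970-01-01, shadow(5) fields).
import datetime

SECS_PER_DAY = 86400

def days_since_epoch(when=None):
    """shadowLastChange / the shadow 'lastchg' field count days since the epoch."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return int(when.timestamp()) // SECS_PER_DAY

def shadow_state(shadow_line, today):
    """Classify one shadow line: 'expired', 'inactive', 'must-change', 'warn' or 'ok'.
    Order and comparisons follow pam_unix's check_shadow_expiry()."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow line: %r" % shadow_line)
    def num(s):                      # an empty field means 'not set' (-1)
        return int(s) if s.strip() else -1
    lastchg, _minday, maxday, warn, inact, expire = (num(f) for f in fields[2:8])
    age = today - lastchg
    if expire != -1 and today > expire:
        return "expired"             # hard account expiry date has passed
    if lastchg == 0:
        return "must-change"         # admin forced a change at next login
    if maxday != -1 and inact != -1 and age > maxday + inact:
        return "inactive"            # past expiry plus the inactivity grace
    if maxday != -1 and age > maxday:
        return "must-change"         # pam_unix returns PAM_NEW_AUTHTOK_REQD here
    if maxday != -1 and warn != -1 and age > maxday - warn:
        return "warn"                # inside the warning window, login still ok
    return "ok"

def audit(lines, today):
    """Return {user: state} for every user whose password is not simply 'ok'."""
    result = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        state = shadow_state(line, today)
        if state != "ok":
            result[line.split(":", 1)[0]] = state
    return result

# Constructed sample output of 'getent shadow' (not real accounts or hashes).
SAMPLE = ["alice:$1$x:13900:0:90:7:::", "bob:$1$x:13950:0:90:7:::",
          "carol:$1$x:13915:0:90:7:::", "dave:$1$x:0:0:90:7:::",
          "erin:$1$x:13800:0:90:7:30::", "frank:$1$x:13990:0:90:7::13999:",
          "grace:$1$x:13990::::::"]

if __name__ == "__main__":
    for user, state in sorted(audit(SAMPLE, today=14000).items()):
        print("%-8s %s" % (user, state))
```

Run it against real data with `getent shadow` as root (the proxy binddn must be allowed to read shadowLastChange/shadowMax, or the lastchg/max fields come back empty and every user is reported as "ok").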
