Claudio Di Nardo | 27 Sep 15:24 2011

dirsrv, SSH and forcing password change at first login

Hi all,

I've got four LDAP servers up and running in a multi-master configuration. Everything works fine, including ACIs and password policies, but I've got a problem forcing users to change their passwords at first successful login.
I tried both methods, "passwordMustChange: on" on the Password Policy Container and "passwordExpirationTime: 19700101000000Z" as attribute and value on the user, but with no luck. The user is still able to log in even after a password reset.
I tried to Google for this problem - of course! - and I made some modifications to the PAM subsystem (pam.d/* configuration files), nsswitch.conf and sshd_config (challenge-response auth).
I even tried to dig for some useful PAM module unknown to me, but nothing did the trick, so I reverted everything to the original configuration.
I'm sure the Password Policy works, because if I forcibly change my password as an LDAP user connected over SSH - with passwd - it applies all the checks I set up in the Password Policy (syntax and all the rest). But why, then, doesn't this particular feature work?
Can you please give me a clue, if you have one? :)
Could PAM/NSS be responsible?

Here are some specs of the software used:

RHEL Server 5.4 "Tikanga"
Kernel 2.6.18-164.el5
DS 8.2.0-2
PAM, SSHD, and all the rest are factory-default in Tikanga :)


Thanks
Claudio

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Joe Friedeggs | 28 Sep 03:48 2011

RE: dirsrv, SSH and forcing password change at first login

I had the same issue on Red Hat (see https://www.redhat.com/archives/pam-list/2009-October/msg00031.html).  I found a couple of work-arounds, but the ultimate solution was to set the following in /etc/ldap.conf (nss/pam ldap config):

pam_password exop


Thanks,
Joe

Claudio Di Nardo | 28 Sep 14:41 2011

Re: dirsrv, SSH and forcing password change at first login

Hi Joe,

thanks for your reply. I tried your work-around, but unfortunately nothing changes. In fact, I still can't get the user to be asked to change his password after the first successful login. I also took a look at the entire ldap.conf file, looking for potentially relevant directives (pam_lookup_policy, for example), but everything seems OK.
Furthermore, I checked the status of the authentication settings on the client with authconfig --test:

------------------------------------------------------------------------------------------------------------------------

nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldaps://xxx.xxx.xxx.xxx/ldaps://xxx.xxx.xxx.xxx/"
 LDAP base DN = "dc=xxx,dc=xxx"

------------------------------------------------------------------------------------------------------------------------

As you can see, for the authentication sub-system LDAP+TLS is DISABLED. But I can assure you that the LDAP servers only listen on 636, that LDAP tool queries (ldapmodify, ldapsearch...) only work if a certificate database is present, and that LDAP authentication over SSH only works if the .pem certificate is present in /etc/openldap/cacerts :)
My hypothesis now is: as you may know, passwords and encrypted communications are strictly tied together (e.g. Error 53: DSA is unwilling to perform; the LDAP server refuses to change passwords if a minimum level of security is not assured). Could the fact that for NSS/PAM there's no TLS in the communications with the LDAP server - even if, in fact, there IS - maybe result in this strange behavior?
Anyway, I experienced during installation and configuration that the authconfig tool must be a little buggy: sometimes feeding it CORRECT information at configuration time results in wrong settings in the PAM/NSS subsystems. So I always prefer to edit the files manually instead of using this tool.
I'll try to change some settings in this tool to make it work and recognize that TLS is enabled, and I'll keep you updated.
For now, thanks anyway :)

Claudio

Claudio Di Nardo | 29 Sep 15:54 2011

Re: dirsrv, SSH and forcing password change at first login

Hi all, (and hi Joe :P),

I finally got it working!
Setting a password policy on a subtree or on a particular user is not enough to make it active: you also have to enable it on cn=config of your LDAP tree.
In particular, in my configuration I have set these parameters on cn=config:

----------------------------------------------------------
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
----------------------------------------------------------

Then I leave to each "per sub-tree" or "per user" setting the duty of setting all the other in-depth policies that are required (e.g. min password length 8 chars, min alpha chars, min digits, min caps...).
Plus, I updated the nss_ldap package to the latest release: apparently, in fact, the default RHEL 5.4 nss_ldap package suffers from a bug in password expiration, as explained here - http://rhn.redhat.com/errata/RHBA-2011-0097.html.
Now I correctly get these messages:

user <at> ldap-client:[/root]# ssh ldap-user <at> ldap-client
Password:
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx

Remote kickstart on 2011-03-07

ldap-user <at> ldap-client:[/home/ldap-user]#

as well as

user <at> ldap-client:[/root]# ssh ldap-user <at> ldap-client
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:

Hope this could be useful to others.
Cheers! :)

Claudio

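Added example, not code from the thread: a small audit that checks a cn=config entry against the global policy values Claudio reports as working above, and evaluates the per-user passwordExpirationTime marker (19700101000000Z) from the first post. The LDIF entries are constructed sample data; nothing is queried from a live server.

```python
"""Audit the 389 DS / RHDS global password policy against the cn=config values
posted as working in this thread, and evaluate the per-user expiry marker.
Constructed sample data below; not code from the thread or the project."""
from datetime import datetime, timezone

# Values taken from the cn=config snippet Claudio posted as the working setup.
EXPECTED_GLOBAL = {
    "passwordExp": "on",
    "passwordMustChange": "on",
    "passwordCheckSyntax": "on",
    "passwordLockout": "on",
    "passwordStorageScheme": "SHA512",
}

# Constructed cn=config, as ldapsearch -LLL might print it; passwordExp left off.
GLOBAL_LDIF = """\
dn: cn=config
passwordCheckSyntax: on
passwordExp: off
passwordInHistory: 10
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
"""

# Constructed user entry carrying the "expired since the epoch" marker.
USER_LDIF = """\
dn: uid=ldap-user,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000000Z
"""

def parse_ldif(text):
    """Single-entry LDIF -> dict. LDAP attribute names are case-insensitive, so keys are lowercased."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry[name.strip().lower()] = value.strip()
    return entry

def global_policy_mismatches(cfg):
    """Names of cn=config attributes whose value differs from the working configuration."""
    return [a for a, want in EXPECTED_GLOBAL.items()
            if cfg.get(a.lower(), "").lower() != want.lower()]

def password_expired(user, now):
    """True when passwordExpirationTime (GeneralizedTime, UTC) is not in the future."""
    raw = user.get("passwordexpirationtime")
    if raw is None:
        return False
    exp = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return exp <= now

if __name__ == "__main__":
    print("cn=config mismatches:", global_policy_mismatches(parse_ldif(GLOBAL_LDIF)))
    print("user must change password:",
          password_expired(parse_ldif(USER_LDIF), datetime.now(timezone.utc)))
```

On a real server the two LDIF strings would come from ldapsearch output for cn=config and for the user entry; the mismatch list is empty when all the posted values are in place.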
Joe Friedeggs | 29 Sep 22:29 2011

RE: dirsrv, SSH and forcing password change at first login

Out of curiosity, is it working with md5?

In /etc/ldap.conf:

pam_password md5
pam_lookup_policy yes

Thanks,
Joe

Claudio Di Nardo | 30 Sep 00:02 2011

Re: dirsrv, SSH and forcing password change at first login

Hi Joe,


Yes, it worked with MD5. Then I switched to SHA512 to increase security, with no problems. You can even set the password scheme on a per-user basis. At that point the encryption scheme is transparent to PAM and NSS.

Claudio
D G Teed | 30 Sep 21:12 2011

pam_lastlog and cyrus imap

My Cyrus uses saslauthd, which uses PAM.
Everything is working OK.

I wanted to use lastlog to be able to prune unused accounts.

I have only this session entry in /etc/pam.d/imap:

session     required	  pam_lastlog.so silent

I log in over IMAP, and nothing new appears from the last command.

Am I doing this wrong, or does cyrus/saslauthd need
something to support lastlog?
