
SLES 12 SP4 Locking accounts and still allowing ldap logins?



skunkboy
15-Mar-2019, 19:05
Hello,

So, up until SLES12sp3, we could create an account on a box which was configured for ldap authentication, and when we locked the account they could still
ssh into the box. Now with SLES12sp4 that no longer appears to be the case. If I lock an account it cannot log in at all. If I set a junk password, ldap
logins work again. Any suggestions on how to not set a local password, but still allow ldap logins?

2019-03-15T13:50:41.961114-04:00 box2 sshd[25190]: error: PAM: User account has expired for user from 164.76.1.1 ?

If I set an expire date in the future I get the same message. I thought a 0 for the expire date meant never expire??

Thanks,
Matt

Automatic Reply
20-Mar-2019, 05:30
skunkboy,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort and volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com

AndreasMeyer
20-Mar-2019, 17:03
Check your configuration files for login/authentication to the SSH server.

Configuration files for login/authentication to the SSH server (sshd) are:

/etc/ssh/sshd_config
/etc/pam.d/sshd

For a description of all configuration parameters for login/authentication to the SSH server (sshd) read:

# man sshd_config
# man pam
# man pam.d
https://forums.suse.com/showthread.php?12955-How-to-secure-ssh-accessible-from-the-internet&p=55830#post55830

Interesting configuration parameters in /etc/ssh/sshd_config are:

GSSAPIAuthentication
UsePAM
PubkeyAuthentication
HostbasedAuthentication
PasswordAuthentication
ChallengeResponseAuthentication
KbdInteractiveAuthentication
KerberosAuthentication
KerberosOrLocalPasswd
PermitEmptyPasswords
PermitRootLogin

AndreasMeyer
20-Mar-2019, 17:14
ArchWiki is an interesting source of Linux information:

https://wiki.archlinux.org/index.php/OpenSSH

https://wiki.archlinux.org/index.php/PAM

https://wiki.archlinux.org/index.php/LDAP_authentication

skunkboy
20-Mar-2019, 19:50
For some reason I didn't get an email for these replies so didn't read them until now.

Looking at a box that was upgraded from 12sp3 to 12sp4 and a box that was upgraded from 11sp4 to 12sp4, in /etc/pam.d/common_account
I notice a big difference...

From the 12sp3 box:
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

From the 11sp4 box:
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass


Changing the 11sp4 config to the 12sp3 config fixes the issue, followed by a systemctl restart sshd.

Thanks!
Matt
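To make the behaviour of the account stack quoted above concrete (and the question in the first post about a 0 expire date), here is an added Python emulation. It is not code from the thread, from SUSE or from Linux-PAM: it re-implements the Linux-PAM control-flag rules for `requisite`, `required`, `sufficient` and `optional`, and a subset of the expiry checks upstream pam_unix performs at the account stage (modelled on its `check_shadow_expiry`, where the expire field is tested as `expire != -1 and today >= expire`, so an empty field means no expiry but a literal 0 reads as expired since 1970, the ambiguity shadow(5) warns about). Whether the pam_unix shipped in SLES 12 SP4 matches that model is an assumption to check against the installed package; the function names, the `STACK_12SP3` constant, the shadow lines and the "today" value of 2019-03-15 are all constructed for the example.

```python
"""Emulate an sshd PAM 'account' stack with Linux-PAM control-flag semantics.

Added example; not code from the forum thread, SUSE or Linux-PAM.
Shadow entries and the date are constructed test data.
"""
from datetime import date

# Account stack as posted for the 12sp3 box: (control flag, module).
# Module options such as try_first_pass are irrelevant at the account stage.
STACK_12SP3 = [
    ("requisite", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("required", "pam_ldap.so"),
]


def parse_shadow(line):
    """Parse one shadow(5) line: name:hash:lastchg:min:max:warn:inact:expire:flag.
    Empty numeric fields become -1, as getspnam(3) reports them; an explicit
    0 stays 0, and for the expire field that difference decides the login."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entry must have 9 colon-separated fields")

    def num(value):
        return int(value) if value else -1

    return {"name": fields[0], "hash": fields[1],
            "lastchg": num(fields[2]), "expire": num(fields[7])}


def is_password_locked(entry):
    """passwd -l / usermod -L only prefix the hash with '!'. That defeats
    password authentication; it is not an account-stage failure."""
    return entry["hash"].startswith("!")


def pam_unix_account(entry, today):
    """Subset of pam_unix's account-stage checks (assumption: modelled on
    upstream check_shadow_expiry). The '!' lock is deliberately not consulted
    here because pam_unix does not look at it at this stage."""
    # Compared against -1, not 0: a literal 0 is "expired since 1970-01-01".
    if entry["expire"] != -1 and today >= entry["expire"]:
        return "ACCT_EXPIRED"
    if entry["lastchg"] == 0:
        return "NEW_AUTHTOK_REQD"  # forced password change
    return "SUCCESS"


def run_stack(stack, results):
    """Evaluate a PAM stack. results maps module name -> return code."""
    first_failure = None
    for control, module in stack:
        rc = results[module]
        if control == "requisite":
            if rc != "SUCCESS":
                return rc  # stop immediately; later modules never run
        elif control == "required":
            if rc != "SUCCESS" and first_failure is None:
                first_failure = rc  # remember, keep running the stack
        elif control == "sufficient":
            if rc == "SUCCESS" and first_failure is None:
                return "SUCCESS"  # short-circuit: pam_ldap is not consulted
        elif control != "optional":
            raise ValueError("unknown control flag %r" % control)
    return first_failure or "SUCCESS"


def account_decision(shadow_line, today, ldap_rc="SUCCESS", stack=STACK_12SP3):
    """Account-stage outcome for a user who has a local passwd/shadow entry;
    ldap_rc simulates what pam_ldap would answer for that user."""
    entry = parse_shadow(shadow_line)
    results = {
        "pam_unix.so": pam_unix_account(entry, today),
        "pam_localuser.so": "SUCCESS",  # user is in /etc/passwd
        "pam_ldap.so": ldap_rc,
    }
    return run_stack(stack, results)


if __name__ == "__main__":
    today = (date(2019, 3, 15) - date(1970, 1, 1)).days  # 17970
    # Constructed entries: same locked hash, differing only in the expire field.
    for line in ("matt:!$6$saltsalt$hashhash:17800:0:99999:7::0:",
                 "matt:!$6$saltsalt$hashhash:17800:0:99999:7:::",
                 "matt:!$6$saltsalt$hashhash:17800:0:99999:7::18000:"):
        entry = parse_shadow(line)
        print("expire=%-6r locked=%-5r -> %s" % (
            line.split(":")[7] or "", is_password_locked(entry),
            account_decision(line, today)))
```

Two things the emulation makes visible that the config lines alone do not: with `requisite pam_unix.so` first, the local shadow entry gates every login for a user who has one, including logins whose password was checked against LDAP, and because `sufficient pam_localuser.so` returns as soon as the user is found in /etc/passwd, the directory's own account state for that user is never consulted at all. To keep a local entry but have it neither expire nor accept a password, the expire field has to be empty rather than 0, and the hash has to be the locked form.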