===================================
MPI Password expiration comparison:
===================================

Series of tests showing the configuration of the openldap password expiration functionality and the behaviour it produces at login.

Test 1: Password reset by admin w/o user ssh key:
==================================================

* Current user, aa: ::

    # ldap -search uid=aa
    ------------------------------------------------------------------------
    dn:uid=aa,ou=users,dc=oci,dc=com
    cn: aa
    gecos: aa test user
    objectClass: top account posixAccount shadowAccount
    shadowMin: 0
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 602
    gidNumber: 614
    homeDirectory: /home/aa
    uid: aa
    userPassword: {SSHA}yTycX2lwFYyOth5m02qcD4RTwTZlFdID
    pwdChangedTime: 20140119214749Z
    shadowMax: 7

* Reset password and force change: ::

    # ldap -r -user aa -p 1changeme -f
    User password reset w/force option: aa
    # ldap -search uid=aa
    ------------------------------------------------------------------------
    dn:uid=aa,ou=users,dc=oci,dc=com
    cn: aa
    gecos: aa test user
    objectClass: top account posixAccount shadowAccount
    shadowMin: 0
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 602
    gidNumber: 614
    homeDirectory: /home/aa
    uid: aa
    shadowMax: 7
    userPassword: {SSHA}fvFjj4AsXnEaQcKrMCm9XKa2vcLCXINf
    pwdChangedTime: 20140310230231Z
    pwdReset: TRUE

* Access the host client3 as user aa to verify that the password change is forced: ::

    # Prove there are no keys for user aa on client3:
    # h client3
    # grep -i ^authorizedkeys /etc/ssh/sshd_config
    AuthorizedKeysFile /etc/sshkeys/authorized_keys.%u
    # ll /etc/sshkeys
    total 24
    drwxr-xr-x.   2 root root   4096 Dec 31 12:29 ./
    dr-xr-xr-x. 117 root root  12288 Mar  8 15:48 ../
    -rw-r-----.   1 root admin  1167 Dec 31 12:29 authorized_keys.dkoleary
    -rwxr-x---.   1 root sys     834 Dec 31 12:29 authorized_keys.root*

    # Now, access aa@client3 and go through the pwd update process:
    # h ldapsvr
    # ssh -l aa client3
    aa@client3's password:
    Password expired. Change your password now.
    Creating home directory for aa.
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user aa.
    Current Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Connection to client3 closed.
    # ssh -l aa client3
    aa@client3's password:
    Last login: Mon Mar 10 18:05:06 2014 from ldapsvr
    /usr/bin/xauth:  creating new authority file /home/aa/.Xauthority
    [aa@client3 ~]$

Test 2: Password reset with user ssh key:
=========================================

* Configure the ssh key and verify access before resetting the password: ::

    # h client3
    # cp /etc/sshkeys/authorized_keys.root /etc/sshkeys/authorized_keys.aa
    # chgrp ldap-users /etc/sshkeys/authorized_keys.aa
    # h ldapsvr
    # ssh -l aa client3 hostname
    client3

* Reset pwd for account aa: ::

    # ldap -r -user aa -p 1changeme -f
    User password reset w/force option: aa
    # ldap -search uid=aa
    ------------------------------------------------------------------------
    dn:uid=aa,ou=users,dc=oci,dc=com
    cn: aa
    gecos: aa test user
    objectClass: top account posixAccount shadowAccount
    shadowMin: 0
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 602
    gidNumber: 614
    homeDirectory: /home/aa
    uid: aa
    shadowMax: 7
    userPassword: {SSHA}AaXQmf4wg69tQa2zpMHoTKaplMYIkaiW
    pwdChangedTime: 20140310231325Z
    pwdReset: TRUE

* Access the host client3 as user aa to verify that the password change is forced: ::

    # h ldapsvr
    # ssh -l aa client3
    Last login: Mon Mar 10 18:05:24 2014 from ldapsvr
    [aa@client3 ~]$

No password change was forced: with key-based authentication the login never goes through the password prompt, so the pending reset is not enforced. That's not good.
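The two tests above show that ``pwdReset: TRUE`` is only enforced when the user authenticates with a password, and that an ``authorized_keys.<uid>`` file in ``/etc/sshkeys`` lets the user skip it. The following audit script is an added example, not part of the original test log or the ``ldap`` wrapper it uses. It parses the ``attr: value`` lines printed by ``ldap -search``, treats a password as expired once ``pwdChangedTime`` plus ``shadowMax`` days has passed (an assumption for the example; shadow and ppolicy attributes are combined here only because the test above configures both), and cross-checks the per-user key files so that accounts whose pending reset would be bypassed by a key are reported. The ``bb`` and ``cc`` entries, the key listing and the reference time are constructed; the ``aa`` entry is the one from Test 2.

```python
"""Audit LDAP accounts for expired or reset passwords that an SSH key could bypass.

Added example, not code from the original page. Parses the per-line
"attr: value" output of the `ldap -search` wrapper and flags accounts.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Attribute dump in the format printed by the `ldap -search` wrapper.
# The aa entry is the one from Test 2; bb and cc are constructed for contrast.
LDAP_DUMP = """\
dn:uid=aa,ou=users,dc=oci,dc=com
uid: aa
shadowMax: 7
pwdChangedTime: 20140310231325Z
pwdReset: TRUE

dn:uid=bb,ou=users,dc=oci,dc=com
uid: bb
shadowMax: 7
pwdChangedTime: 20140119214749Z

dn:uid=cc,ou=users,dc=oci,dc=com
uid: cc
shadowMax: 90
pwdChangedTime: 20140301120000Z
"""

# Constructed listing of the AuthorizedKeysFile directory (/etc/sshkeys) on client3,
# matching the "authorized_keys.%u" pattern from sshd_config in Test 1.
SSHKEYS_DIR = ["authorized_keys.dkoleary", "authorized_keys.root", "authorized_keys.aa"]

# Constructed reference time: shortly after the Test 2 reset.
NOW = datetime(2014, 3, 11, 0, 0, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    uid: str
    changed: datetime   # pwdChangedTime as an aware UTC datetime
    shadow_max: int     # days a password stays valid after a change
    pwd_reset: bool     # administrator forced a change (pwdReset: TRUE)


def parse_dump(text: str) -> list[Account]:
    """Parse blank-line separated entries of 'attr: value' lines into Account objects."""
    accounts: list[Account] = []
    for block in text.strip().split("\n\n"):
        attrs: dict[str, str] = {}
        for line in block.splitlines():
            # The dn line is printed as "dn:uid=..." without a space, so split on the first colon only.
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        changed = datetime.strptime(attrs["pwdChangedTime"], "%Y%m%d%H%M%SZ")
        accounts.append(Account(
            uid=attrs["uid"],
            changed=changed.replace(tzinfo=timezone.utc),
            shadow_max=int(attrs["shadowMax"]),
            pwd_reset=attrs.get("pwdReset", "FALSE").upper() == "TRUE",
        ))
    return accounts


def audit(accounts: list[Account], keys_dir: list[str], now: datetime) -> dict[str, list[str]]:
    """Return {uid: findings}.

    'expired'       now is past pwdChangedTime + shadowMax days (assumed expiry rule)
    'reset-pending' pwdReset is TRUE, so the next password login must change the password
    'key-bypass'    an expiry/reset is pending but a per-user key file exists, so a
                    key-based ssh login would skip the forced change (Test 2 behaviour)
    """
    prefix = "authorized_keys."
    keyed = {name[len(prefix):] for name in keys_dir if name.startswith(prefix)}
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues: list[str] = []
        if now > acct.changed + timedelta(days=acct.shadow_max):
            issues.append("expired")
        if acct.pwd_reset:
            issues.append("reset-pending")
        if issues and acct.uid in keyed:
            issues.append("key-bypass")
        findings[acct.uid] = issues
    return findings


if __name__ == "__main__":
    for uid, issues in audit(parse_dump(LDAP_DUMP), SSHKEYS_DIR, NOW).items():
        print(f"{uid}: {', '.join(issues) if issues else 'ok'}")
```

Run against real data, the dump would come from ``ldap -search`` and the key listing from ``ls /etc/sshkeys`` on each client; any account reported as ``key-bypass`` is one where an administrator's forced reset is not actually being enforced, which is exactly the gap Test 2 exposes.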