MPI Password expiration comparison:
A series of tests showing the configuration and behaviour of the OpenLDAP password expiration functionality, checking whether a forced password reset (pwdReset: TRUE) is honoured at ssh login with and without an ssh key for the user.
Test 1: Password reset by admin w/o user ssh key:
Current user, aa:
    # ldap -search uid=aa
    ------------------------------------------------------------------------
    dn:uid=aa,ou=users,dc=oci,dc=com
    cn: aa
    gecos: aa test user
    objectClass: top account posixAccount shadowAccount
    shadowMin: 0
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 602
    gidNumber: 614
    homeDirectory: /home/aa
    uid: aa
    userPassword: {SSHA}yTycX2lwFYyOth5m02qcD4RTwTZlFdID
    pwdChangedTime: 20140119214749Z
    shadowMax: 7
Reset the password and force a change at next login:
    # ldap -r -user aa -p 1changeme -f
    User password reset w/force option: aa
    # ldap -search uid=aa
    ------------------------------------------------------------------------
    dn:uid=aa,ou=users,dc=oci,dc=com
    cn: aa
    gecos: aa test user
    objectClass: top account posixAccount shadowAccount
    shadowMin: 0
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 602
    gidNumber: 614
    homeDirectory: /home/aa
    uid: aa
    shadowMax: 7
    userPassword: {SSHA}fvFjj4AsXnEaQcKrMCm9XKa2vcLCXINf
    pwdChangedTime: 20140310230231Z
    pwdReset: TRUE
Access the host client3 as user aa to verify that a password change is forced:
    # Prove there are no keys for user aa on client3:
    # h client3
    # grep -i ^authorizedkeys /etc/ssh/sshd_config
    AuthorizedKeysFile /etc/sshkeys/authorized_keys.%u
    # ll /etc/sshkeys
    total 24
    drwxr-xr-x.   2 root root   4096 Dec 31 12:29 ./
    dr-xr-xr-x. 117 root root  12288 Mar  8 15:48 ../
    -rw-r-----.   1 root admin  1167 Dec 31 12:29 authorized_keys.dkoleary
    -rwxr-x---.   1 root sys     834 Dec 31 12:29 authorized_keys.root*

    # Now, access aa@client3 and go through pwd update process:
    # h ldapsvr
    # ssh -l aa client3
    aa@client3's password:
    Password expired. Change your password now.
    Creating home directory for aa.
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user aa.
    Current Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Connection to client3 closed.
    # ssh -l aa client3
    aa@client3's password:
    Last login: Mon Mar 10 18:05:06 2014 from ldapsvr
    /usr/bin/xauth:  creating new authority file /home/aa/.Xauthority
    [aa@client3 ~]$
Test 2: Password reset with user ssh key:
Configure an ssh key for aa on client3 and verify key-based access works before resetting the password:
    # h client3
    # cp /etc/sshkeys/authorized_keys.root /etc/sshkeys/authorized_keys.aa
    # chgrp ldap-users /etc/sshkeys/authorized_keys.aa
    # h ldapsvr
    # ssh -l aa client3 hostname
    client3
Reset the password for account aa, again with the force option:
    # ldap -r -user aa -p 1changeme -f
    User password reset w/force option: aa
    # ldap -search uid=aa
    ------------------------------------------------------------------------
    dn:uid=aa,ou=users,dc=oci,dc=com
    cn: aa
    gecos: aa test user
    objectClass: top account posixAccount shadowAccount
    shadowMin: 0
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 602
    gidNumber: 614
    homeDirectory: /home/aa
    uid: aa
    shadowMax: 7
    userPassword: {SSHA}AaXQmf4wg69tQa2zpMHoTKaplMYIkaiW
    pwdChangedTime: 20140310231325Z
    pwdReset: TRUE
Access the host client3 as user aa to verify that a password change is forced:
    # h ldapsvr
    # ssh -l aa client3
    Last login: Mon Mar 10 18:05:24 2014 from ldapsvr
    [aa@client3 ~]$
No password change was forced: with key-based authentication the user never presents a password, so the password check that enforces the pwdReset flag never runs and the login succeeds straight into a shell. That's not good.
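Given the result of the two tests, a defender wants to know which accounts have a pending forced reset that an ssh key on a host would let the user skip. The following audit script is an added example, not part of the original test notes or of the `ldap` wrapper used above; it assumes ldapsearch-style LDIF input (as produced by `ldapsearch -x -LLL`) and a key directory matching the `AuthorizedKeysFile /etc/sshkeys/authorized_keys.%u` pattern shown in Test 1. The sample LDIF it writes is constructed test data.

```shell
#!/bin/sh
# Audit: list LDAP users whose password reset is pending (pwdReset: TRUE)
# but who also have an authorized_keys.<uid> file on this host, so a
# key-based ssh login would bypass the forced password change.
# KEYDIR is an assumption; override it for hosts with a different layout.
KEYDIR="${KEYDIR:-/etc/sshkeys}"

# Emit one line per LDIF entry: "uid pwdReset pwdChangedTime shadowMax".
# Missing attributes are printed as "-" so the fields stay aligned for read.
ldif_entries() {
    awk '
        function v(x) { return (x == "" ? "-" : x) }
        function flush() {
            if (uid != "") printf "%s %s %s %s\n", uid, v(reset), v(changed), v(max)
            uid = ""; reset = ""; changed = ""; max = ""
        }
        /^dn:/              { flush() }
        /^uid: /            { uid = $2 }
        /^pwdReset: /       { reset = $2 }
        /^pwdChangedTime: / { changed = $2 }
        /^shadowMax: /      { max = $2 }
        END                 { flush() }
    ' "$1"
}

# Report users with a pending reset who also have a key file in KEYDIR.
reset_bypass_candidates() {
    ldif_entries "$1" | while read -r uid reset changed max; do
        [ "$reset" = "TRUE" ] || continue
        if [ -f "$KEYDIR/authorized_keys.$uid" ]; then
            echo "$uid: pwdReset pending since $changed, key file $KEYDIR/authorized_keys.$uid present"
        fi
    done
}

# Constructed sample LDIF (not real directory data) for a stand-alone run:
# aa has a pending reset, bb does not.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: uid=aa,ou=users,dc=example,dc=com
uid: aa
pwdChangedTime: 20140310231325Z
shadowMax: 7
pwdReset: TRUE

dn: uid=bb,ou=users,dc=example,dc=com
uid: bb
pwdChangedTime: 20140119214749Z
shadowMax: 7
EOF
}
# Usage on a real host: ldapsearch -x -LLL ... > users.ldif; reset_bypass_candidates users.ldif
```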