
Most of the users are from an OpenLDAP server, and users log in via SSH. Some users use a key to log in, some use a password.

I have set up a password policy for LDAP, so users may become locked in LDAP (by policy).

So I wonder: Can I make OpenSSH deny key logins for users that are locked in LDAP?

Likewise: OpenLDAP records the date of the last successful authentication (authTimestamp or pwdLastSuccess) to detect "idle" accounts; can I make OpenSSH update these attributes when authenticating via key (so that the accounts won't be locked for being "idle")?

As I understand it, OpenSSH would have to authenticate against LDAP to make the server update the attributes. Probably not possible, but anyway...

2 Answers


The one system I've used for LDAP authentication and password expiration (FreeIPA) configured sshd to invoke a helper utility program to fetch the SSH public key from LDAP so sshd could perform key-based authentication using public keys stored in LDAP rather than on local disk. The sshd was not configured to evaluate any policies from LDAP (in fact, it didn't even talk directly to LDAP). It's my belief that the stock OpenSSH sshd doesn't have the ability to evaluate account expiration policies that may be stored in LDAP.

One thing that you may want to test in your architecture is whether your expiration policies will apply to SSH public keys. When I used FreeIPA (2018-2021) its expiration and lock-out policies applied to passwords only. An account could have the password expire or be locked out (for too many failed login attempts), but SSH key authentication would still succeed.

I didn't like this and felt that an account which had one form of authentication expired/locked should not be allowed an equivalent form of authentication. But several tickets on the topic in the FreeIPA bugtrack system showed the developers didn't agree. I ended up just living with the behavior.


Assuming you are using PAM then yes, as long as your PAM module enforces these checks and you invoke it from the account management group within your SSH server's PAM configuration.

As for updating the entries on your users' attributes: I don't think this is normally done on the machine where the user is authenticating, but rather it's done by the LDAP server that is responding to the authentication requests. But since you're using (SSH) public key authentication, the LDAP server won't be involved in the authentication step.

  • Doesn't PAM enter the picture too late to perform key-based authentication, since the key is also used to encrypt the connection? Commented Aug 19 at 13:47
  • It's too late for authentication, but not for accounting. Commented Aug 20 at 14:59
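The two answers together point at the one place where sshd does consult something external before accepting a key: the helper program named by `AuthorizedKeysCommand` (the mechanism the first answer describes). Below is an added example of such a helper that withholds every key for an account OpenLDAP's ppolicy overlay has locked, so key logins fail for locked users even though sshd itself evaluates no LDAP policy. This is example code written for this page, not code from the question, either answer, or any project. Assumptions: the `sshd_config` lines `AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u` and `AuthorizedKeysCommandUser nobody` (both real directives; the path is a placeholder), the `sshPublicKey` attribute from the openssh-lpk schema, and the ppolicy operational attribute `pwdAccountLockedTime`. The LDAP search itself is replaced by a constructed in-memory directory so the script runs offline; the key strings are placeholders.

```python
#!/usr/bin/env python3
"""ldap-authorized-keys: AuthorizedKeysCommand helper (added example).

sshd runs this as `ldap-authorized-keys <user>` and accepts only the public
keys it prints.  Printing nothing for a locked account means no key works.
"""
import sys
from typing import Dict, List

# Constructed stand-in for the result of an LDAP search such as
#   base=ou=people,dc=example,dc=org  filter=(uid=<user>)
#   attrs=sshPublicKey,pwdAccountLockedTime
# The key material is a placeholder, not a real public key.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {
        "sshPublicKey": ["ssh-ed25519 AAAAC3-placeholder-alice alice@example.org"],
    },
    "bob": {  # locked by ppolicy after pwdMaxFailure failed binds
        "sshPublicKey": ["ssh-ed25519 AAAAC3-placeholder-bob bob@example.org"],
        "pwdAccountLockedTime": ["20240801120000Z"],
    },
    "carol": {  # 000001010000Z is ppolicy's "locked by administrator" value
        "sshPublicKey": ["ssh-ed25519 AAAAC3-placeholder-carol carol@example.org"],
        "pwdAccountLockedTime": ["000001010000Z"],
    },
}


def lookup(user: str, directory: Dict[str, Dict[str, List[str]]] = SAMPLE_DIRECTORY
           ) -> Dict[str, List[str]]:
    """Stand-in for the directory search.  A real helper would bind with a
    read-only service account here and must be able to read the operational
    attribute pwdAccountLockedTime, which ordinary searches do not return
    unless it is requested explicitly.  Unknown users yield an empty entry."""
    return directory.get(user, {})


def is_locked(entry: Dict[str, List[str]]) -> bool:
    """ppolicy sets pwdAccountLockedTime when it locks an account and clears
    it on unlock.  This example treats any value as "locked"; if the policy
    uses pwdLockoutDuration, a stricter helper would also compare the
    timestamp plus that duration against the current time, because an expired
    lock is only cleared lazily on the next successful bind."""
    return bool(entry.get("pwdAccountLockedTime"))


def authorized_keys(user: str,
                    directory: Dict[str, Dict[str, List[str]]] = SAMPLE_DIRECTORY
                    ) -> List[str]:
    """Keys sshd may accept for `user`: none when the account is locked or
    does not exist in the directory (fail closed)."""
    entry = lookup(user, directory)
    if is_locked(entry):
        return []
    return list(entry.get("sshPublicKey", []))


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: ldap-authorized-keys USER", file=sys.stderr)
        return 2
    for key in authorized_keys(argv[1]):
        print(key)
    # Exit 0 with empty output: sshd simply finds no acceptable key.
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For the lock to be effective, `AuthorizedKeysFile` must be set to `none` in `sshd_config` (a value the directive accepts), otherwise a key in `~/.ssh/authorized_keys` bypasses the helper. The helper only filters keys; it does not update `pwdLastSuccess` or `authTimestamp`, which, as the second answer notes, only the LDAP server maintains, and only for binds it actually sees.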
