


LDAP password management (aging)

I was reading the LDAP docs for Solaris 9 and found that "password
management" (password aging, expiration, even account lockout on bad
logins) was introduced in Solaris 9 12/02.

Does anyone know if these features of pam_ldap have been or are going
to be ported to earlier releases, perhaps as patches?

We are planning to move user account management to LDAP and password
aging is one of our requirements.

I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
restricted so I could not read the patch description.
If this patch introduced password management, any plans to make it
public?  Otherwise I guess we can only get it with a Maintenance
Update or service contract.

Perhaps someone can convince Sun to make the patch public since
password aging can be associated with security?  (I know some think
password aging is a bad idea because it encourages users to write them
down, etc, but in some cases it is a good thing).

Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
aging and it is a free patch.

Anyway, in a related note I find it interesting that "account lockout"
has been introduced.  I know most of us believe that locking a user
account after # failed login attempts is a Very Bad Idea (TM), but
every once in a while someone asks if this can be done in Solaris
(usually by request of a PHB), and the answer has usually been (in
addition to "don't do it"), that Solaris does not support it unless
the user writes her own PAM module... I guess now we can tell them
to use pam_ldap.


http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
"The following password management features are supported through 
pam_ldap(5).

[snip]

       User account lockout
       A user account can be locked out after a given number of repeated 
authentication failures. A user can also be locked out if his account is 
inactivated by an administrator. Authentication will continue to fail 
until the account lockout time is passed or the administrator 
reactivates the account."


0
delrio (67)
7/14/2003 8:52:54 PM
comp.unix.solaris

6 Replies
717 Views


In article <3F131826.7060403@mie.utoronto.ca>,
 Oscar del Rio <delrio@mie.utoronto.ca> wrote:

> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
> 
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
> 
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
> 
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public?  Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
> 
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security?  (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
> 
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
> 
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced.  I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
> 
> 
> http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
> "The following password management features are supported through 
> pam_ldap(5).
> 
> [snip]
> 
>        User account lockout
>        A user account can be locked out after a given number of repeated 
> authentication failures. A user can also be locked out if his account is 
> inactivated by an administrator. Authentication will continue to fail 
> until the account lockout time is passed or the administrator 
> reactivates the account."
> 
> 

This feature is closer to what I recall as "security intrusion".  The 
account login is disabled for a specific time, then it works again, 
unless an admin reactivates the account before the specific time is up.  
VMS did this.  It's really a Good Thing(tm).

What you've been referring to as "account lockout" is where the account 
is _permanently_ disabled from access after, say, 3 failed login 
attempts.  It would require a security manager or sysadmin to re-enable 
the account.  This could lead to a denial of service attack and is a Bad 
Thing(tm) (unless you make the PHB who required it the point of 
contact...).  VMS had this as well.

I still think you need a pam module to do "account lockout" unless you 
can specify a really long time on a per-account basis rather than only 
system-wide.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



0
Michael
7/14/2003 9:34:22 PM
Oscar del Rio <delrio@mie.utoronto.ca> writes:
>I was reading the LDAP docs for Solaris 9 and found that "password
>management" (password aging, expiration, even account lockout on bad
>logins) was introduced in Solaris 9 12/02.
>
>Does anyone know if these features of pam_ldap have been or are going
>to be ported to earlier releases, perhaps as patches?
>

Solaris 9:  Patch 112960-07

   (from 112960-03)
 
    4357827 pam_ldap should fully support password aging


Solaris 8:  Patch 108993-22

   (from 108993-14)
  
   4357827 pam_ldap should fully support password aging


  -Greg
-- 
Do NOT reply via e-mail.
Reply in the newsgroup.
0
gerg
7/14/2003 10:40:54 PM
> >        User account lockout
> >        A user account can be locked out after a given number of repeated
> > authentication failures. A user can also be locked out if his account is
> > inactivated by an administrator. Authentication will continue to fail
> > until the account lockout time is passed or the administrator
> > reactivates the account."
> >
> >
>
> This feature is closer to what I recall as "security intrusion".  The
> account login is disabled for a specific time, then it works again,
> unless an admin reactivates the account before the specific time is up.
> VMS did this.  It's really a Good Thing(tm).

How can that be a Good Thing (tm)?
What would stop anyone from writing a script that disables your account
every 5 minutes (or whatever time interval the account is reactivated)?


0
Oscar
7/15/2003 12:24:18 PM
In article <HI2FzA.8Go@mie.utoronto.ca>,
 "Oscar del Rio" <delrio@mie.utoronto.ca> wrote:

> > >        User account lockout
> > >        A user account can be locked out after a given number of repeated
> > > authentication failures. A user can also be locked out if his account is
> > > inactivated by an administrator. Authentication will continue to fail
> > > until the account lockout time is passed or the administrator
> > > reactivates the account."
> > >
> > >
> >
> > This feature is closer to what I recall as "security intrusion".  The
> > account login is disabled for a specific time, then it works again,
> > unless an admin reactivates the account before the specific time is up.
> > VMS did this.  It's really a Good Thing(tm).
> 
> How can that be a Good Thing (tm)?
> What would stop anyone from writing a script that disables your account
> every 5 minutes (or whatever time interval the account is reactivated)?

There are certain accounts I wouldn't enable this on and I hope that is a 
feature of this new capability.  Depends on how paranoid you wanna be or 
are told to be by a PHB.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



0
Michael
7/15/2003 7:04:26 PM
In article <6scRa.10156$6a3.120577@twister.rdc-kc.rr.com>, no.s.p.a.m-
dave57@127.0.0.1 says...
> 
> "Oscar del Rio" <delrio@mie.utoronto.ca> wrote in message
> > How can that be a Good Thing (tm)?
> > What would stop anyone from writing a script that disables your account
> > every 5 minutes (or whatever time interval the account is reactivated)?
> 
> What you do is go into the logs and find out who did such a thing and stop
> them either by a firewall or whatever.  If it is from the inside,
> termination works well.
> 
> 
> 
As long as it is termination by beheading. Someone mucking about like 
that would deserve it.

-- 
Mike Miller
If all else fails - READ THE INSTRUCTIONS!
or if you like
"If all else fails - THROW HARDER" Robert Smith(pro bowler)
0
Mike
7/17/2003 12:12:39 PM
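Added example, not code from the thread or from Sun's pam_ldap: a small model of the two lockout semantics Michael distinguishes (a timed lock that expires on its own versus a lock that only an administrator clears), following the quoted docs in that a correct password is refused while the lock is in force, plus a check over lock events that flags an account being re-locked again and again, the denial-of-service pattern Oscar raises and which the thread suggests hunting for in the logs. Class and function names, parameter names, thresholds and the event records are constructed for illustration.

```python
from collections import defaultdict

class LockoutModel:
    """Model of the quoted lockout semantics: lock after N failures, then refuse
    even correct passwords until the lockout time passes or an admin reactivates."""

    def __init__(self, max_failures=3, lockout_seconds=300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds  # None = locked until reactivate()
        self.failures = defaultdict(int)        # user -> consecutive failures
        self.locked_at = {}                     # user -> time the lock was applied
        self.lock_events = []                   # (time, user) records for the detector

    def is_locked(self, user, now):
        if user not in self.locked_at:
            return False
        if self.lockout_seconds is None:        # the "permanently disabled" variant
            return True
        return now - self.locked_at[user] < self.lockout_seconds

    def attempt(self, user, password_ok, now):
        """Outcome of one login attempt: 'ok', 'fail' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                     # a correct password is refused too
        if user in self.locked_at:              # timed lock expired: start fresh
            del self.locked_at[user]
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_at[user] = now
            self.lock_events.append((now, user))
        return "fail"

    def reactivate(self, user):                 # administrator clears the lock
        self.locked_at.pop(user, None)
        self.failures[user] = 0

def repeatedly_locked(lock_events, window_seconds, threshold):
    """Users locked `threshold` or more times inside `window_seconds`: a timed lock
    that keeps re-arming is the denial-of-service pattern raised in the thread."""
    by_user = defaultdict(list)
    for when, user in sorted(lock_events):      # sorted by time, so per-user lists are too
        by_user[user].append(when)
    return sorted(u for u, t in by_user.items()
                  if any(t[i + threshold - 1] - t[i] <= window_seconds
                         for i in range(len(t) - threshold + 1)))
```

Feeding `repeatedly_locked` the lock events from a real auth log (time and account per lockout) turns the "go into the logs" advice into an alert: an account that trips the timed lock several times in a row is either under a guessing attack or being deliberately kept locked, and either way someone should look at where the failures come from.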
We were one of the companies that really pushed Sun to make this patch
but to be honest with you I'm not impressed by this patch.

The new patch makes Solaris 8 LDAP authentication work exactly like
Solaris 9. There's nothing wrong with that except that all the tools I
wrote for creating profiles, proxyagents etc are not compatible with
the new structure.

Rgds,
JTE

Oscar del Rio <delrio@mie.utoronto.ca> wrote in message news:<3F131826.7060403@mie.utoronto.ca>...
> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
> 
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
> 
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
> 
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public?  Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
> 
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security?  (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
> 
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
> 
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced.  I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
> 
> 
> http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
> "The following password management features are supported through 
> pam_ldap(5).
> 
> [snip]
> 
>        User account lockout
>        A user account can be locked out after a given number of repeated 
> authentication failures. A user can also be locked out if his account is 
> inactivated by an administrator. Authentication will continue to fail 
> until the account lockout time is passed or the administrator 
> reactivates the account."
0
jamal
7/17/2003 8:19:46 PM