expired password prompt at ssh login

Hi,

I am using DSEE 6.3 to authenticate and authorize my Solaris 9 and 10 users. Everything works fine except password expiration. I use the built-in global password policy for all users. The policy works well. However, I could not find the right PAM configuration to prompt users at ssh login for the expired password. Users can log in to the servers even if their password is expired. I found the login_limit PAM module, but it seems not to be installed by default on Solaris systems. Any idea how to overcome this issue?

Thanks,

Sorry, stupid question, but has the sshd_config got "UsePAM" configured?

If it hasn't, then configure it, restart sshd and try again.
If it is, then you should be able to find out which module is allowing access by debugging the "account" section of your pam.conf.

Make a copy of the pam.conf, and then add " debug" to the end of the "account" lines and make sure you enable auth.debug in your syslog.conf. Then when you log on you should see messages from each PAM module in the syslog.

I hope this helps...
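
The debugging step described in this reply, as an added example that is not part of the original post: it appends " debug" to the active "account" lines of a pam.conf copy and prints the matching syslog.conf entry. The function names, the sample pam.conf contents and the /var/adm/authlog log path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn on PAM debug for the "account" stack.
# pam.conf fields: service  module_type  control_flag  module_path  [options]

# Print the file in $1 with " debug" appended to each active "account" line.
add_account_debug() {
    awk '
        /^[ \t]*#/ || NF < 4 { print; next }       # comments and blank lines as-is
        $2 == "account" {
            for (i = 5; i <= NF; i++)
                if ($i == "debug") { print; next } # option already present
            sub(/[ \t]+$/, "")                     # drop trailing whitespace
            print $0 " debug"
            next
        }
        { print }
    ' "$1"
}

# Count active "account" lines that carry the debug option (reads stdin).
count_account_debug() {
    awk '!/^[ \t]*#/ && $2 == "account" && /[ \t]debug([ \t]|$)/ { n++ } END { print n + 0 }'
}

# syslog.conf entry; selector and action must be TAB-separated.
# /var/adm/authlog is an assumed log path, pick any file that exists.
syslog_debug_line() {
    printf 'auth.debug\t%s\n' "${1:-/var/adm/authlog}"
}

# Constructed sample standing in for a copy of /etc/pam.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a complete pam.conf
sshd-kbdint auth    required   pam_unix_auth.so.1
other       account requisite  pam_roles.so.1
other       account binding    pam_unix_account.so.1 server_policy
other       account required   pam_ldap.so.1 debug
#other      account required   pam_unix_account.so.1
other       password required  pam_authtok_store.so.1
EOF

add_account_debug "$sample"
syslog_debug_line
```

Run it against a copy of pam.conf and review the output before replacing the live file; remove the debug options again once the module that lets the expired account through has been identified.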

Have you configured everything?

 
# /etc/ldap.conf 
pam_lookup_policy yes
pam_password exop
 
# /etc/ssh/sshd_config 
UsePAM yes
PAMAuthenticationViaKbdInt yes

Enable it and, for example, set 90 days for expired passwords:

 
# /yourpathdirserver/confdir/passwordpolicy.ldif
dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 7776000

And apply:

# ldapmodify -D "cn=directory manager" -w password -f /yourpathdirserver/confdir/passwordpolicy.ldif  

regards
ygemici