DS 6.3 ssh key and password expiration warnings

Similar Messages

• Reseting SSH username and password

  Hi,
  I have configured Cisco Secure ACS  (Version: 5.3.0.40.6).I am able to login with web access.
  I forgot my ssh credential, Can any one tell me how to reset ssh username and password?
  Or how can we configure through web access?
  Thanx
  Arjun

  jasonwryan wrote:...and then wait to get hacked.
  Sure, but this wasn't the point .
  jasonwryan wrote:Seriously, set up public key authentication: it is simple and works like a charm on Android.
  100% ACK.
  Last edited by Tarqi (2014-03-27 01:58:36)

• I have another account that i can't delete off my phone because lost my recovery key and password. How do i get rid of this account? it will not let me turn off find my iphone and delete account. Can anyone help?

  I have another account that i can't delete off my phone because lost my recovery key and password. How do i get rid of this account? it will not let me turn off find my iphone and delete account. Can anyone help?

  Hello aweirandyski.1975,
  Thanks for using Apple Support Communities.
  From what you're describing appears to be Activation Lock, a security measure provided by Apple that makes it harder for people to use a lost or stolen device.  You will need to enter the password for the Apple ID the device is prompting you for.
  iCloud: Activation Lock
  http://support.apple.com/kb/PH13695
  Take care,
  Alex H.

• WLC 4402 username and password expires automatically

  Hi,
  We are facing issue with Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0) and username and password expired automatically. It happens very often. We are not able to retreive the password, so everytime we need to reset(factory default) the Cisco WLC4402 and doing fresh installation.
  Whether it is the hardware issue or software bug.
  Also is there any possibility of recover the username and [password with resetting the cisco wlc4402.
  Kindly suggest on this issue.
  Regards
  S.Manikandan

  Hmmm.. Strange!! are we using any TACACS to manage?? or just the management username and password??
  I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
  Regards
  Surendra

• Setup advice for rsync, ssh keys and launchd - all for remote webserver backup

  Hi There,
  This is the first time I'm doing this and I have limited command line experience but I need to setup a automatic backup of our webservers.
  rsync
  I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
  sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
  I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automaticlly, I'm worried that running them as root will require a password - is that correct?
  Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
  launchd
  While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/ScheduledJobs.html
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
  http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/launchd.8.html#//apple_ref/doc/man/8/launchd
  I'm guessing I need to:
  Somehow make the rsync command a file that wil execute in Terminal - do I just put it in a file and give it a .sh extension?
  Create a launchd Property List File that will run the script at certain times
  Somehow register the Property List File with launchd so it runs
  Or maybe I should just use Automator and iCal?
  I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
  Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattented from iCal?
  Any help or suggestions would be much appreciated.
  Cheers
  Ben

  Hi There,
  This is the first time I'm doing this and I have limited command line experience but I need to setup a automatic backup of our webservers.
  rsync
  I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
  sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
  I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automaticlly, I'm worried that running them as root will require a password - is that correct?
  Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
  launchd
  While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/ScheduledJobs.html
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
  http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/launchd.8.html#//apple_ref/doc/man/8/launchd
  I'm guessing I need to:
  Somehow make the rsync command a file that wil execute in Terminal - do I just put it in a file and give it a .sh extension?
  Create a launchd Property List File that will run the script at certain times
  Somehow register the Property List File with launchd so it runs
  Or maybe I should just use Automator and iCal?
  I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
  Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattented from iCal?
  Any help or suggestions would be much appreciated.
  Cheers
  Ben

• DS 6.2 and password expiration

  Hello,
  I'm having problems enforcing password expiration with DSEE. We have two Solaris 10 DSEE 6.2 servers configured with multi-master replication. The clients are running Solaris 8 (117350-47 Jun 2007 kernel patch level), and are using pam_ldap authentication.
  Using either telnet (just as a test) or ssh to login, I don't receive warnings of password expiration, nor is the account locked after passwordExpirationTime is exceeded.
  As an example, I can still authenticate as a user with this passwordExpirationTime:
  passwordExpirationTime=20071123163438Z
  The following is our DSEE password policy:
  pwd-accept-hashed-pwd-enabled : off
  pwd-check-enabled : on
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 4w
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : on
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : on
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : 12w6d
  pwd-max-failure-count : 4
  pwd-max-history-count : 3
  pwd-min-age : 1w
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : SSHA
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : on
  pwd-strong-check-require-charset : any-three
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : on
  Am I missing something obvious in the DSEE password policy? Would any other information be helpful in troubleshooting, such as /etc/pam.conf, patch levels of other packages, etc.?
  Thanks!

  If your DS6 instance is in DS5-compatible-mode (see above references), passwordExpirationTime is not ignored; however, please note that modifying server operational attributes via protocol has never been supported.
  A supported way to force a user to change his or her password (without administratively resetting the password) would be to define a specialized password policy with a small max-age value (but maintaining the relationship pwdMinAge+pwdExpireWarning<pwdMaxAge), and use Roles/CoS to scope the policy to the user entry that requires a password change, but for which the password has not yet been changed. A value of pwdChangedTime in the past (or its absence from the entry) would indicate that the password had not yet been changed as requested. If the DS6 instance is in DS5-compatible-mode, you will need to enable grace logins via passwordWarning in the policy, while if the DS6 instance is in DS6-migration-mode or DS6-mode, you will also need to enable grace logins via pwdGraceAuthNLimit in the policy. Otherwise, the user cannot bind with an expired password.
  OpenDS includes a "must-change-by" feature in the password policy that simplifies configuring the specialized password policy, but I'm not aware of any plans to add this feature to DS6.

• Ssh keys and gnupg keys from wiki instructions...

  following first the gnupg instructions and then ssh keys I've managed to get several instances of gpg-agent running.
  [root@frylock ~]# ps aux | grep agent
  root 2764 0.0 0.0 4208 432 ? Ss 11:15 0:00 ssh-agent
  xtian 2785 0.0 0.1 3500 972 ? Ss 11:18 0:00
  gpg-agent -s --enable-ssh-support --daemon
  --write-env-file /home/frylock/xtian/.gnupg/gpg-agent.env
  root 2958 0.0 0.0 3168 688 ? Ss 11:39 0:00
  gpg-agent -s --enable-ssh-support --daemon
  --write-env-file /root/.gnupg/gpg-agent.env
  root 3036 0.0 0.0 4740 392 ? Ss 11:43 0:00 gpg-agent --daemon
  root 3186 0.0 0.0 4740 388 ? Ss 11:53 0:00 gpg-agent --daemon
  root 3299 0.0 0.0 4740 388 ? Ss 11:58 0:00 gpg-agent --daemon
  root 3549 0.0 0.0 4740 392 ? Ss 12:54 0:00 gpg-agent --daemon
  This I can resolve by going back over the instructions--a fifth time. But what I don't understand, why my user account owner of a running process when I'm only logged in one tty as root?
  //EDIT: Clarify the login scenario
  // EDIT: the code block is cutting off line
  Last edited by xtian (2013-09-07 14:20:00)

  xtian wrote:
  cfr wrote:For example, I don't include the code in ~/.xinitrc or in /etc/profile.d precisely because I'm starting the agent somewhere else.
  That's just it. I'm not starting it somewhere else. According to the wiki, its being called from .xinitrc and that's where the call is made to the script in profile.d, I think. Unless the script in /etc/profile.d is starting the script automatically?? I don't know.
  Yes. The script you have in /etc/profile.d will start it automatically. I have a similar script in /etc/kde/env and that is all I use. I don't need anything in ~/.xinitrc (or kde's autostart stuff or whatever).  At least, this is true provided those scripts are sourced. What you definitely do not want is the line you currently have in ~/.xinitrc which does not check to see if an instance of gpg-agent is already running.
  This is what I use:
  $ cat /etc/kde/env/gpg-agent-startup.sh
  #!/bin/sh
  # see https://wiki.archlinux.org/index.php/SSH_Keys
  GPG_AGENT=/usr/bin/gpg-agent
  ## Run gpg-agent only if not already running, and available
  if [ -x "${GPG_AGENT}" ] ; then
  # check validity of GPG_SOCKET (in case of session crash)
  GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
  GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
  GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm`
  if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
  rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
  else
  GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
  if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
  rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
  fi
  fi
  unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
  fi
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
  eval "$(cat "${GPG_AGENT_INFO_FILE}")"
  eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
  export GPG_TTY=$(tty)
  else
  eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
  fi
  fi
  In any case, your script should check for the environment file and only start an instance of the agent if it doesn't exist.
  I'ts not my script. I'm not up on BASH scripts. This one is from the wiki page. Isn't this script checking just that in this IF clause:
  if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
  eval "$(cat "$envfile")"
  Yes. But the line you have in ~/.xinitrc does NOT check this. It just starts an instance of gpg-agent as a daemon.

• Bit Locker Data retrieval forgot key and password

  Hi All,
  I am using Windows 7 utlimate version and unfortunately i forgot my password and key as a result of which i cannot retrieve my data .
  Can anyone please tell how to recover data without using password and recovery key

  Hello,
  As far as I know it will be difficult to achieve this.
  Indeed if there's another way to do this, it means that there's a security hole on this protection.
  Regards,
  Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) :
  http://security.sakuranohana.fr/

• Hyperion, Oracle, and password expirations ???

  We're currently in the process of trying to change our password policy for some reporting databases we have that are only accessed by users (non-developers) for developing hyperion reports using the desktop client software. We've set up an Oracle warning message to be generated when the user's password is going to expire in 5 days. When logging in through the OCE, the user sees this message, but it never actually logs the user in... it shows the message, and then redisplays the login popup. I'd like for them to be able to login and then use their Connections Manager to change the database password, but it won't let them log in.
  Has anyone encountered this problem before and possibly know of a solution or workaround? I'm assuming the Hyperion client software is taking any return code other than 0 for login as a failure...

  If you need an encrypted connection to Essbase then you should use Smartview over https.
  1) The Excel-Addin connection is not encrypted -- you can definitely see member information with a packet trace and with some time could probably figure out how to decipher the numeric data. The password to connect with did seem to have some level of encryption -- Hyperion would need to answer anything further as this is not documented.
  2) The lockout mechanism depends on the user directory provider you chose. To my knowledge the native directory has not capabilities for user lockout. If you chose to use say Active Directory or another system then the those items are configured in that user directory and you would need to speak with the specific directory administration team regarding the lockout mechanisms.
  Regards,
  -John

• [SOLVED] a problem with gpg-agent and ssh keys

  I'm baffled by a strangle problem:
  My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
  The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
  So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
  Thanks.
  Last edited by bender02 (2010-02-15 09:52:54)

  Thats a known bug with the new gpg version.
  http://lists.gnupg.org/pipermail/gnupg- … 38045.html
  You could use an older version of gpg or use a development version.

• How to arrive Password expiration situation in Cisco Router

  Hi,
     i have to test something on cisco router so i have to achieve this following scenario :-
  I am trying to login using ssh username & passoword. so i need to expire this username & password on router.
  Anybody tell me how to get this situation in my cisco router.
  Thanks,
  Pranay

  Pranay,
  Here is a guide on configuring the SSH username and password on your Cisco device:
  http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
  You will need to setup the VTY lines, as well as setup a password in order for this to work.
  Judging from the screen shot, you will need to run the commands listed in Global Configuration mode. (configure terminal)
  Example:
  Router#config t
  Router(config)# username Pranay priviledge 15 secret 0 yourpassword
  I hope this helps. Please let me know if you need further assistance.
  Wes

• DS 6.3 password expiration oddities

  I have been exploring an upgrade from DS5.2 to DS 6.3 to take advantage of the enhanced password policies and password expiration that have never worked quite right in DS5.2.
  The previous 5.2 and migrated 6.3 environments both use netgroups to restrict logins to specific systems.
  This generally works very well, although I'm seeing weirdness for local system accounts.
  I've explored the forums, tweaked pam.conf and nsswitch.conf in pretty much every way that's been suggested.
  DS 6.3 is setup on Solaris 10, and my client systems are Solaris 8, with all of the latest necessary patches applied.
  nsswitch has:
  passwd: compat
  group: compat
  passwd_compat: ldap
  group_compat: ldap
  netgroup: ldap
  All local and LDAP accounts can login fine if pam.conf has:
  other account requisite pam_roles.so.1
  other account binding pam_unix_account.so.1 server_policy
  other account required pam_ldap.so.1
  But no warning messages are received from the directory server for password expiration or administrative password resets.
  If I change pam.conf to have:
  other account requisite pam_roles.so.1
  other account optional pam_ldap.so.1
  other account binding pam_unix_account.so.1 server_policy
  All users can login, password expiration warnings are received, and users are notified if the admin user resets their password, but (as expected) users aren't forced to reset their password on first login or resets.
  Using "required" or "requisite" for pam_ldap in the above stack order, disables local account logins, as they are
  prompted for LDAP passwords that they don't have.
  Any combination of settings that I've tried that successfully force resets, etc. appear to disable the ability of local accounts to login - they are prompted for LDAP password, which of course fails.
  If anyone can demonstrate a combination of nsswitch.conf and pam.conf settings that will actually allow local user login, but still enforce password policies and expiration warnings, for Solaris 8 clients, it would be greatly appreciated.

  I'm still struggling to get password expiration and inactivation to work with DS 6.3.1 and Solaris 10 5/08. When accounts are expired or inactivated (nsAccountLock) users can still login via ssh. But when accounts are temporarily locked (pwdAccountLockedTime) ssh does the right thing and won't let them log in.
  Things work properly when I have
  passwd: files ldap
  in nsswitch.conf, but when I go to compatibility mode:
  passwd: compat
  passwd_compat: ldap
  ssh 'ignores' expiration and inactivation status of accounts.
  Following the advice of your last comment here (4.5 years ago!) I took away all access to the 'userPassword' attribute for the proxy account, but nothing changed (I did an 'ldapsearch' as the proxy account to ensure that the aci was working as expected and denying all access to the attribute).
  Would you, akillenb, or anyone, be so kind as to give any information that will let a Solaris 10 client work properly with the enhanced account management facilities of the Sun DSEE 6.3.1 LDAP server? Copies of pam.conf and nsswitch.conf and details on LDAP aci's would be most gratefully received!!!

• Password expire date back to 2011 from 2012  after assigned  a user profile

  Friends,
  I created a profile test as
  COMPOSITE_LIMIT UNLIMITED
  SESSIONS_PER_USER UNLIMITED
  CPU_PER_SESSION UNLIMITED
  CPU_PER_CALL UNLIMITED
  LOGICAL_READS_PER_SESSION UNLIMITED
  LOGICAL_READS_PER_CALL UNLIMITED
  IDLE_TIME 60
  CONNECT_TIME UNLIMITED
  PRIVATE_SGA UNLIMITED
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME 120
  PASSWORD_REUSE_TIME           60
  PASSWORD_REUSE_MAX           30
  PASSWORD_VERIFY_FUNCTION NULL
  PASSWORD_LOCK_TIME 1
  PASSWORD_GRACE_TIME 7;
  the user default profile default PASSWORD_LIFE_TIME is 180 and password expired date is 1/7/2012. the test account was created in 7/11/2011.
  Now I assign test user to test profile successfully.
  However. expire date becomes 11/8/2011 1 from 1/7/2012 by select dba_users
  which wrong is in my profile or somewhere?
  As I think, the account password expired should be start after assigned new profile with PASSWORD_LIFE_TIME. but is seems expire date is start from original account created date.
  Thanks
  newdba
  Edited by: Oradb on May 24, 2012 1:56 PM

  I would think the expire time would be based on the last password change time which Oracle stores in the rdbms base table for user information (user$). Find a second user, alter the password, check the expire date, then assign the user to the new profile, re-check the expiration date. Post back. Behavior may vary between releases so include full Oracle version of test.
  HTH -- Mark D Powell --

• Oracle Xellerate - Account and Password Expiry

  Hi All,
  I needed a quick help on how would Oracle Xellerate Identity Provisioning enforce account and password expiration policies. Please suggest me some good supporting links.
  Thanks and Regards
  Aditi

  You should be able to get this information from the Xellerate product documentation which gets created when you install the product.
  Thanks,
  Prashant

• Ssh keys copy to remote host

  I have created some ssh keys and trying to connect to a linux remote server
  here is the command line:
  ssh-copy-id -i ~/.ssh/id.rsa.pub [email protected]
  but i get -bash: ssh-copy-id: command not found
  what is the correct command please
  tim

  ssh-copy-id is a script on Linux. Since it is just a script, if you have access to a Linux system, you should be able copy the script to your Mac and use it.
  Or you can just use
  cat ~/.ssh/id_rsa.pub | ssh [email protected] "umask 077; mkdir -p .ssh ; cat >> .ssh/authorized_keys"
  This ASSUMES that the destination [email protected] uses authorized_keys, and not authorized_keys2.
  Message was edited by: BobHarris