Don't use a password. Generate a passphrase-less SSH key and push it to your VM.
If you already have an SSH key, you can skip this step…
Just hit Enter for the key and both passphrases:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your keys to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with ssh 'id@server', and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.

Note: If you don't have a .ssh dir and an authorized_keys file, you need to create them first.

Finally, check that you can log in…
$ ssh id@server
id@server:~$
You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.
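The ssh-copy-id output above asks you to check .ssh/authorized_keys for keys you did not expect. The following script is an added example, not part of the original post: it parses authorized_keys lines (including an optional leading options field), computes each key's SHA256 fingerprint the same way ssh-keygen -l prints it, and reports every key whose fingerprint is not in a set you trust. The two ed25519 key blobs are constructed from fixed bytes so the script runs offline; they are not real keys, and the function names are this example's own.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> str:
    """Build the base64 key blob of an ssh-ed25519 public key from its 32 raw bytes.
    Used here only to construct sample keys offline; real keys come from ssh-keygen."""
    assert len(raw_pubkey) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(blob_b64: str) -> str:
    """Return the SHA256 fingerprint in the form ssh-keygen -l prints it:
    'SHA256:' followed by the unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str):
    """Parse authorized_keys into (options, keytype, blob, comment) tuples.
    Blank lines and '#' comments are skipped. An optional options field
    (e.g. 'no-pty,command="/usr/bin/backup"') is recognised by locating the
    key-type token; options containing whitespace are not handled here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Key types start with 'ssh-', 'ecdsa-' or 'sk-'; anything before that is options.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line; sshd ignores it as well
        options = " ".join(parts[:idx])
        keytype, blob = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        entries.append((options, keytype, blob, comment))
    return entries


def audit_authorized_keys(text: str, expected_fingerprints):
    """Return (fingerprint, keytype, comment) for every key whose fingerprint is
    NOT in the expected set: these are the 'extra keys' worth investigating."""
    unexpected = []
    for _options, keytype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in expected_fingerprints:
            unexpected.append((fp, keytype, comment))
    return unexpected


# Constructed sample data (not real keys): two ed25519 blobs built from fixed bytes.
MY_KEY_BLOB = make_ed25519_blob(bytes(range(32)))
OTHER_KEY_BLOB = make_ed25519_blob(bytes(range(32, 64)))

SAMPLE_AUTHORIZED_KEYS = f"""
# keys for id@server (constructed sample)
ssh-ed25519 {MY_KEY_BLOB} me@laptop
no-pty,command="/usr/bin/backup" ssh-ed25519 {OTHER_KEY_BLOB} backup@unknown-host
"""

if __name__ == "__main__":
    # Trust only the key we just pushed; anything else is reported.
    expected = {fingerprint(MY_KEY_BLOB)}
    for fp, keytype, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, expected):
        print(f"unexpected key: {keytype} {fp} ({comment})")
```

To use it against a real server, replace SAMPLE_AUTHORIZED_KEYS with the contents of ~/.ssh/authorized_keys and build the expected set from `ssh-keygen -lf ~/.ssh/id_rsa.pub` on the machines you actually pushed keys from.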
I found a solution:
In the user's LDAP entry, set shadowLastChange = 0
This will force the user to have to reset their LDAP password. However, there is also another bug: you then have to modify the permissions (ACLs) on the LDAP server (I had the default one of "Allow Self entry modification" on OU=People) to also allow them to modify the target shadowLastChange.
Otherwise, they can't change the value, and it stays at zero, forcing them to redo their password every time they log in.
Best Answer
I don't know how the current Ubuntu packages do the initial OpenLDAP setup, but both in 10.04 and 12.04 that process didn't account very well for cn=config. If set, you should find the password in the attribute olcRootPW in /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif (it's probably base64 encoded). To change the password use ldapmodify as root. Save this as an LDIF file rootpw_cnconfig.ldif:

Note: In order to change the root password on CentOS 7 use dn: olcDatabase={2}hdb,cn=config instead of dn: olcDatabase={0}config,cn=config.

Obviously set your password to something other than foobar123. Then run ldapmodify:

This presumes that the LDAP server and the cn=config database can be accessed using the ldapi protocol (-H ldapi:///) and that external SASL authentication (-Y EXTERNAL) is enabled and working, which it should by default on new OpenLDAP setups in Debian and Ubuntu. If you look at /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif it should contain an attribute olcAccess: