Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Password expiry for users without password should not block SSH key based login #681

Closed
schurzi opened this issue Jun 5, 2023 · 2 comments · Fixed by #835
Closed

Password expiry for users without password should not block SSH key based login #681

schurzi opened this issue Jun 5, 2023 · 2 comments · Fixed by #835

Comments

@schurzi
Copy link
Contributor

schurzi commented Jun 5, 2023

Description

We are setting a maximum password age in /etc/login.defs. This automatically applies to all created users and also affects users without a password, eg. when creating a user to use for SSH key based login. The login will stop working afer the maximum password age has been reached.

see:

Playbook for creating an affected user:

- hosts: localhost
  roles:
    - devsec.hardening.os_hardening
  tasks:
    - name: create test user
      ansible.builtin.user:
        name: testuser

    - name: gather user info
      ansible.builtin.shell:
        cmd: "chage -l testuser"
      register: output

    - name: print info
      ansible.builtin.debug:
        msg: "{{output.stdout_lines}}"

user without password has a expiry date and SSH login will fail, once the date has been reached:

# chage -l testuser
Last password change                                    : Jun 05, 2023
Password expires                                        : Aug 04, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7

Solution

Key based SSH login shoud keep working for all users. Currently we create the potential for our users to lock themselves out of their systems after the password expiry date is reached.

Alternatives

There are several possible solutions to this. The main Problem boils down to this being an issue with communication between PAM and OpenSSH. I see several courses of action:

  • use our variable os_users_without_password_ageing to actively disable password ageing for specific users. This may be missed and is hard to keep up-to-date
  • create some new tasks to unset password ageing for all users without password. This would only work when os_hardening is applied regulary. (similar to
    - name: Set password ageing for existing regular (non-system, non-root) accounts
    ansible.builtin.user:
    name: "{{ item }}"
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
    loop: "{{ regular_users }}"
    when:
    - os_user_pw_ageing
    - regular_users is defined and (regular_users | length > 0)
    - item not in os_users_without_password_ageing
    - getent_shadow[item][0] is not match("\*") # password hashes containing illegal characters like "*" are unusable (locked) and don't need to age
    - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable (locked) and don't need to age
    )
  • make SSH ignore password expiry via PAM. This could create a security problem
  • find some way to give users a clear feedback before the accounts are locked

Additional information

The interaction between PAM and OpenSSH is a bit complicated. A good and short explaination can be found here: https://unix.stackexchange.com/questions/160268/expired-password-and-ssh-key-based-login-with-usepam-yes/160321#160321

@rndmh3ro
Copy link
Member

rndmh3ro commented Jun 9, 2023

Thanks for this great summary!

use our variable os_users_without_password_ageing to actively disable password ageing for specific users. This may be missed and is hard to keep up-to-date

Agreed. We already have this and it didn't help.

create some new tasks to unset password ageing for all users without password

I think, we should implement this anyway. We may get in unexpected situations with that, when one user works and the other doesn't - but that's a trade-off I'd do.

make SSH ignore password expiry via PAM. This could create a security problem

When SSH only allows PubKey-Auth, I don't really see a security-problem here. What do you think? And according to one answer, the pam-functionality is not included in ubuntu 18.04 (we'd have to verify).

find some way to give users a clear feedback before the accounts are locked

I don't see a good way to do this.
Maybe add a task, that checks if users exist that have no password and then fail the play. But then again we could just change the expiry as expressed above.

My proposal:

  • Create the task to unblock users without password
  • Disable the expiry-check when logging in via ssh and with PubKey.

@schurzi
Copy link
Contributor Author

schurzi commented Dec 22, 2024

I did some tests with the proposed no_pass_expiry option and the results look promising.

see: https://www.man7.org/linux/man-pages/man8/pam_unix.8.html

no_pass_expiry
When set ignore password expiration as defined by the shadow
entry of the user. The option has an effect only in case
pam_unix was not used for the authentication or it returned
authentication failure meaning that other authentication
source or method succeeded. The example can be public key
authentication in sshd. The module will return PAM_SUCCESS
instead of eventual PAM_NEW_AUTHTOK_REQD or
PAM_AUTHTOK_EXPIRED.

@schurzi schurzi changed the title Password expiry for users without password should not block SSH login Password expiry for users without password should not block SSH keybased login Dec 22, 2024
@schurzi schurzi changed the title Password expiry for users without password should not block SSH keybased login Password expiry for users without password should not block SSH key based login Dec 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants