-
Notifications
You must be signed in to change notification settings - Fork 739
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password expiry for users without password should not block SSH key based login #681
Comments
Thanks for this great summary!
Agreed. We already have this and it didn't help.
I think, we should implement this anyway. We may get in unexpected situations with that, when one user works and the other doesn't - but that's a trade-off I'd do.
When SSH only allows PubKey-Auth, I don't really see a security-problem here. What do you think? And according to one answer, the pam-functionality is not included in ubuntu 18.04 (we'd have to verify).
I don't see a good way to do this. My proposal:
|
I did some tests with the proposed see: https://www.man7.org/linux/man-pages/man8/pam_unix.8.html
|
Description
We are setting a maximum password age in
/etc/login.defs
. This automatically applies to all created users and also affects users without a password, eg. when creating a user to use for SSH key based login. The login will stop working afer the maximum password age has been reached.see:
ansible-collection-hardening/roles/os_hardening/templates/etc/login.defs.j2
Line 107 in 0e173b4
Playbook for creating an affected user:
user without password has a expiry date and SSH login will fail, once the date has been reached:
Solution
Key based SSH login shoud keep working for all users. Currently we create the potential for our users to lock themselves out of their systems after the password expiry date is reached.
Alternatives
There are several possible solutions to this. The main Problem boils down to this being an issue with communication between PAM and OpenSSH. I see several courses of action:
os_users_without_password_ageing
to actively disable password ageing for specific users. This may be missed and is hard to keep up-to-dateansible-collection-hardening/roles/os_hardening/tasks/user_accounts.yml
Lines 34 to 45 in 0e173b4
Additional information
The interaction between PAM and OpenSSH is a bit complicated. A good and short explaination can be found here: https://unix.stackexchange.com/questions/160268/expired-password-and-ssh-key-based-login-with-usepam-yes/160321#160321
The text was updated successfully, but these errors were encountered: