Modify PAM to allow SSH key based logins with locked passwords #835

Merged
merged 6 commits into from
Dec 23, 2024

@schurzi schurzi commented Dec 22, 2024

Add PAM option to skip password expiry checks when other auth mechanisms are used. Also added some tests to verify that plain password logins still trigger the warnings and blocks from password expiry.

This solution works for all supported Linux distributions and should not generate problems. It will only work, though, when our users also apply our suggestion for PAM configuration.

If everything is left to defaults the configuration will work with our roles and solve the standing problem of user accounts being locked out while still having a valid SSH key.

One minor open problem:
For SUSE we directly modify the PAM configuration; this is theoretically not supported and might be overwritten by pam-config if the user updates settings.
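
A check for the behaviour described above, added here as an example and not taken from the pull request or the project's roles: it parses a `pam.d` stack and reports account-phase `pam_unix.so` rules that would still enforce password expiry on key-based logins. The page does not name the PAM option; this assumes it is `no_pass_expiry` from pam_unix(8), and the function names and sample stacks are constructed for illustration.

```python
OPTION = "no_pass_expiry"  # pam_unix(8) option; assumed to be the one the PR adds

def parse_pam_rules(text):
    """Yield (lineno, type, control, module, args) for each rule in a pam.d file."""
    logical, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        start = n if start is None else start
        if line.endswith("\\"):                   # rule continues on the next line
            logical += line[:-1] + " "
            continue
        tokens, lineno = (logical + line).split(), start
        logical, start = "", None
        if len(tokens) < 3 or tokens[0].startswith("@"):
            continue                              # blank, comment or @include
        end = 1
        if tokens[1].startswith("["):             # [success=1 default=ignore] control
            while end < len(tokens) - 1 and not tokens[end].endswith("]"):
                end += 1
        rest = tokens[end + 1:]
        if rest:
            yield (lineno, tokens[0].lstrip("-"),
                   " ".join(tokens[1:end + 1]), rest[0], rest[1:])

def account_rules_enforcing_expiry(text):
    """Line numbers of account-phase pam_unix rules that lack no_pass_expiry."""
    return [n for n, ptype, _ctl, module, args in parse_pam_rules(text)
            if ptype == "account"
            and module.rsplit("/", 1)[-1] == "pam_unix.so"
            and OPTION not in args]

# Constructed sample stacks, not taken from the pull request.
BEFORE = """\
auth     [success=1 default=ignore] pam_unix.so nullok
account  required   pam_unix.so
account  sufficient pam_localuser.so
"""
AFTER = BEFORE.replace("account  required   pam_unix.so",
                       "account  required   pam_unix.so no_pass_expiry")

if __name__ == "__main__":
    for name, stack in (("before", BEFORE), ("after", AFTER)):
        print(name, account_rules_enforcing_expiry(stack))
```

Per pam_unix(8), `no_pass_expiry` only takes effect when pam_unix did not perform the authentication, which is why password logins keep their expiry warnings and blocks.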

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

Make changes portable

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

@schurzi schurzi changed the title Modify PAM to allow SSH Key logins with locked passwords Modify PAM to allow SSH keybased logins with locked passwords Dec 22, 2024
@schurzi schurzi changed the title Modify PAM to allow SSH keybased logins with locked passwords Modify PAM to allow SSH key based logins with locked passwords Dec 22, 2024
@schurzi schurzi marked this pull request as ready for review December 22, 2024 23:36
@schurzi schurzi requested a review from rndmh3ro December 22, 2024 23:36
@schurzi schurzi merged commit c53e8bc into master Dec 23, 2024
81 checks passed
@schurzi schurzi deleted the ssh_locked branch December 23, 2024 11:52
Successfully merging this pull request may close these issues.

Password expiry for users without password should not block SSH key based login