
I am working in an environment where I have an account on multiple linux machines where accounts and passwords are managed independently (no active directory/LDAP/etc) and passwords expire every 30 days. As such, I thought it would be easier to manage my authentication using ssh keys. I am able to authenticate using my ssh keys just fine. However, I found that when my password expires, I am prompted to change my password when I try to connect using my ssh key. Is this normal behavior? I thought the whole point of using key pairs is to bypass using your password. Shouldn't I only be prompted to change my password if I login using a password?

GregH
  • No, you still have a password on the account, and you still have to change it every 30 days. – Michael Hampton Nov 04 '15 at 19:35
  • That seems kind of counter-intuitive. What is the security motivation behind this behavior? It seems like then you should be forced to change your ssh keys as well. – GregH Nov 04 '15 at 19:37
  • You should ask your system administrator. They are the ones who set the policy. – Michael Hampton Nov 04 '15 at 19:45
  • First of all, if these are servers, you should not have a password at any cost other than the root account with "Break-glass" (last resort) scenario. All connection should only be SSH with keys and no passwords for obvious reasons. I would recommend you have a chat with your Sys Admins about increasing security. – Prav May 04 '18 at 21:49

2 Answers

I stumbled upon the solution to this issue from the reference below. The solution requires authorization to edit some pam files.

The cause of the issue is the order of operations that causes the expired password prompt as explained here:

  • SSH runs the PAM account stage, which verifies that the account exists and is valid. The account stage notices that the password has expired, and lets SSH know.
  • SSH performs key-based authentication. It doesn't need PAM for this, so it doesn't run the auth stage. It then sets up the SSH login session and runs the PAM session stage.
  • Next, SSH remembers that PAM told it the password had expired, prints a warning message, and asks PAM to have the user change the password. SSH then disconnects.

More recent versions of pam_unix have a no_pass_expiry option. From the man page:

  no_pass_expiry
       When set ignore password expiration as defined by the shadow entry of the user. The option has an effect
       only in case pam_unix was not used for the authentication or it returned authentication failure meaning
       that other authentication source or method succeeded. The example can be public key authentication in
       sshd. The module will return PAM_SUCCESS instead of eventual PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED.

On a CentOS 7 server I set /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following lines:

account    required pam_unix.so  no_pass_expiry
password   sufficient pam_unix.so sha512 shadow nullok remember=5 no_pass_expiry

References

Expired Password and SSH key based login

pam_unix man page

kenlukas
  • Is it better to add `no_pass_expiry` to `password-auth` and `system-auth`, or is it possible to only add it to the `/etc/pam.d/sshd` file even though it references the other two via includes? – reedog117 Dec 09 '19 at 16:38
  • Good idea. I'd have to test it out but it looks feasible. – kenlukas Dec 10 '19 at 13:26
  • Any alternatives if you're running an older server version (e.g. Ubuntu 18.04) without no_pass_expiry? – 9a3eedi Nov 23 '20 at 05:49
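To make the three-stage sequence above concrete, here is an added example (not from the answer or from pam_unix itself) that mirrors the pam_unix account-stage decision on a constructed /etc/shadow entry and shows what sshd gets back after public-key authentication with and without no_pass_expiry. The shadow lines, the account names and the simplified rules are assumptions for illustration; min-age and warning-day checks are left out.

```python
from datetime import date

# Constructed /etc/shadow sample (the hash field is a placeholder, not a real hash).
# Fields: name:hash:lastchg:min:max:warn:inact:expire:
SAMPLE_SHADOW = """\
alice:$6$placeholder:18000:0:30:7:::
bob:$6$placeholder:18040:0:99999:7:::
carol:$6$placeholder:18000:0:30:7:10::
dave:$6$placeholder:0:0:30:7:::
erin:$6$placeholder:18040:0:30:7::18045:
"""
ACCOUNT_LINE_DEFAULT = "account    required pam_unix.so"
ACCOUNT_LINE_FIXED = "account    required pam_unix.so  no_pass_expiry"

def days_since_epoch(d):
    """Shadow dates are days since 1970-01-01 (pam_unix's curdays)."""
    return (d - date(1970, 1, 1)).days

def shadow_entry(name, shadow_text=SAMPLE_SHADOW):
    for line in shadow_text.splitlines():
        if line.split(":")[0] == name:
            return line
    raise KeyError(name)

def _field(value):
    """An empty shadow field means 'not set'; pam_unix treats it as -1."""
    return int(value) if value.strip() else -1

def account_stage(entry, today):
    """Simplified mirror of pam_unix's account stage (min-age and warning checks omitted)."""
    f = entry.split(":")
    lastchg, maxd, inact, expire = (_field(f[i]) for i in (2, 4, 6, 7))
    if expire != -1 and today > expire:
        return "PAM_ACCT_EXPIRED"          # the account itself has expired
    if lastchg == 0:
        return "PAM_NEW_AUTHTOK_REQD"      # admin forced a change at next login
    if maxd != -1 and today - lastchg > maxd:
        if inact != -1 and today - lastchg > maxd + inact:
            return "PAM_AUTHTOK_EXPIRED"   # past the inactivity grace period
        return "PAM_NEW_AUTHTOK_REQD"      # expired: sshd will force a change
    return "PAM_SUCCESS"

def pubkey_login(entry, today, account_line):
    """Result sshd sees after public-key auth: pam_unix did not authenticate, so
    with no_pass_expiry both expiry codes become PAM_SUCCESS; an expired account is still refused."""
    rv = account_stage(entry, today)
    expiry_codes = ("PAM_NEW_AUTHTOK_REQD", "PAM_AUTHTOK_EXPIRED")
    if "no_pass_expiry" in account_line.split() and rv in expiry_codes:
        return "PAM_SUCCESS"
    return rv
```

Note that no_pass_expiry only suppresses the two password-expiry codes; an account whose expire field has passed is still rejected, so it does not turn off account expiry.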

You still have to change it every 30 days. The administrator can change this behaviour, changing the maximum number of days a password remains valid by using passwd -x or chage -E or even usermod -e.