
Password expiry for users without password should not block SSH login

Open · schurzi opened this issue 1 year ago · 1 comment

Description

We are setting a maximum password age in /etc/login.defs. This automatically applies to all created users and also affects users without a password, e.g. when creating a user to use for SSH key based login. The login will stop working after the maximum password age has been reached.

see: https://github.com/dev-sec/ansible-collection-hardening/blob/0e173b4165a274090fe45a33f6d3671b6f0b516c/roles/os_hardening/templates/etc/login.defs.j2#L107

Playbook for creating an affected user:

- hosts: localhost
  roles:
    - devsec.hardening.os_hardening
  tasks:
    - name: create test user
      ansible.builtin.user:
        name: testuser

    - name: gather user info
      ansible.builtin.shell:
        cmd: "chage -l testuser"
      register: output

    - name: print info
      ansible.builtin.debug:
        msg: "{{output.stdout_lines}}"

A user without a password has an expiry date, and SSH login will fail once the date has been reached:

# chage -l testuser
Last password change                                    : Jun 05, 2023
Password expires                                        : Aug 04, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7

Solution

Key based SSH login should keep working for all users. Currently we create the potential for our users to lock themselves out of their systems after the password expiry date is reached.

Alternatives

There are several possible solutions to this. The main problem boils down to this being an issue with communication between PAM and OpenSSH. I see several courses of action:

  • use our variable os_users_without_password_ageing to actively disable password ageing for specific users. This may be missed and is hard to keep up-to-date
  • create some new tasks to unset password ageing for all users without a password. This would only work when os_hardening is applied regularly. (similar to https://github.com/dev-sec/ansible-collection-hardening/blob/0e173b4165a274090fe45a33f6d3671b6f0b516c/roles/os_hardening/tasks/user_accounts.yml#L34-L45)
  • make SSH ignore password expiry via PAM. This could create a security problem
  • find some way to give users a clear feedback before the accounts are locked

Additional information

The interaction between PAM and OpenSSH is a bit complicated. A good and short explanation can be found here: https://unix.stackexchange.com/questions/160268/expired-password-and-ssh-key-based-login-with-usepam-yes/160321#160321

schurzi · Jun 05 '23 12:06
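The second alternative listed in the issue (find accounts that have no usable password but still carry a maximum password age, and clear the ageing for them) can be checked from shadow(5) data alone. The script below is an added example, not code from the issue author or from the dev-sec collection, and it does not use any of the role's variables. It parses a shadow-format file, treats only the pure lock markers (`!`, `*`, `!*`, `!!`, empty) as "no password", and prints the `chage -M -1` commands it would run instead of executing them. The shadow lines it works on are constructed sample data, not taken from a real host.

```shell
#!/bin/sh
# Added example: report accounts from a shadow-format file that have no usable
# password (locked or empty password field) but a finite maximum password age,
# which is exactly the state that breaks key-based SSH login once the age is hit.
# shadow(5) fields: 1 name, 2 password, 3 lastchange, 4 min, 5 max, 6 warn,
# 7 inactive, 8 expire, 9 reserved.

# Return 0 when the password field is a pure lock marker or empty, i.e. the
# account has no password at all. A locked hash such as "!$6$..." is NOT matched
# on purpose: it still carries a password and is left to the administrator.
is_passwordless_field() {
    case "$1" in
        ''|'!'|'*'|'!*'|'!!') return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, every user from the shadow file $1 whose password field
# is passwordless AND whose max-age field is set to something other than the
# "no ageing" values (empty, 99999, -1).
users_with_ageing_but_no_password() {
    while IFS=: read -r name pw last min max warn inact expire reserved; do
        [ -n "$name" ] || continue
        is_passwordless_field "$pw" || continue
        case "$max" in
            ''|99999|-1) continue ;;
        esac
        printf '%s\n' "$name"
    done < "$1"
}

# Dry run: print the chage command that would remove the maximum age for each
# affected user. Nothing is executed here; pipe the output to sh to apply it.
chage_commands_for() {
    users_with_ageing_but_no_password "$1" | while read -r u; do
        printf 'chage -M -1 %s\n' "$u"
    done
}

# Constructed sample shadow data (hashes shortened, not real), written to $1.
# testuser, deploy and bob are the problem cases: no password, 60-day max age.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$abc:19513:0:99999:7:::
testuser:!:19513:7:60:7:::
deploy:*:19513:7:60:7:::
svc:!!:19513:0:99999:7:::
alice:$6$def:19513:7:60:7:::
bob::19513:7:60:7:::
EOF
}

# Stand-alone demonstration on the constructed data.
sample="$(mktemp)"
write_sample_shadow "$sample"
chage_commands_for "$sample"
rm -f "$sample"
```

Run as root against the real file with `chage_commands_for /etc/shadow` to review the list, and only pipe it to `sh` once you are satisfied that every listed account is genuinely key-only. Because `/etc/login.defs` is applied at user creation, this check has to be repeated whenever users are added (the same caveat the issue raises for the second alternative); a locked account with a real hash behind the `!` is deliberately not touched, since that is a disabled password rather than a missing one.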