New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

passwordless users not able to log in #32

bkw opened this Issue Jun 10, 2014 · 1 comment


None yet
1 participant

bkw commented Jun 10, 2014

After applying the os-hardening recipe, I could no longer login into the default user via ssh.
Here is what happened:

  • The machine was an ubuntu 14.04 LTS vm set up by openstack heat. This creates a default user "ec2-user".

  • Without further provisioning, this user has no password. This usually poses no problem for me, since ssh is configured to allow RSA key based login only.

  • The user is locked ("!" in /etc/shadow) since he has no password. ssh will allow logins anyway, since the password is not involved.

  • After pam was enabled by this recipe, the "locked" flag IS being evaluated, resulting in the following entries in /var/log/auth.log:

    sshd[xxx]: User ec2-user not allowed because account is locked
    sshd[xxx]: input_userauth_request: invalid user ec2-user [preauth]
    sshd[xxx]: Disconnecting: Too many authentication failures for ec2-user [preauth]

I believe this may hit many users. I'm not sure how to deal with this, at least we should document it, since it is not only a surprising side effect of using this recipe, but also one with possibly severe consequences.

Solutions I can think of, off the top of my head:

  1. Try to find out what the "default" user is an forcefully unlock it, as long as we enforce rsa-only ssh logins
  2. supply a list of accounts to be unlocked as an attribute, possibly with sane defaults. If an account of that name exists, unlock it, emit a warning (or an exception even?) it that account has no password.
  3. supply an exception for ssh with passwordless accounts ssh in pam, as long as rsa-only authentification is activated.

Other thoughts?


This comment has been minimized.

Show comment
Hide comment

bkw Jun 11, 2014


Moved to dev-sec/chef-ssh-hardening#18 with new findings.


bkw commented Jun 11, 2014

Moved to dev-sec/chef-ssh-hardening#18 with new findings.

@bkw bkw closed this Jun 11, 2014

rollbrettler pushed a commit to rollbrettler/chef-os-hardening that referenced this issue Sep 16, 2016

Merge pull request #32 from TelekomLabs/update-kitchen
updated kitchen images to current batch (mysql-equivalent)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment