Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
passwordless users not able to log in #18
I moved dev-sec/chef-os-hardening#32 here, since the ssh-hardening seems to be the culprit. Contents have been updated.
After applying the ssh-hardening recipe, I could no longer login into the default user via ssh.
The machine was an ubuntu 14.04 LTS vm set up by openstack heat. This creates a default user "ec2-user".
After pam was disabled by this recipe, the "locked" flag IS being evaluated, resulting in the following entries in /var/log/auth.log:
sshd[xxx]: User ec2-user not allowed because account is locked
I believe this may hit many users. I'm not sure how to deal with this, at least we should document it, since it is not only a surprising side effect of using this recipe, but also one with possibly severe consequences.
Solutions I can think of, off the top of my head:
Dear @bkw thanks for reporting this issue. It sounds really annoying. From my background I assume this issue may occur with all default Ubuntu cloud images and their default users in combination with cloud-init. At first of all we need to find the original problem.
I am not sure I we find a proper automatic detection. I would find it difficult if we unlock locked accounts by any automatic pattern? With this approach we may run from one issue into another. A quick hack for you would be to run https://github.com/fnichol/chef-user and unlock the account during the chef run.
Let's discuss the proposed options:
Difficult, since the original issues is located in the locked account.
Then why do we specifically disable the use of PAM in sshd.conf, leading to this issue in the first place? See:
added a commit
this pull request
Jun 16, 2014
Is this enough? I only set the default to 'false' to preserve the existing functionality. Still I'd like to learn why we disable Pam by default and lock out the Ubuntu user, unless this new attribute is overridden. At the very least we should document this. I'd volunteer to do this but I need to understand why we think disabling pam for ssh is a good thing at should be the default.