passwordless users not able to log in #18
Conversation
|
Dear @bkw thanks for reporting this issue. It sounds really annoying. From my background I assume this issue may occur with all default Ubuntu cloud images and their default users in combination with cloud-init. At first of all we need to find the original problem. I am not sure I we find a proper automatic detection. I would find it difficult if we unlock locked accounts by any automatic pattern? With this approach we may run from one issue into another. A quick hack for you would be to run https://github.com/fnichol/chef-user and unlock the account during the chef run. Let's discuss the proposed options:
Difficult, since the original issues is located in the locked account. |
Then why do we specifically disable the use of PAM in sshd.conf, leading to this issue in the first place? See: |
|
Replace that line with "UsePAM yes" and bob's your uncle. Hence my question: Why do we disable it in the first place? What security problem are we trying to close by that that has not been addressed by "PasswordAuthentication no" and "PermitEmptyPasswords no"? |
|
I see.... ;-) |
|
I changed this into a PR with a changeset to enable PAM. Maybe we can get more people to weigh in on this. |
|
great, thank you |
passwordless users not able to log in
|
Is this enough? I only set the default to 'false' to preserve the existing functionality. Still I'd like to learn why we disable Pam by default and lock out the Ubuntu user, unless this new attribute is overridden. At the very least we should document this. I'd volunteer to do this but I need to understand why we think disabling pam for ssh is a good thing at should be the default. |
I moved dev-sec/chef-os-hardening#32 here, since the ssh-hardening seems to be the culprit. Contents have been updated.
After applying the ssh-hardening recipe, I could no longer login into the default user via ssh.
Here is what happened:
The machine was an ubuntu 14.04 LTS vm set up by openstack heat. This creates a default user "ec2-user".
Without further provisioning, this user has no password. This usually poses no problem for me, since ssh is configured to allow RSA key based login only.
The user is locked ("!" in /etc/shadow) since he has no password, but in its default configuration with pam enabled, ssh will allow logins anyway.
After pam was disabled by this recipe, the "locked" flag IS being evaluated, resulting in the following entries in /var/log/auth.log:
sshd[xxx]: User ec2-user not allowed because account is locked
sshd[xxx]: input_userauth_request: invalid user ec2-user [preauth]
sshd[xxx]: Disconnecting: Too many authentication failures for ec2-user [preauth]
I believe this may hit many users. I'm not sure how to deal with this, at least we should document it, since it is not only a surprising side effect of using this recipe, but also one with possibly severe consequences.
Solutions I can think of, off the top of my head:
Other thoughts?