Recently I have been playing with password ageing and the usage of ssh keys. I have found that if UsePAM yes (default) is set in the /etc/ssh/sshd_config file then any password ageing and inactivity can adversely affect a client with ssh keys.
For example:
Set PASS_MAX_DAYS to 60 in /etc/login.defs (for new user accounts)
Set INACTIVE=30 in /etc/default/useradd (for new user creations)
Here is an example of one done already:
# chage -l test01
Last password change : Mar 27, 2015
Password expires : May 26, 2015
Password inactive : Jun 25, 2015
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
- Log in as test01 at today's date: no problem.
- Set date to May 27, 2015 ... Upon login, you are told the password has aged and you are FORCED to change your password.
- Set date to June 26, 2015 ... After login, you are informed your password has expired and to contact your system administrator, and the connection is dropped.
Same scenario, except this time you log on with your ssh key (instead of a password):
- Today's date ... login normally
- Set date to May 27, 2015 ... Login with key, but you are told your password has aged and it forces you to change your password.
- Set date to June 26, 2015 ... Login with key, you are told your account is expired and it dumps the connection.
If you change to "UsePAM no" in the /etc/ssh/sshd_config file, restart the ssh daemon and retry, the following happens (using ssh key):
- Today's date ... login normally
- Set date to May 27, 2015 ... log on, no warnings.
- Set date to June 26, 2015 ... log on, no warnings.
Do it again, using a password instead of an ssh key:
- Today's date ... log on normally
- Set date to May 27, 2015 ... log on, password change forced
- Set date to June 26, 2015 ... log on, password change forced (the inactivity is NOT being honored).
So in summary:
If you use password ageing and "UsePAM yes", you are prompted to change your password, even when using ssh keys.
If you use password ageing and "UsePAM no", your password never goes INACTIVE and ssh keys work without password expiration warnings.
Trying to get the best of both worlds:
Use password ageing + inactivity ... but without affecting anyone using ssh keypairs.
For reference, here are the relevant changes to the PAM files. (Note: I have done this for RHEL 4, 5 and 6, as well as Debian 7. The config files are the same (except on RHEL 4) and the PAM configuration files are slightly different due to the different distros.)
RHEL5/6: (note: rhel6 also has the settings in /etc/pam.d/password-auth-ac)
/etc/pam.d/system-auth-ac
# pam_tally2 keeps its own counter (/var/log/tallylog); the account line must use
# the same module, otherwise the counter is never reset on a successful login
# (the original had pam_tally.so here, which reads /var/log/faillog instead).
auth required pam_tally2.so onerr=fail deny=3
account required pam_tally2.so
password requisite pam_cracklib.so try_first_pass retry=3 lcredit=0 ucredit=0 ocredit=0 dcredit=0 minlen=8
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
Suggestions?
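An added example, not part of the original post and not the poster's configuration: a POSIX sh function that reimplements the account check pam_unix applies to a shadow entry (the check that produces the "password aged" and "contact your administrator" outcomes above), run against a constructed shadow line matching the chage -l output for test01, so the boundary dates can be verified without resetting the system clock. The hash placeholders, the day numbers and the second "keyonly" entry are constructed; the comparison on the absolute account-expiry field is my reading of pam_unix and is not something the post exercises.

```shell
#!/bin/sh
# Constructed example: reimplement the account check pam_unix runs on a shadow
# entry, so the boundary dates from the chage output can be tested offline.
#
# Fields of a shadow line:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day fields are days since 1970-01-01; an empty numeric field means "not set"
# (pam_unix sees -1). Mar 27, 2015 is day 16521.

# shadow_status SHADOW_LINE TODAY_DAYS
# Prints one word mirroring the pam_unix result:
#   ok        PAM_SUCCESS           login proceeds
#   change    PAM_NEW_AUTHTOK_REQD  password aged, change forced
#   inactive  PAM_AUTHTOK_EXPIRED   past max+inactive, "contact your administrator"
#   expired   PAM_ACCT_EXPIRED      absolute account expiry date reached
shadow_status() {
    IFS=: read -r _name _hash lastchg _min max _warn inact expire _rest <<EOF
$1
EOF
    today=$2
    : "${lastchg:=-1}" "${max:=-1}" "${inact:=-1}" "${expire:=-1}"

    # Absolute account expiry. Assumption: the expiry day itself counts as
    # expired; the post never sets this field ("Account expires: never").
    if [ "$expire" -ne -1 ] && [ "$today" -ge "$expire" ]; then
        echo expired; return 0
    fi
    # lastchg 0 (chage -d 0) forces a change at the next login.
    if [ "$lastchg" -eq 0 ]; then
        echo change; return 0
    fi
    # A last-change date in the future is tolerated.
    if [ "$today" -lt "$lastchg" ]; then
        echo ok; return 0
    fi
    age=$((today - lastchg))
    # Strictly greater than: on the day chage prints as "Password inactive"
    # the user still gets a change prompt; the day after, the login is refused.
    if [ "$max" -ne -1 ] && [ "$inact" -ne -1 ] && [ "$age" -gt $((max + inact)) ]; then
        echo inactive; return 0
    fi
    # Likewise the day chage prints as "Password expires" still logs in normally.
    if [ "$max" -ne -1 ] && [ "$age" -gt "$max" ]; then
        echo change; return 0
    fi
    echo ok
}

# Helper for turning a calendar date into shadow days (GNU date only).
days_since_epoch() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# Constructed entry matching the chage -l output for test01 above
# (last change day 16521, min 0, max 60, warn 7, inactive 30, no expiry).
TEST01='test01:$6$constructed$hash:16521:0:60:7:30::'
# The same account after "chage -M -1": no maximum age, so the check can
# never return "change" or "inactive", whichever way the user authenticated.
KEYONLY='keyonly:$6$constructed$hash:16521:0::7:30::'

# Walk the four dates from the post: May 26/27 and Jun 25/26, 2015.
for day in 16581 16582 16611 16612; do
    printf 'test01  day %s: %s\n' "$day" "$(shadow_status "$TEST01" "$day")"
    printf 'keyonly day %s: %s\n' "$day" "$(shadow_status "$KEYONLY" "$day")"
done
```

The loop prints ok, change, change, inactive for test01, which is exactly the sequence observed with UsePAM yes for both password and key logins: sshd's PAM account stage runs this check regardless of how the user authenticated. The keyonly entry shows what the same check does for an account whose maximum age is unset.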