I am working in an environment where I have an account on multiple Linux machines where accounts and passwords are managed independently (no Active Directory/LDAP/etc.) and passwords expire every 30 days. As such, I thought it would be easier to manage my authentication using ssh keys. I am able to authenticate using my ssh keys just fine. However, I found that when my password expires, I am prompted to change my password when I try to connect using my ssh key. Is this normal behavior? I thought the whole point of using key pairs is to bypass using your password. Shouldn't I only be prompted to change my password if I log in using a password?
Ssh – Forced to change expired password when using ssh key
password-management, Security, ssh, ssh-keys
Best Answer
I stumbled upon the solution to this issue from the reference below. The solution requires authorization to edit some `pam` files.

The cause of the issue is the order of operations that causes the expired password prompt as explained here:

More recent versions of `pam_unix` have a no_pass_expiry. From the man page:

On a CentOS 7 server I set `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth` with the following lines:

References
Expired Password and SSH key based login
pam_unix man page
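
Because `no_pass_expiry` lets key-based logins continue past password expiry, it helps to know which hosts have it set. The following audit sketch is an added example, not part of the original answer: it reports, for each active `pam_unix.so` line in a PAM file, the module type and whether the option is present. The function names `pam_unix_report` and `has_no_pass_expiry` are hypothetical, and the sample file contents are constructed.

```shell
#!/bin/sh
# pam_unix_report FILE
# Print "TYPE yes|no" for each active pam_unix.so line in FILE
# (yes = the line carries the no_pass_expiry option).
pam_unix_report() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            mod = 0
            for (i = 2; i <= NF; i++)         # locate the module field
                if ($i ~ /(^|\/)pam_unix\.so$/) { mod = i; break }
            if (!mod) next
            type = $1
            sub(/^-/, "", type)               # "-account" style type prefix
            found = "no"
            for (i = mod + 1; i <= NF; i++) {
                if ($i ~ /^#/) break          # trailing comment ends options
                if ($i == "no_pass_expiry") found = "yes"
            }
            print type, found
        }
    ' "$1"
}

# has_no_pass_expiry FILE TYPE
# Succeed only if FILE has at least one pam_unix.so line of TYPE and
# every such line sets no_pass_expiry.
has_no_pass_expiry() {
    pam_unix_report "$1" | awk -v t="$2" '
        $1 == t { n++; if ($2 == "yes") y++ }
        END { exit !(n > 0 && n == y) }
    '
}

# Constructed sample input (not copied from any real host or from the answer).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so no_pass_expiry
# account   required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow
EOF
pam_unix_report "$sample"
```

On a real host, point `pam_unix_report` at `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`, the two files named in the answer.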