Ssh – Forced to change expired password when using ssh key

Tags: password-management, security, ssh, ssh-keys

I am working in an environment where I have an account on multiple linux machines where accounts and passwords are managed independently (no active directory/LDAP/etc) and passwords expire every 30 days. As such, I thought it would be easier to manage my authentication using ssh keys. I am able to authenticate using my ssh keys just fine. However, I found that when my password expires, I am prompted to change my password when I try to connect using my ssh key. Is this normal behavior? I thought the whole point of using key pairs is to bypass using your password. Shouldn't I only be prompted to change my password if I login using a password?

Best Answer

I stumbled upon the solution to this issue from the reference below. The solution requires authorization to edit some pam files.

The cause of the issue is the order of operations that causes the expired password prompt as explained here:

  • SSH runs the PAM account stage, which verifies that the account exists and is valid. The account stage notices that the password has expired, and lets SSH know.
  • SSH performs key-based authentication. It doesn't need PAM for this, so it doesn't run the auth stage. It then sets up the SSH login session and runs the PAM session stage.
  • Next, SSH remembers that PAM told it the password had expired, prints a warning message, and asks PAM to have the user change the password. SSH then disconnects.

More recent versions of pam_unix have a no_pass_expiry option. From the man page:

  no_pass_expiry
       When set ignore password expiration as defined by the shadow entry of the user. The option has an effect
       only in case pam_unix was not used for the authentication or it returned authentication failure meaning
       that other authentication source or method succeeded. The example can be public key authentication in
       sshd. The module will return PAM_SUCCESS instead of eventual PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED.

On a CentOS 7 server I set /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following lines:

account    required pam_unix.so  no_pass_expiry
password   sufficient pam_unix.so sha512 shadow nullok remember=5 no_pass_expiry
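As an added example (not code from the answer or from the pam_unix project), here is a small Python audit that parses pam.d-style rules and reports, per service file, whether the account stage carries no_pass_expiry on pam_unix.so, i.e. whether key-based logins will be let through even when the shadow entry says the password has expired. The sample configurations are constructed; @include directives are not followed.

```python
import re
from typing import Dict, Iterator, NamedTuple, Tuple


class PamRule(NamedTuple):
    type: str          # account, auth, password, session
    control: str       # required, sufficient, [success=1 default=ignore], ...
    module: str        # e.g. pam_unix.so
    args: Tuple[str, ...]


# <type> <control> <module> [args...]; a leading '-' marks an optional module
_RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> Iterator[PamRule]:
    """Yield the rules of one pam.d file, skipping comments and @include lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # includes are not followed in this example
        m = _RULE_RE.match(line)
        if m:
            typ, control, module, rest = m.groups()
            yield PamRule(typ, control, module, tuple(rest.split()))


def expiry_bypassed(text: str) -> bool:
    """True if an account-stage pam_unix rule ignores shadow expiry (no_pass_expiry)."""
    return any(r.type == "account" and r.module == "pam_unix.so"
               and "no_pass_expiry" in r.args for r in parse_pam(text))


def audit(files: Dict[str, str]) -> Dict[str, bool]:
    """Map each service file name to whether expired passwords still allow key logins."""
    return {name: expiry_bypassed(body) for name, body in files.items()}


# Constructed sample modeled on the CentOS 7 lines from the answer above.
PATCHED = """account    required pam_unix.so  no_pass_expiry
password   sufficient pam_unix.so sha512 shadow nullok remember=5 no_pass_expiry
"""

# Constructed Debian-style sample: expiry is still enforced at the account stage.
STOCK = """account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
-session optional pam_systemd.so
@include common-password
"""

if __name__ == "__main__":
    for service, bypassed in audit({"password-auth": PATCHED, "sshd": STOCK}).items():
        print(f"{service}: expired passwords {'do NOT' if bypassed else 'DO'} block key logins")
```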

References

Expired Password and SSH key based login

pam_unix man page