Ssh – Forcing a password change on OpenBSD

Tags: openbsd, password-management, password-policy, ssh

On OpenBSD 5.6 I need to provision a number of user accounts with default passwords. I would like users, upon their first SSH login, to be forced to change their passwords from the default.

On CentOS and Debian I can do this using chage -d 0 $username.

It appears from the login.conf manual that I should be able to accomplish the same thing on OpenBSD with something like:

  • usermod -f 1 $username or
  • usermod -f "Jan 1 2015" $username

Setting it that way does prompt the appropriate change in userinfo $username, but logging in as $username via SSH does not actually enforce a password change – it opens the shell quite happily, oblivious to the password having been marked inactive above.

Some posts from 2000 talk through writing a wrapper login shell to force a password change. That said, given the obvious scaffolding in usermod and chpass, it seems that this is built-in, but not documented as widely as the Linux equivalents.

Can a BSD pro shed some light on the conventional approach to this?

Best Answer

According to login.conf(5), the default grace period for an expired (aka "dead") password is 0. Unless that value is set in /etc/login.conf, a user cannot log in to change her password if the current system date is greater than the 6th field of the user's password entry in /etc/master.passwd - refer to passwd(5).

To solve the problem you will need to specify a date formatted in number of seconds since the epoch that falls within your grace period of choice, e.g. 2 weeks, which you will also configure in /etc/login.conf. To manually pick a password expiration time of yesterday we can use:

    # date -d yesterday +%s
    1463597700

And then plug that value into field #6 in /etc/master.passwd by using vipw. The relevant line will then look something like this:

    user:$2b$08$01234567890abcdef:1000:1000::1463597700:0:user:/home/user:/bin/ksh

Running usermod like you indicated (usermod -f "May 17 2016" user) will do essentially the same thing, but in both cases /etc/login.conf must also be changed by appending the following to the default:\ or relevant section for your class of user:

    :password-dead=2w:\
    :password-warn=2w:

The first line allows a grace period of two weeks for the user to change her password; the second line will issue warnings that a user's password is scheduled to expire. If expired, your users will see something like the following:

    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing local password for user.
    Old password:
    New password:
    Retype new password:
    Connection to openbsd-server closed.

You can also configure :passwordtime=7776000: in /etc/login.conf to enforce an additional password change every 90 days. Note that if you require additional checks on users' password complexity, like forbidding password reuse, you should install and configure passwordqc from packages, or another password checker program.
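An added check for the method in this answer (example code written for this page, not part of the original post or of OpenBSD): it reads master.passwd-style lines and, for a given login.conf password-dead value, reports whether each account will be forced to change its password at login, still logs in normally, or is locked out because the grace period is the default 0. The sample entries and hashes are constructed; the suffix parsing assumes the y/w/d/h/m/s time format of login.conf(5).

```python
import time

# Constructed sample /etc/master.passwd lines (fake hashes and users), fields as in
# passwd(5): name:password:uid:gid:class:change:expire:gecos:home:shell.
SAMPLE_MASTER_PASSWD = """\
root:$2b$08$fakefakefakefakefake:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:$2b$08$fakefakefakefakefake:1000:1000::1463597700:0:Alice:/home/alice:/bin/ksh
bob:$2b$08$fakefakefakefakefake:1001:1001::0:0:Bob:/home/bob:/bin/ksh
carol:$2b$08$fakefakefakefakefake:1002:1002::1470000000:0:Carol:/home/carol:/bin/ksh
"""

# login.conf(5) time suffixes; a bare number is taken as seconds.
_SUFFIX = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_login_conf_time(value):
    """Turn a login.conf time value such as '2w' or '7776000' into seconds."""
    value = value.strip()
    if value and value[-1] in _SUFFIX and value[:-1].isdigit():
        return int(value[:-1]) * _SUFFIX[value[-1]]
    return int(value)


def classify_account(line, now, password_dead):
    """Return (user, state) for one master.passwd line, judged at time `now`:
    none (field 6 is 0), pending (change date still ahead), must-change
    (expired but inside password-dead), locked-out (expired, grace exceeded)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 10:
        raise ValueError("expected 10 colon-separated fields: %r" % line)
    user, change = fields[0], int(fields[5])
    if change == 0:
        return user, "none"
    if change > now:
        return user, "pending"
    if now - change <= password_dead:
        return user, "must-change"
    return user, "locked-out"


def audit(master_passwd_text, password_dead_value="0", now=None):
    """Map every account to its state for the given login.conf password-dead."""
    now = int(time.time()) if now is None else now
    grace = parse_login_conf_time(password_dead_value)
    return dict(classify_account(line, now, grace)
                for line in master_passwd_text.splitlines() if line.strip())
```

Run it with the real /etc/master.passwd contents and the password-dead value from your users' login class; with the default value of "0" every expired account shows up as locked-out, which is exactly the symptom the answer describes.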