SSH – Why Does Password Expire If None Is Set?

expiredpasswordssh

Why does the password expire?

I am logging in with public key (without password) since several days. Today I get this message:

> ssh modlink_foo_q@server

You are required to change your password immediately (password expired)
Last login: Wed Nov 14 09:26:48 2018 from 10.130.4.3
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for modlink_foo_q.

This is the matching line in /etc/shadow

server:~ # grep modli /etc/shadow
modlink_foo_q:!:17757:1:90:7:::

I think no password is set. Then who can it expire?

OS: SUSE Linux Enterprise Server 12 SP3

Best Answer

The value of your encrypted password (or the lack thereof) does not change the fact that a password expiry policy has been set.

See https://linux.die.net/man/3/shadow and https://linux.die.net/man/5/shadow

The current password was set on Tue Aug 14 2018
(the third field is sp_lstchg - the number of days since Jan 1, 1970 when the password was last changed: date --date '1970-01-01 +17757days')
(most likely when the account was created) and was valid for 90 days.
(field #5 sp_max - the number days after which password must be changed) I.e. the password was valid until date --date '1970-01-01 +17757days +90days' Mon Nov 12 2018.

You are currently in the 7 day grace period after the password expiry date and unless you either change the password, or change/update the policy fields (with chage) that account will considered inactive and disabled by Mon Nov 19 2018.

 chage --lastday 2018-11-14 modlink_foo_q

will update the sp_lstchg field with today's date which will allow you to continue to use the account for another 90 before simulating a new password reset.

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

No password is complex enough

It turns out I was insufficiently observant, overly paranoid, or perhaps a bit... BOFHy when I set the fine-grained password policies. Looking closely at them (ADSI edit is not a great interface for that, too much other stuff) I noticed that I am setting a minimum password age.

Apparently, admin-resets do indeed reset this aging timer to zero.

Apparently, Windows reports the password-complexity error when it is too soon to reset a password.

Unless I want to change it, my "reset me!" users will have to put up with (for example) 2 days of the impossible-to-remember-but-very-long-password dunce-cap before they can set it to something they can remember.

Maybe this is just the hammer I need to urge them into straight up domain accounts.

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

No password is complex enough

Related Topic