Forced to change expired password when using ssh key
I am working in an environment where I have an account on multiple linux machines where accounts and passwords are managed independently (no active directory/LDAP/etc) and passwords expire every 30 days. As such, I thought it would be easier to manage my authentication using ssh keys. I am able to authenticate using my ssh keys just fine. However, I found that when my password expires, I am prompted to change my password when I try to connect using my ssh key. Is this normal behavior? I thought the whole point of using key pairs is to bypass using your password. Shouldn't I only be prompted to change my password if I login using a password?
I stumbled upon the solution to this issue from the reference below. The solution requires authorization to edit some PAM files.
The cause of the issue is the order of operations that causes the expired password prompt as explained here:
- SSH runs the PAM account stage, which verifies that the account exists and is valid. The account stage notices that the password has expired, and lets SSH know.
- SSH performs key-based authentication. It doesn't need PAM for this, so it doesn't run the auth stage. It then sets up the SSH login session and runs the PAM session stage.
- Next, SSH remembers that PAM told it the password had expired, prints a warning message, and asks PAM to have the user change the password. SSH then disconnects.
More recent versions of pam_unix have a no_pass_expiry option. From the man page:
no_pass_expiry
    When set ignore password expiration as defined by the shadow entry of the user. The option has an effect only in case pam_unix was not used for the authentication or it returned authentication failure meaning that other authentication source or method succeeded. The example can be public key authentication in sshd. The module will return PAM_SUCCESS instead of eventual PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED.
On a CentOS 7 server I set /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following lines:
account required pam_unix.so no_pass_expiry
password sufficient pam_unix.so sha512 shadow nullok remember=5 no_pass_expiry
References
Expired Password and SSH key based login
pam_unix man page
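An added example (not part of the answer above, and not code from pam_unix or OpenSSH): a small Python audit that parses a pam.d stack and models the account-stage decision the man page excerpt describes, so you can see why a key-based login with an expired password is let through only when no_pass_expiry is on the pam_unix account line. The sample config is constructed, and the decision model is a deliberate simplification that considers only the first pam_unix.so account rule.

```python
import re
from dataclasses import dataclass

# Constructed sample of a CentOS 7 style /etc/pam.d/password-auth, with the
# account line carrying no_pass_expiry as in the answer above.
SAMPLE_PAM = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so no_pass_expiry
password    sufficient    pam_unix.so sha512 shadow nullok remember=5 no_pass_expiry
session     required      pam_unix.so
"""

@dataclass
class PamRule:
    stage: str       # auth, account, password or session
    control: str     # required, sufficient, ... or a [bracketed] control
    module: str      # e.g. pam_unix.so
    args: tuple      # module arguments, e.g. ("no_pass_expiry",)

def parse_pam(text):
    """Parse pam.d lines of the form: type control module [args...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        # The control field may be a bracketed list such as [success=1 default=ignore].
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        stage, control, module, rest = m.groups()
        rules.append(PamRule(stage.lstrip("-"), control, module, tuple(rest.split())))
    return rules

def account_stage_result(rules, password_expired, auth_by_pam_unix):
    """Model pam_unix's account stage per the man page: an expired password
    yields PAM_NEW_AUTHTOK_REQD unless no_pass_expiry is set AND pam_unix did
    not perform the authentication (e.g. sshd public key auth)."""
    for r in rules:
        if r.stage == "account" and r.module == "pam_unix.so":
            if not password_expired:
                return "PAM_SUCCESS"
            if "no_pass_expiry" in r.args and not auth_by_pam_unix:
                return "PAM_SUCCESS"
            return "PAM_NEW_AUTHTOK_REQD"
    return "PAM_SUCCESS"   # no pam_unix account rule: nothing checks expiry here
```

Note the trade-off the model makes visible: with no_pass_expiry, a key-based login never forces the change, so the 30-day expiry is enforced only on password logins.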
You still have to change it every 30 days.
The administrator can change this behaviour by changing the maximum number of days a password remains valid, using passwd -x or chage -E or even usermod -e.