Using a pub/priv key, Ubuntu is asking for a user password change

msidnam
I created an Azure VM using the CIS Hardened Ubuntu image. When setting up the VM I chose to use a public/private key to access the VM. This was in April of this year. Now when I log on it's telling me my password has expired, but we never gave the user a password.

I'm guessing that this is due to the hardened CIS image and it wants us to change the password. However, we don't know what the old password would be. Using the serial console in Azure I can create another admin user, and I tried to use chage -d -1 <user> but that doesn't seem to work.

I'm wondering if anyone else has come across this issue or can help me find a way to remove the password expiration.
Fractional CTO
Distinguished Expert 2018
Commented:
SSH Keys != password

If you're getting a password expired message, then you've never been using a Key.

To use a key, you'll do something like this...

ssh -i /path-to-key $user@$host



Additionally...

# To change a password
echo $user:$pass | chpasswd

# To reset password age to infinite
chage -M -1 $user

# To reset password age to reset every 90 days
chage -M 90 $user



Sounds to me like your sshd config allows logins without keys.

And users have been logging in without using keys.
noci, Software Engineer
Distinguished Expert 2018

Commented:
you can create random password with:
#!/bin/bash
# usage: setrandompassword <user>
user=$1
# 100 random bytes, base64-encoded; a 25-character slice becomes the password
x=$(dd if=/dev/random bs=100 count=1 2>/dev/null | base64)
pass=${x:10:25}
echo "$user:$pass" | chpasswd



Which can be named setrandompassword

Then calling setrandompassword root will set the password of root to some random value.

(Or use a tool like pwgen, https://sourceforge.net/projects/pwgen/, which probably has better properties, as base64 has a limited character set. Use long passwords to compensate for this.)
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
noci implies a good point.

1) Disable all password logins. In other words, only allow logins by ssh keys.

2) Then set all user passwords to some random, long, unique password, just in case the sshd config gets munged at some point, allowing password logins.
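The two lock-down steps above, as an added example that is not code from the original thread. It checks an sshd_config fragment the way sshd reads it (first occurrence of a keyword wins, comment lines are ignored, and both PasswordAuthentication and the keyboard-interactive PAM path default to yes, so a commented-out line still means passwords work), shows a weak fragment beside the corrected one, generates random passwords from /dev/urandom with a wider character set than base64, and produces the user:password lines chpasswd reads on stdin. Assumptions: a Linux host with awk, tr and /dev/urandom, an sshd_config without Match blocks (this parser does not evaluate them), and constructed sshd_config and /etc/passwd samples in place of the real files.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether sshd would still
# accept a password, then generate long random passwords for every interactive
# account so a later config mistake does not reopen password logins.

# sshd_allows_passwords CONFIG_TEXT -> prints yes or no.
# sshd uses the first occurrence of a keyword and ignores '#' comment lines;
# the compiled-in default for PasswordAuthentication and for the
# keyboard-interactive (PAM) path is yes, so an absent line means "allowed".
sshd_allows_passwords() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "passwordauthentication" && !seen_pw {
            pw = tolower($2); seen_pw = 1
        }
        (tolower($1) == "kbdinteractiveauthentication" ||
         tolower($1) == "challengeresponseauthentication") && !seen_kbd {
            kbd = tolower($2); seen_kbd = 1
        }
        END {
            if (!seen_pw)  pw  = "yes"   # compiled-in default
            if (!seen_kbd) kbd = "yes"   # compiled-in default
            if (pw == "yes" || kbd == "yes") print "yes"; else print "no"
        }'
}

# Constructed fragments: the weak one only *comments out* the setting, so the
# default (yes) applies; the hardened one closes both password paths.
WEAK_SSHD_CONFIG='
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
'
HARDENED_SSHD_CONFIG='
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
'

# random_password LENGTH -> LENGTH characters from letters, digits and a few
# punctuation marks, read from /dev/urandom (':' left out so chpasswd parsing
# of user:password is never ambiguous).
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_@%+=,.!-' < /dev/urandom | head -c "$1"
}

# chpasswd_lines PASSWD_TEXT MINUID -> "user:password" lines for every account
# with uid >= MINUID whose shell is not nologin/false. Pipe into chpasswd.
chpasswd_lines() {
    printf '%s\n' "$1" | awk -F: -v minuid="$2" \
        '$3 >= minuid && $7 !~ /(nologin|false)$/ { print $1 }' |
    while IFS= read -r user; do
        printf '%s:%s\n' "$user" "$(random_password 32)"
    done
}

# Constructed /etc/passwd sample: root, a system account and two key-only users.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
azureuser:x:1001:1001::/home/azureuser:/bin/bash'
```

On a live box, verify the effective settings with sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractive' (that reads the Include'd drop-ins too, which the parser above does not), run sudo sshd -t before reloading, keep an existing key-based session open while you test a fresh login, and only then feed chpasswd_lines "$(cat /etc/passwd)" 0 | sudo chpasswd.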

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Aside: An annoyance with Ubuntu is the creation (under a variety of circumstances) of...

user=ubuntu pass=ubuntu



Which means if sshd allows password logins + the login ubuntu/ubuntu gets created, then you have a massive mess.

This default user can't really access anything at the system level + I've seen many an Ubuntu install running Bitcoin miners in the background, sucking all the oxygen out of the hardware where sites + applications + API systems performance is drained to near zero.

Suggestion: As a first step after installing a new machine or creating a new container...

deluser ubuntu



This nukes the ubuntu/ubuntu login + closes this hole completely.

Author

Commented:
When we log in using the key it is letting us in, but once we are logged in we are immediately prompted with a message saying our password expired and we need to change it. But since we didn't use a username/pw and instead used a username/key, nothing works.

I know I am not using a username/pw because when I connect and don't put in my private key in PuTTY I get an error that the server is sending a key. If I use Azure's serial console it won't let me in since it never created a password for the user.

What we ended up doing was using the Azure console to add another public key, logging in with the private key and then running chage on the user that was giving us the issue to remove the expiration of the password.

Since I used the CIS Hardened Ubuntu image from the marketplace I am guessing that the OS has an expiry date for the user. Unfortunately, in our case, since we created it without a password and only a key passphrase, it wouldn't let us change the password since it didn't exist.
noci, Software Engineer
Distinguished Expert 2018

Commented:
The expiry date is set in the /etc/shadow file, which has the field needed for this.

You may need to use chage to change the settings. That might cause issues during auditing of the system, so document this as an anomaly.
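The /etc/shadow aging fields named above, the chage options from the first comment, and the author's own fix (chage on the affected user after getting back in with a second key), as one added example that is not code from the original thread. It applies the expiry rules that sshd's PAM account check (pam_unix) applies to a shadow entry after any successful authentication, key-based included, which is why a locked, key-only account is still told its password expired. The rules are my reading of pam_unix's expiry check (an assumption, not something the thread states); the sample entries are constructed, not real users. One detail worth seeing: pam_unix treats only an unset max field as "never expires", so blanking the last-change field (what chage -d -1 writes) does not switch aging off, while chage -M -1 does.

```shell
#!/bin/sh
# Added example (not from the original thread): evaluate /etc/shadow aging
# fields the way pam_unix does at login. Assumption: the rules below are my
# reading of pam_unix's check; sample entries are constructed.
#
# /etc/shadow fields:  name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; an empty field is "unset" and
# behaves as -1.

# shadow_age_status SHADOW_LINE TODAY_IN_DAYS
# Prints one of: ok | must-change | expired | inactive | account-expired
shadow_age_status() {
    today=$2
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$1
EOF
    lastchg=${lastchg:--1}; max=${max:--1}; inactive=${inactive:--1}; expire=${expire:--1}
    age=$((today - lastchg))
    if [ "$expire" -ne -1 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired    # chage -E date has passed: account disabled outright
    elif [ "$lastchg" -eq 0 ]; then
        echo must-change        # lastchg 0: change forced at next login
    elif [ "$today" -lt "$lastchg" ]; then
        echo ok                 # "changed in the future": pam_unix lets it pass
    elif [ "$max" -ne -1 ] && [ "$inactive" -ne -1 ] && [ "$age" -gt $((max + inactive)) ]; then
        echo inactive           # grace period after expiry also used up: login refused
    elif [ "$max" -ne -1 ] && [ "$age" -gt "$max" ]; then
        echo expired            # new password demanded, even after key authentication
    else
        echo ok
    fi
}

# shadow_days_left SHADOW_LINE TODAY_IN_DAYS -> days until the password expires,
# "never" when no maximum is set; negative means already overdue.
shadow_days_left() {
    IFS=: read -r name hash lastchg min max rest <<EOF
$1
EOF
    if [ -z "$max" ] || [ "$max" -eq -1 ]; then
        echo never
    else
        echo $(( ${lastchg:--1} + max - $2 ))
    fi
}

# audit_shadow FILE TODAY_IN_DAYS -> one "name status days_left" line per entry
audit_shadow() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%-12s %-16s %s\n' "${entry%%:*}" \
            "$(shadow_age_status "$entry" "$2")" "$(shadow_days_left "$entry" "$2")"
    done < "$1"
}

# Constructed sample entries; hash '!' means locked, i.e. a key-only account.
SAMPLE_NO_MAX='alice:!:18000::::::'
SAMPLE_EXPIRED='bob:!:18000:0:90:7:::'
SAMPLE_FORCED='carol:!:0:0:99999:7:::'
SAMPLE_INACTIVE='dave:!:18000:0:90:7:30::'
SAMPLE_ACCOUNT='erin:!:18000:0:90:7::18050:'
SAMPLE_BLANK_LASTCHG='frank:!::0:90:7:::'   # what `chage -d -1` leaves behind

# Fix for an entry reported "expired" only because max ran out:
#   sudo chage -M -1 <user>     # remove the maximum age
# not
#   sudo chage -d -1 <user>     # blanks lastchg; pam_unix still sees age > max
# Audit the live file with:  SHADOW_AUDIT=1 sudo sh shadow_age.sh
if [ "${SHADOW_AUDIT:-0}" = 1 ] && [ -r /etc/shadow ]; then
    audit_shadow /etc/shadow "$(( $(date +%s) / 86400 ))"
fi
```

Compare the output with chage -l <user> on the same host; if the audit says "expired" for every account created from the image on the same day, the max field (PASS_MAX_DAYS in /etc/login.defs at creation time) is the thing to record as the anomaly noci mentions.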
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Since you're using Ubuntu, take a look in /var/log/auth.log for more detail.

In fact, you can tail -f /var/log/auth.log in one window to watch detail as you login.
