msidnam asked:
Using pub/priv key ubuntu is asking for a user password change

I created an Azure VM using the CIS Hardened Ubuntu image. When setting up the VM I chose to use a public/private key to access the VM. This was in April of this year. Now when I logon its telling me my password has expired but we never gave the user a password.

I'm guessing that this is due to the hardened CIS image and it wants us to change the password. However we dont know what the old password would be. Using the serial console in Azure I can create another admin user and i tried to use chage -d -1 <user> but that doesnt seem to work.

I'm wondering if anyone else has come across this issue or can help me find a way to remove the password expiration.
ASKER CERTIFIED SOLUTION
David Favor
noci:

You can create a random password with:
#!/bin/bash
# usage: setrandompassword <user>
user=$1
# 100 random bytes, base64-encoded, with the wrapping newline removed
x=$(dd if=/dev/random bs=100 count=1 2>/dev/null | base64 | tr -d '\n')
# bash substring expansion: 25 characters starting at offset 10
pass=${x:10:25}
echo "$user:$pass" | chpasswd

This can be named setrandompassword;

then the call setrandompassword root will set the password of root to some random value.

(Or use a tool like pwgen... https://sourceforge.net/projects/pwgen/ which probably has better properties, as base64 has a limited character set; use long passwords to compensate for this.)
noci implies a good point.

1) Disable all password logins. In other words, only allow logins by ssh keys.

2) Then set all user passwords to some random, long, unique password, just in case the sshd config gets munged at some point, allowing password logins.
Aside: An annoyance with Ubuntu is the creation (under a variety of circumstances) of...

user=ubuntu pass=ubuntu

Which means if sshd allows password logins + the login ubuntu/ubuntu gets created, then you have a massive mess.

This default user can't really access anything at the system level + I've seen many an Ubuntu install running Bitcoin miners in the background, sucking all the oxygen out of the hardware where sites + applications + API systems performance is drained to near zero.

Suggestion: As a first step after installing a new machine or creating a new container...

deluser ubuntu

This nukes the ubuntu/ubuntu login + closes this hole completely.
msidnam (ASKER):

When we login using the key it is letting us in, but once we are logged in we are immediately prompted with a message saying our password expired and we need to change it. But since we didn't use a username/pw and instead used a username/key, nothing works.

I know I am not using a username/pw because when I connect and don't put in my private key in PuTTY I get an error that the server is sending a key. If I use Azure's serial console it won't let me in since it never created a password for the user.

What we ended up doing was using the Azure console to add another public key, logged in with the private key and then ran chage on the user that was giving us the issue to remove the expiration of the password.

Since I used the CIS Hardened Ubuntu Image from the marketplace I am guessing that the OS has an expiry date for the user. Unfortunately in our case since we created it without a password and only a key passphrase it wouldn't let us change the password since it didn't exist.
The expiry date is set in the /etc/shadow file, which has the field needed for this.

You may need to use chage to change the settings. That might cause issues during auditing of the system so document this as an anomaly.
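As an added example (not posted by anyone in this thread), here is a bash script that scans /etc/shadow-format lines for exactly the situation described above: an account whose password aging has run out but whose password field holds no usable hash (a key-only login), so the forced password change at login cannot be completed. The shadow lines and the day number are constructed sample data, not from a real system.

```shell
#!/usr/bin/env bash
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg/max are counted in days since the epoch).

# classify_shadow_line LINE TODAY  -> prints one of:
#   no-aging | ok | expired | EXPIRED_NO_PASSWORD
classify_shadow_line() {
    local line=$1 today=$2
    local name hash lastchg min max rest
    IFS=: read -r name hash lastchg min max rest <<< "$line"
    # An empty max, or 99999, means no enforced maximum password age.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "no-aging"; return
    fi
    if [ -z "$lastchg" ] || [ $((lastchg + max)) -ge "$today" ]; then
        echo "ok"; return
    fi
    # Aged out. A hash of "!", "*", "!*" or "!!" means there is no usable
    # password, so a key-only user is prompted for a change they cannot finish.
    case "$hash" in
        '!'|'*'|'!*'|'!!') echo "EXPIRED_NO_PASSWORD" ;;
        *) echo "expired" ;;
    esac
}

# report_shadow FILE TODAY  -> prints "status name" for every account in FILE
report_shadow() {
    local file=$1 today=$2 line status
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_shadow_line "$line" "$today")
        echo "$status ${line%%:*}"
    done < "$file"
}

# Constructed sample data (hypothetical accounts; not a real /etc/shadow).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:!:19000:0:99999:7:::
azureuser:*:19100:1:60:7:::
ops:$6$saltsalt$fakehashfakehash:19480:1:60:7:::
EOF
TODAY=19500   # constructed "today" in days since the epoch

# On a real host: run against /etc/shadow as root with TODAY=$(( $(date +%s) / 86400 )),
# then remove the max age for a flagged key-only account with chage -M -1 <user>,
# keeping PasswordAuthentication no in sshd_config as advised above.
report_shadow "$SAMPLE" "$TODAY"
rm -f "$SAMPLE"
```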
Since you're using Ubuntu, take a look in /var/log/auth.log for more detail.

In fact, you can tail -f /var/log/auth.log in one window to watch detail as you login.