[Freeipa-users] automated ftp service only accounts and passwords
Larry Rosen
larry.rosen at JDRSolutions.com
Fri Sep 9 16:06:50 UTC 2016
Why does it (the secure log) say:
Sep 9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
User info:
[sysadmin at redmine ~]$ ipa pwpolicy-show service_accts
Group: service_accts
Max lifetime (days): 20000
Min lifetime (hours): 0
History size: 0
Character classes: 2
Min length: 8
Priority: 5
Max failures: 0
Failure reset interval: 0
Lockout duration: 0
[sysadmin at redmine ~]$ date
Fri Sep 9 11:35:31 EDT 2016
[sysadmin at redmine ~]$ ipa user-show xfseuftp
User login: xfseuftp
First name: xfs
Last name: eur
Home directory: /export/xfseur
Login shell: /bin/bash
Email address: xfseuftp at ipajdr.local
UID: 1333300618
GID: 1333200036
Account disabled: False
Password: True
Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
Member of HBAC rule: access_lamp_stor_01_server
Kerberos keys available: True
[sysadmin at redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
--------------------
Access granted: True
--------------------
Matched rules: access_lamp_stor_01_server <------- this is the sftp server I am attempting to access
Not matched rules: access_all_servers
Not matched rules: access_il09_app_mufg_server
Not matched rules: access_ipa_servers
Not matched rules: access_lampuat_server
Not matched rules: access_ssh_gate_01_server
Not matched rules: access_uat_xfs_il10_server
Not matched rules: access_xfs_il10_server
Not matched rules: dsiroot_access
Not matched rules: il10web_access_xfs_il10_server
Not matched rules: xfsroot_access
ssh/sftp setup:
Match User xfseuftp
# Force the connection to use the built-in SFTP support.
ForceCommand internal-sftp -u 6
# Chroot the connection into the specified directory.
ChrootDirectory /export/xfseur
# Disable authentication agent forwarding.
AllowAgentForwarding no
# Disable TCP connection forwarding.
AllowTcpForwarding no
# Disable X11 remote desktop forwarding.
X11Forwarding no
Here is what I see when I change the account's password and then try to log in (I am sure it's the password I set). I've even tried deleting and re-creating the ID from scratch:
[sysadmin at redmine ~]$ ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
--------------------------------------------
Changed password for "xfseuftp at IPAJDR.LOCAL"
--------------------------------------------
[sysadmin at redmine ~]$ ssh xfseuftp at 10.120.97.149
xfseuftp at 10.120.97.149's password:
Permission denied, please try again.
xfseuftp at 10.120.97.149's password:
Even if I su to the user:
[root at lamp-stor-01 export]# ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
--------------------------------------------
Changed password for "xfseuftp at IPAJDR.LOCAL"
--------------------------------------------
[root at lamp-stor-01 export]# su - xfseuftp
Last login: Fri Sep 9 11:57:24 EDT 2016 on pts/1
-bash-4.2$ passwd
Changing password for user xfseuftp.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
secure log entries when attempted to change password:
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
.....
Sep 9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
Sep 9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
Sep 9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
Sep 9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, September 09, 2016 9:30 AM
To: Larry Rosen <larry.rosen at JDRSolutions.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords
Larry Rosen wrote:
> How do I set the password on a chroot jailed sftp id account that is
> not allowed a shell to not expire its password after setting it?
> There's no way to change it to the fixed password I want.
>
> I have created a service_account password policy that has no
> expiration (set to Max lifetime (days) = 20000 ).
More details are needed. Did you create a service account user or are you using an IPA user?
You created a new password policy, is the sftp account in that group?
Why can't you set the password to what you want?
rob
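As an added example (not part of this thread and not FreeIPA's own code), the two checks below turn the evidence posted above into something a script can decide. FreeIPA sets krbPasswordExpiration to the reset time whenever an administrator changes another user's password, so the user must change it at first use; an account locked behind ForceCommand internal-sftp never gets that chance. The first function decodes the numeric status pam_sss logs to /var/log/secure (Linux-PAM return codes: 13 is PAM_ACCT_EXPIRED, 4 is PAM_SYSTEM_ERR); the second reads the raw krbpasswordexpiration attribute as printed by `ipa user-show --all --raw` and compares it with the current time. The log lines are the ones from the post; the user-show output and the clock value are constructed, and the exact layout of the raw output is an assumption.

```python
import re
from datetime import datetime, timezone

# Linux-PAM return codes (from <security/_pam_types.h>) that pam_sss commonly reports.
PAM_CODES = {
    4: "PAM_SYSTEM_ERR",
    7: "PAM_AUTH_ERR",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# Matches the result line pam_sss writes after an auth or chauthtok attempt.
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):(?P<phase>\w+)\): "
    r"(?:received for user|Authentication failed for user) (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)"
)

# Secure-log lines quoted in the post (the "User info message" lines carry no code and are skipped).
SECURE_LOG = [
    "Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.",
    "Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)",
    "Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)",
]

# Constructed `ipa user-show xfseuftp --all --raw` excerpt (assumed layout): an admin reset
# at 12:04:57 EDT leaves krbpasswordexpiration equal to that instant, 16:04:57 UTC.
USER_SHOW_RAW = """\
  uid: xfseuftp
  krbpasswordexpiration: 20160909160457Z
  krblastpwdchange: 20160909160457Z
  nsaccountlock: FALSE
"""

# Constructed clock value: the time of the failed ssh login in the post (16:06:50 UTC).
NOW = datetime(2016, 9, 9, 16, 6, 50, tzinfo=timezone.utc)


def parse_pam_sss(lines):
    """Decode each pam_sss result line into service, phase, user, numeric code and its PAM name."""
    results = []
    for line in lines:
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        results.append({
            "service": m.group("service"),
            "phase": m.group("phase"),
            "user": m.group("user"),
            "code": code,
            "name": PAM_CODES.get(code, "UNKNOWN"),
            "message": m.group("msg"),
        })
    return results


# krbPasswordExpiration is an LDAP GeneralizedTime such as 20160909160457Z (UTC).
KRB_TIME = "%Y%m%d%H%M%SZ"


def parse_krb_time(value):
    return datetime.strptime(value.strip(), KRB_TIME).replace(tzinfo=timezone.utc)


def password_expired(raw_user_show, now):
    """Return (expiration, expired) from raw user-show output; (None, False) if the attribute is absent."""
    expiration = None
    for line in raw_user_show.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.lower() == "krbpasswordexpiration":
            expiration = parse_krb_time(value)
    if expiration is None:
        return None, False
    return expiration, expiration <= now


if __name__ == "__main__":
    for r in parse_pam_sss(SECURE_LOG):
        print(f"{r['service']}/{r['phase']} user={r['user']} code={r['code']} ({r['name']}): {r['message']}")
    exp, expired = password_expired(USER_SHOW_RAW, NOW)
    print(f"krbPasswordExpiration={exp.isoformat()} expired={expired}")
```

Run against a live server, replace the constructed USER_SHOW_RAW with the output of `ipa user-show <login> --all --raw` and NOW with `datetime.now(timezone.utc)`; an expiration at or before the current time after an admin `ipa passwd` is the condition that produces the code 13 line shown above.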