[Freeipa-users] automated ftp service only accounts and passwords

Larry Rosen larry.rosen at JDRSolutions.com
Fri Sep 9 16:06:50 UTC 2016


Why does it (secure log) say:
	Sep  9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)

User info:

[sysadmin at redmine ~]$ ipa pwpolicy-show service_accts
  Group: service_accts
  Max lifetime (days): 20000
  Min lifetime (hours): 0
  History size: 0
  Character classes: 2
  Min length: 8
  Priority: 5
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0

[sysadmin at redmine ~]$ date
Fri Sep  9 11:35:31 EDT 2016
[sysadmin at redmine ~]$ ipa user-show xfseuftp
  User login: xfseuftp
  First name: xfs
  Last name: eur
  Home directory: /export/xfseur
  Login shell: /bin/bash
  Email address: xfseuftp at ipajdr.local
  UID: 1333300618
  GID: 1333200036
  Account disabled: False
  Password: True
  Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
  Member of HBAC rule: access_lamp_stor_01_server
  Kerberos keys available: True

[sysadmin at redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: access_lamp_stor_01_server    <------- this is the sftp server attempting to access
  Not matched rules: access_all_servers
  Not matched rules: access_il09_app_mufg_server
  Not matched rules: access_ipa_servers
  Not matched rules: access_lampuat_server
  Not matched rules: access_ssh_gate_01_server
  Not matched rules: access_uat_xfs_il10_server
  Not matched rules: access_xfs_il10_server
  Not matched rules: dsiroot_access
  Not matched rules: il10web_access_xfs_il10_server
  Not matched rules: xfsroot_access
ssh/sftp setup:

Match User xfseuftp
        # Force the connection to use the built-in SFTP support.
        ForceCommand internal-sftp -u 6
        # Chroot the connection into the specified directory.
        ChrootDirectory /export/xfseur
        # Disable authentication agent forwarding.
        AllowAgentForwarding no
        # Disable TCP connection forwarding.
        AllowTcpForwarding no
        # Disable X11 remote desktop forwarding.
        X11Forwarding no

When I attempt to change the account's password (I am sure it's the password I set), this is what happens. I've even tried deleting and re-creating the ID from scratch:

[sysadmin at redmine ~]$ ipa passwd xfseuftp
New Password: 
Enter New Password again to verify: 
--------------------------------------------
Changed password for "xfseuftp at IPAJDR.LOCAL"
--------------------------------------------

[sysadmin at redmine ~]$ ssh xfseuftp at 10.120.97.149
xfseuftp at 10.120.97.149's password: 
Permission denied, please try again.
xfseuftp at 10.120.97.149's password:


Even if I su to the user:

[root at lamp-stor-01 export]# ipa passwd xfseuftp
New Password: 
Enter New Password again to verify: 
--------------------------------------------
Changed password for "xfseuftp at IPAJDR.LOCAL"
--------------------------------------------
[root at lamp-stor-01 export]# su - xfseuftp
Last login: Fri Sep  9 11:57:24 EDT 2016 on pts/1
-bash-4.2$ passwd
Changing password for user xfseuftp.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error



Secure log entries from when I attempted to change the password:

Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138  user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep  9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
.....
Sep  9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
Sep  9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
Sep  9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
Sep  9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Sep  9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
Sep  9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Friday, September 09, 2016 9:30 AM
To: Larry Rosen <larry.rosen at JDRSolutions.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords

Larry Rosen wrote:
> How do I set the password on a chroot jailed sftp id account that is 
> not allowed a shell to not expire its password after setting it?  
> There's no way to change it to the fixed password I want.
>
> I have created a service_account password policy that has no 
> expiration (set to Max lifetime (days) = 20000 ).

More details are needed. Did you create a service account user or are you using an IPA user?

You created a new password policy, is the sftp account in that group?

Why can't you set the password to what you want?

rob
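As an added example (not code from this thread), a small Python check that scans secure-log lines like those quoted above and reports accounts whose sshd authentication ended with pam_sss return code 13 (PAM_ACCT_EXPIRED), along with the client addresses from the matching "Failed password" lines. The sample log is constructed from the entries in this message; host names, users and addresses are illustrative.

```python
import re

# Constructed sample log, modelled on the /var/log/secure entries quoted in the thread.
SAMPLE_LOG = """\
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138  user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep  9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
Sep  9 11:41:02 lamp-stor-01 sshd[26911]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep  9 11:41:03 lamp-stor-01 sshd[26911]: Failed password for xfseuftp from 10.10.90.140 port 40122 ssh2
Sep  9 11:50:40 lamp-stor-01 sshd[26950]: pam_sss(sshd:auth): received for user batchsvc: 7 (Authentication failure)
Sep  9 11:50:41 lamp-stor-01 sshd[26950]: Failed password for batchsvc from 10.10.90.138 port 40201 ssh2
"""

# Linux-PAM return codes as pam_sss reports them in "received for user X: N (...)".
PAM_AUTH_ERR = 7       # plain wrong password
PAM_ACCT_EXPIRED = 13  # account or password expired on the IPA side

LOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
RECEIVED_RE = re.compile(LOG_PREFIX + r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)$")
FAILED_RE = re.compile(LOG_PREFIX + r"Failed password for (?P<user>\S+) from (?P<rhost>\S+) port \d+")


def expired_accounts(log_text):
    """Map each user whose sshd auth ended in PAM_ACCT_EXPIRED to a summary:
    host, first timestamp, number of such pam_sss results, and the set of client
    addresses taken from the Failed password line logged by the same sshd pid."""
    hits = {}
    expired_pids = set()  # (host, pid) pairs that reported code 13
    for line in log_text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            if int(m.group("code")) != PAM_ACCT_EXPIRED:
                continue  # e.g. PAM_AUTH_ERR: a credential problem, not expiry
            entry = hits.setdefault(m.group("user"), {"host": m.group("host"), "first_seen": m.group("ts"), "count": 0, "rhosts": set()})
            entry["count"] += 1
            expired_pids.add((m.group("host"), m.group("pid")))
            continue
        f = FAILED_RE.match(line)
        if f and (f.group("host"), f.group("pid")) in expired_pids and f.group("user") in hits:
            hits[f.group("user")]["rhosts"].add(f.group("rhost"))
    return hits


if __name__ == "__main__":
    for user, info in expired_accounts(SAMPLE_LOG).items():
        print(f"{user}@{info['host']}: {info['count']} expired-account result(s) since {info['first_seen']} from {sorted(info['rhosts'])}")
```

Code 13 is the expiry result from pam_sss, distinct from the plain wrong-password result (7), so these hits are worth checking against the IPA-side password expiry before treating them as credential failures.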
