[Freeipa-users] automated ftp service only accounts and passwords
Rob Crittenden
rcritten at redhat.com
Fri Sep 9 17:55:59 UTC 2016
Larry Rosen wrote:
> Why does it (secure log) say:
> Sep 9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Administratively set passwords are treated as expired so only the
end-user knows the password.
http://www.freeipa.org/page/New_Passwords_Expired
The _account_ expired is a bit surprising but it may mean the same
thing. You could confirm by adding --all to the user-show and seeing if
there is a principal expiration date, but I'd find that to be quite unusual.
>
> User info:
>
> [sysadmin at redmine ~]$ ipa pwpolicy-show service_accts
> Group: service_accts
> Max lifetime (days): 20000
> Min lifetime (hours): 0
> History size: 0
> Character classes: 2
> Min length: 8
> Priority: 5
> Max failures: 0
> Failure reset interval: 0
> Lockout duration: 0
>
> [sysadmin at redmine ~]$ date
> Fri Sep 9 11:35:31 EDT 2016
> [sysadmin at redmine ~]$ ipa user-show xfseuftp
> User login: xfseuftp
> First name: xfs
> Last name: eur
> Home directory: /export/xfseur
> Login shell: /bin/bash
> Email address: xfseuftp at ipajdr.local
> UID: 1333300618
> GID: 1333200036
> Account disabled: False
> Password: True
> Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
> Member of HBAC rule: access_lamp_stor_01_server
> Kerberos keys available: True
>
> [sysadmin at redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: access_lamp_stor_01_server <------- this is the sftp server attempting to access
> Not matched rules: access_all_servers
> Not matched rules: access_il09_app_mufg_server
> Not matched rules: access_ipa_servers
> Not matched rules: access_lampuat_server
> Not matched rules: access_ssh_gate_01_server
> Not matched rules: access_uat_xfs_il10_server
> Not matched rules: access_xfs_il10_server
> Not matched rules: dsiroot_access
> Not matched rules: il10web_access_xfs_il10_server
> Not matched rules: xfsroot_access
> ssh/sftp setup:
>
> Match User xfseuftp
> # Force the connection to use the built-in SFTP support.
> ForceCommand internal-sftp -u 6
> # Chroot the connection into the specified directory.
> ChrootDirectory /export/xfseur
> # Disable authentication agent forwarding.
> AllowAgentForwarding no
> # Disable TCP connection forwarding.
> AllowTcpForwarding no
> # Disable X11 remote desktop forwarding.
> X11Forwarding no
>
> When I attempt to change the account's password (I am sure it's the password I set). I've even tried deleting & re-creating the ID from scratch:
>
> [sysadmin at redmine ~]$ ipa passwd xfseuftp
> New Password:
> Enter New Password again to verify:
> --------------------------------------------
> Changed password for "xfseuftp at IPAJDR.LOCAL"
> --------------------------------------------
>
> [sysadmin at redmine ~]$ ssh xfseuftp at 10.120.97.149
> xfseuftp at 10.120.97.149's password:
> Permission denied, please try again.
> xfseuftp at 10.120.97.149's password:
>
>
> Even if I su to the user
>
> [root at lamp-stor-01 export]# ipa passwd xfseuftp
> New Password:
> Enter New Password again to verify:
> --------------------------------------------
> Changed password for "xfseuftp at IPAJDR.LOCAL"
> --------------------------------------------
It depends on what ticket you have, not the user executing the command.
> [root at lamp-stor-01 export]# su - xfseuftp
> Last login: Fri Sep 9 11:57:24 EDT 2016 on pts/1
> -bash-4.2$ passwd
> Changing password for user xfseuftp.
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
>
>
> secure log entries when attempted to change password:
>
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
> Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
> .....
> Sep 9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
> Sep 9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
> Sep 9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
> Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
> Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
> Sep 9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, September 09, 2016 9:30 AM
> To: Larry Rosen <larry.rosen at JDRSolutions.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords
>
> Larry Rosen wrote:
>> How do I set the password on a chroot jailed sftp id account that is
>> not allowed a shell to not expire its password after setting it?
>> There's no way to change it to the fixed password I want.
>>
>> I have created a service_account password policy that has no
>> expiration (set to Max lifetime (days) = 20000 ).
>
> More details are needed. Did you create a service account user or are you using an IPA user?
>
> You created a new password policy, is the sftp account in that group?
>
> Why can't you set the password to what you want?
>
> rob
>
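The secure-log lines quoted in this thread carry the numeric pam_sss return code, and the diagnosis above turns on telling code 13 (account expired) apart from an ordinary wrong password. The following script is an added example, not part of the original thread: it pulls the pam_sss code per user out of a constructed sample log (the lines above plus one made-up bad-password failure for contrast), names the code using the Linux-PAM constants, and lists the users whose failures are expiry-related, which are the ones to follow up with `ipa user-show --all` as suggested earlier in the reply.

```shell
#!/bin/sh
# Constructed sample: the pam_sss lines from the thread, plus one
# invented wrong-password failure (code 7) for a user "alice".
SAMPLE_LOG='Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
Sep 9 12:10:02 lamp-stor-01 sshd[27001]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)'

# Map a Linux-PAM return code to its symbolic name (values from Linux-PAM's
# _pam_types.h); anything not listed is reported as UNKNOWN.
pam_name() {
  case "$1" in
    4)  echo PAM_SYSTEM_ERR ;;
    6)  echo PAM_PERM_DENIED ;;
    7)  echo PAM_AUTH_ERR ;;
    10) echo PAM_USER_UNKNOWN ;;
    12) echo PAM_NEW_AUTHTOK_REQD ;;   # password expired, change required
    13) echo PAM_ACCT_EXPIRED ;;       # what the thread's sshd line reports
    *)  echo UNKNOWN ;;
  esac
}

# Read a secure log on stdin and print "user code name" for every pam_sss
# line of the form "... for user NAME: CODE (text)". Informational
# "User info message" lines carry no code and are skipped.
pam_sss_failures() {
  sed -n 's/.*pam_sss([^)]*): .*for user \([^:]*\): \([0-9]*\) (.*/\1 \2/p' |
  while read -r user code; do
    printf '%s %s %s\n' "$user" "$code" "$(pam_name "$code")"
  done
}

# Users whose failures are expiry-related (12 or 13) rather than a bad
# password; these are the accounts to inspect with ipa user-show --all.
expired_users() {
  pam_sss_failures | awk '$2 == 12 || $2 == 13 { print $1 }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | pam_sss_failures
printf 'expiry-related: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | expired_users)"
```

Feed a real log with `pam_sss_failures < /var/log/secure` to get the same per-user table for a live host.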