Ssh – Force pubkey-auth user to set password at first login

key-authenticationsshusers

When I create a new user account I ask users to send me a public key, and want to force users to set the password the first time they log in with keypair authentication. If I create an account with an impossible/disabled and expired password, but put a pubkey in their .ssh/authorized_keys file, the user is required to change his password at first login, but cannot enter his current one!

# adduser --disabled-password foo
…
# chage -d0 foo

What is a more appropriate way to go about this?

Best Answer

You could

Make sure nullok or nullok_secure is not in use in arguments of pam_unix for auth in the pam configuration for any service.
passwd -d foo
chage -d0 foo

That seems to do the trick here (debian wheezy).

Related Solutions

Ssh – Disabling ssh password authentication does not work on the debian VPS

You only disabled ChallengeResponseAuthentication. Lines starting with # are comments and won't interpreted as configuration, they are for humans to read.

To disable all possibilities to login with a password you have to set

PasswordAuthentication no

AND

ChallengeResponseAuthentication no

There is a possible path over pam_unix to login with a password. This will be disabled with the later.

Ssh – Can SSH public key authentication use pam_group

Probably not.

The man page for pam_group says:

Only the auth module type is provided.

And since SSH doesn't use PAM to authenticate when it uses public keys, the auth modules are not used.

As to why pam_group only works as an auth module and not as a session module, I can't say.

Best Answer

Related Solutions

Ssh – Disabling ssh password authentication does not work on the debian VPS

Ssh – Can SSH public key authentication use pam_group

Related Question