SSH – How to Unlock Account for Public Key Authorization but Not Password Authorization

passwordssh

The ssh won't let me login, because account is locked. I want to unlock the user on my server for public key authorization over ssh, but do not enable password-ed login.

I've tried:

# passwd -u username
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.

Auth log entries:

Mar 28 00:00:00 vm11111 sshd[11111]: User username not allowed because account is locked
Mar 28 00:00:00 vm11111 sshd[11111]: input_userauth_request: invalid user username [preauth]

Best Answer

Unlock the account and give the user a complex password as @Skaperen suggests.

Edit /etc/ssh/sshd_config and ensure you have:

PasswordAuthentication no

Check that the line isn't commented (# at the start) and save the file. Finally, restart the sshd service.

Before you do this, ensure that your public key authentication is working first.

If you need to do this for only one (or a small number) of users, leave PasswordAuthentication enabled and instead use Match User:

Match User miro, alice, bob
    PasswordAuthentication no

Place at the bottom of the file as it is valid until the next Match command or EOF.

You can also use Match Group <group name> or a negation Match User !bloggs

As you mention in the comments, you can also reverse it so that Password Authentication is disabled in the main part of the config and use Match statements to enable it for a few users:

PasswordAuthentication no
.
.
.
Match <lame user>
    PasswordAuthentication yes

Related Solutions

Ssh – passwordless ssh for another username

You just have to supply the other system's username in the svn command:

$ svn co svn+ssh://otheruser@othersystem/path/to/repo

To answer your question's title, too:

$ ssh otheruser@othersystem

This causes sshd on the remote machine to look in ~otheruser/.ssh/authorized_keys for the public key corresponding to the private key on the machine you're typing the command on.

Centos – Two ways to lock a password but only one to unlock

It doesn't matter. The behavior you're seeing is implementation specific. That's why usermod does one thing and passwd does something else. They're different implementations. See what happens on Solaris, AIX, HP-UX, True64, Xenix...

The password field is a crypted or hashed string. When the user supplies a password it is crypted or hashed according to the algorithm specified in the password field. The authentication is only successful if both the supplied and stored crypted/hashed forms match.

A single ! or a double !! can never match any crypted password. In other words there is no input that will ever crypt to the result value ! or !!. Any string that could never be the hash result will "lock" the account. It may as well be foo or Mr. Spock.

Also note this comment under the --lock flag in passwd(1) on Linux:

Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

Best Answer

Related Solutions

Ssh – passwordless ssh for another username

Centos – Two ways to lock a password but only one to unlock

Related Question