camptocamp/puppet-accounts

User username not allowed because account is locked

ngoduykhanh opened this issue · 5 comments

I am trying this module on my Ubuntu Server 14.04. The user can be created, but I can't ssh (authorized_key is added).

The auth.log shows:

Apr  6 11:00:21 my-server sshd[23716]: User my-username not allowed because account is locked
Apr  6 11:00:21 my-server sshd[23716]: input_userauth_request: invalid user my-username [preauth]
Apr  6 11:00:30 my-server sshd[23716]: Connection closed by xxx.xxx.xxx.xxx [preauth]

In the /etc/shadow file, there is a ! which marks my account as locked.

my-username:!:16897:0:99999:7:::

Is there any idea how to enable the account without setting a password?

The exclamation point won't actually lock the account - just the password. So there is no password set for the account. The ssh keys should still work (I just double-checked).

If you pass the option "-v -v -v" to your ssh client you will get more details when connecting that may be helpful.

I've just checked my sshd_config. It had UsePAM no, which refused my ssh connection. Enabling PAM helped to resolve this issue.

Basically, if we use UsePAM no, with this shadow file entry:

  • my-username:!:16897:0:99999:7::: NOT able to log in.
  • my-username:*:16897:0:99999:7::: able to log in.

My test is on Ubuntu 14.04.

I was facing the same issue. I am using Alpine and OpenSSH 7.5, so "UsePAM yes" did not work for me. So I had to change that line using sed (the expression is quoted so the ! is not touched by shell history expansion):

sed -i 's/my-username:!/my-username:*/g' /etc/shadow

kosli commented

Just ran into a similar issue and found this thread. You could use the openssh-server-pam package instead.

To allow ssh with a user that you have created programmatically in a Debian based system:

#!/bin/sh

useradd -m -u 1000 -s /bin/bash developer
usermod -aG sudo developer

# @link https://unix.stackexchange.com/a/193131/311426
# On Linux, you can disable password-based access to an account while allowing
# SSH access (with some other authentication method, typically a key pair) with:
usermod -p '*' developer

Now you are able to log in via ssh as the user developer, but you are not able to use sudo, because the user has an invalid password, the *, and cannot set a new password for itself: when they try to do it, the passwd command asks for the current password, and if you input * it will not work, because it will be hashed and compared with the literal * in /etc/shadow. To set a password for the user developer you need to ssh as root and change it in the root shell:

# passwd developer

Don't resort to setting UsePAM to yes, because that weakens the security of your server. Read this article for more details:

Both of these authentication types are disabled by hardening, so UsePAM should remain off by default.

However, if you enable this setting, there is another implication that follows: By default the system will not allow entry to any “locked” user. Once UsePAM is enabled, even locked users can enter.
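An added example, not from this thread and not code from the puppet-accounts project, that turns two observations above into a small offline audit: the `!` versus `*` shadow prefixes reported under UsePAM no, and the `usermod -p '*'` procedure in the last comment. It classifies shadow entries, reads UsePAM from an sshd_config fragment, and reports which accounts sshd would reject as locked under that setting. The shadow lines and config fragments are constructed sample data, and the function names (classify_hash, use_pam_enabled, ssh_login_allowed, audit_shadow) are my own, not part of any tool.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style entries against the sshd UsePAM setting.
# Not from the puppet-accounts project; sample data below is constructed.

# Constructed sample in /etc/shadow format:
# login:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:16897:0:99999:7:::
my-username:!:16897:0:99999:7:::
developer:*:16897:0:99999:7:::
svc:!$6$saltsalt$fakehash:16897:0:99999:7:::
nobody::16897:0:99999:7:::'

# Constructed sshd_config fragments: a hardened one and one with PAM enabled.
SAMPLE_SSHD_CONFIG_HARDENED='# constructed sshd_config fragment
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no'
SAMPLE_SSHD_CONFIG_PAM='PasswordAuthentication no
UsePAM yes'

# classify_hash HASH -> locked | no-password | hash | empty
# "!" alone, or a hash prefixed with "!", is what passwd -l / usermod -L write:
# the password is locked. "*" is an invalid hash that can never match, so the
# account has no usable password but key-based ssh still works (usermod -p '*').
classify_hash() {
    case "$1" in
        '')   echo empty ;;
        '!'*) echo locked ;;
        '*')  echo no-password ;;
        *)    echo hash ;;
    esac
}

# use_pam_enabled CONFIG_TEXT -> yes | no
# First matching UsePAM directive wins (sshd semantics); commented lines are
# skipped because their first field starts with "#". Absent means "no".
use_pam_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "usepam" && !seen { v = tolower($2); seen = 1 }
        END { if (v == "yes") print "yes"; else print "no" }'
}

# ssh_login_allowed HASH USEPAM -> locked | allowed
# Mirrors the behaviour reported in this thread: with UsePAM no, sshd refuses
# any account whose shadow field starts with "!" ("account is locked"); with
# UsePAM yes that check is skipped and PAM decides. "*" is never treated as locked.
ssh_login_allowed() {
    if [ "$2" = no ] && [ "$(classify_hash "$1")" = locked ]; then
        echo locked
    else
        echo allowed
    fi
}

# audit_shadow SHADOW_TEXT USEPAM -> one line per account: login class status
audit_shadow() {
    printf '%s\n' "$1" | while IFS=: read -r login hash rest; do
        [ -n "$login" ] || continue
        printf '%s %s %s\n' "$login" "$(classify_hash "$hash")" \
            "$(ssh_login_allowed "$hash" "$2")"
    done
}

# Stand-alone run: report for the hardened config (UsePAM no).
audit_shadow "$SAMPLE_SHADOW" "$(use_pam_enabled "$SAMPLE_SSHD_CONFIG_HARDENED")"
```

Running it lists my-username and svc as locked (both carry the `!` prefix), while developer with `*` is reported as allowed, which is exactly the distinction the thread draws. Re-running the audit with the PAM-enabled fragment shows every account as allowed, which is the implication the quoted article warns about.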