User username not allowed because account is locked
ngoduykhanh opened this issue · 5 comments
I am trying this module on my Ubuntu Server 14.04. The user can be created, but I can't ssh (authorized_key is added).
The auth.log shows:
Apr 6 11:00:21 my-server sshd[23716]: User my-username not allowed because account is locked
Apr 6 11:00:21 my-server sshd[23716]: input_userauth_request: invalid user my-username [preauth]
Apr 6 11:00:30 my-server sshd[23716]: Connection closed by xxx.xxx.xxx.xxx [preauth]
In the /etc/shadow file, there is a ! which marks my account as locked:
my-username:!:16897:0:99999:7:::
Is there any idea how to enable the account without setting a password?
The exclamation point won't actually lock the account - just the password. So there is no password set for the account. The ssh keys should still work (I just double checked).
If you pass the option "-v -v -v" to your ssh client you will get more details when connecting that may be helpful.
I've just checked my sshd_config; it had UsePAM no, which refused my ssh connection. Enabling PAM helped to resolve this issue.
Basically, if we use UsePAM no and the shadow file has:
my-username:!:16897:0:99999:7:::
NOT able to login.
my-username:*:16897:0:99999:7:::
able to login.
My test is on Ubuntu 14.04.
I was facing the same issue. I am using Alpine and OpenSSH 7.5, so "UsePAM yes" did not work for me. So I had to change that line using sed: sed -i s/my-username:!/"my-username:*"/g /etc/shadow
Just ran into a similar issue and found this thread. You could use the openssh-server-pam package instead.
To allow ssh with a user that you have created programmatically in a Debian based system:
#!/bin/sh
useradd -m -u 1000 -s /bin/bash developer
usermod -aG sudo developer
# @link https://unix.stackexchange.com/a/193131/311426
# On Linux, you can disable password-based access to an account while allowing
# SSH access (with some other authentication method, typically a key pair) with:
usermod -p '*' developer
Now you are able to login via ssh with the user developer, but you are not able to use sudo, because the user has an invalid password, the *, and cannot set a new password for itself: when he tries to do it, the passwd command will ask for the current password, and if you input * it will not work, because it will be hashed and compared with the literal * in /etc/shadow. To set a password for the user developer you need to ssh as root and change it in the root shell:
# passwd developer
Don't resort to setting UsePAM to yes, because that weakens the security of your server. Read this article for more details:
Both of these authentication types are disabled by hardening, so UsePAM should remain off by default.
However, if you enable this setting, there is another implication that follows: By default the system will not allow entry to any “locked” user. Once UsePAM is enabled, even locked users can enter.
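The behaviour reported earlier in the thread (with UsePAM no, a bare ! in the shadow password field is refused while * is accepted) and the usermod -p '*' procedure from the later comment, as an added example that is not part of this issue thread or of any project's code: a POSIX sh script that classifies shadow password fields the way sshd's own pre-auth locked-account check treats them, mimics the allow/deny decision for both UsePAM settings as the thread describes them, and converts a bare ! lock to * for one user on a copy of the shadow file rather than on /etc/shadow itself. The shadow lines are constructed sample data and the function names are mine; the usernames are assumed to contain no regex metacharacters.

```shell
#!/bin/sh
# Added example, not from the issue thread. Classify /etc/shadow password
# fields and show why "!" and "*" behave differently for key-based ssh
# logins when sshd does its own account check (UsePAM no).

# Print the state of a shadow password field (2nd field of a shadow line):
#   locked     - starts with "!" ("!" or "!!" from useradd without a
#                password, or "!$hash" from usermod -L / passwd -l);
#                sshd with UsePAM no refuses the user outright
#   nopassword - "*": no valid hash, so password login is impossible, but
#                the account is not "locked" in sshd's sense; keys work
#   empty      - no password at all (password login without a password)
#   hash       - a hash is present, password login is possible
shadow_state() {
    case "$1" in
        '!'*) echo locked ;;
        '*')  echo nopassword ;;
        '')   echo empty ;;
        *)    echo hash ;;
    esac
}

# Mimic sshd's pre-auth decision for a user, before any key is checked.
# usage: sshd_allows_user <UsePAM yes|no> <shadow password field>
# With UsePAM yes sshd leaves the account check to PAM, which (per the
# thread and the quoted article) lets a "!"-locked user through.
sshd_allows_user() {
    if [ "$1" = "yes" ]; then
        echo yes
    elif [ "$(shadow_state "$2")" = "locked" ]; then
        echo no    # logged as "User ... not allowed because account is locked"
    else
        echo yes
    fi
}

# Turn a bare "!" (locked, no password) into "*" for exactly one user in a
# shadow-format file. The pattern is anchored on the username at line start
# and on the whole ":!:" field, so "!$hash" entries (a real password that was
# locked with usermod -L) and other users are left untouched. The result is
# written back with cat so the file keeps its inode, owner and mode.
# usage: unlock_for_keys <user> <shadow file>
unlock_for_keys() {
    user=$1
    file=$2
    tmp=$(mktemp) || return 1
    sed "s/^$user"':!:/'"$user"':*:/' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo with the two fields from the thread (constructed sample data):
for field in '!' '*'; do
    printf '%-2s state=%-10s UsePAM=no:%-3s UsePAM=yes:%s\n' \
        "$field" "$(shadow_state "$field")" \
        "$(sshd_allows_user no "$field")" "$(sshd_allows_user yes "$field")"
done
```

On a real system prefer usermod -p '*' user (or passwd -u after setting a password) over editing the shadow file; the sed variant here is only to show what the one-liner earlier in the thread should match. Note that an unanchored s/my-username:!/.../g would also rewrite an entry like my-username:!$6$...; that account was locked with a password in place, and the right way back is usermod -U, not turning its hash into an unusable one.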