Failed to enable ssh on locked user

I am following the setup guide for Capistrano ( http://capistranorb.com/documentation/getting-started/authentication-and-authorisation/ ). However, I found that I cannot ssh into the computer with a locked user ("deploy"). I checked /var/log/auth.log and it says:

sshd[29163]: User deploy not allowed because account is locked
sshd[29163]: input_userauth_request: invalid user deploy [preauth]

      

After I unblock the user with passwd -u deploy, I can ssh into the computer.

I checked the man page for passwd and it says:

-l, --lock
       Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the
       beginning of the password).

       Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account,
       administrators should use usermod --expiredate 1 (this set the account expire date to Jan 2, 1970).

       Users with a locked password are not allowed to change their password.

      

Under "Please note that this does not disable the account. The user can still log in using a different authentication token (e.g. SSH key)." it seems like I should be able to ssh into the computer with a locked user, but that's not what I see. Does anyone know why? I am running Ubuntu 12.04.4 LTS.

+3




2 answers


In Ubuntu, your user can be locked out if they don't have a password at all. Setting one has fixed things for me a couple of times.



+3




What is written in the man page is not that you will be able to use SSH to log into a locked-out account. What the man page says is that if you have configured SSH keys to log in to an account without a password, such a login may still work when the password is locked, because the login uses the SSH key instead of the password as the authentication token, bypassing the failed password authentication step.



However, even for password-less login, it only says that it may work. The authentication process is partially controlled/managed by PAM, so if you have your SSH keys installed and you can log in as the "deploy" user without a password as long as it has a valid password, but you cannot log in as the "deploy" user when the password is locked, look at the PAM configuration.

+2
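
Added example, not part of the original question or answers: a small diagnostic that classifies a shadow(5) entry and reports how a key-based login would be treated. It assumes OpenSSH's behaviour of running its own locked-password check (the one that logs "account is locked") only when UsePAM is set to no; the function names are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original posts). Sample entries are constructed.

# pw_state SHADOW_LINE -> empty | locked | nologin | set
pw_state() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)   # field 2: password hash
    case "$hash" in
        '')   echo empty ;;
        '!'*) echo locked ;;   # passwd -l prefix; also a bare "!" (never set)
        '*')  echo nologin ;;  # no usable password, but not the lock marker
        *)    echo set ;;
    esac
}

# is_expired SHADOW_LINE -> exit 0 if field 8 (expiry, days since epoch) is past
is_expired() {
    exp=$(printf '%s\n' "$1" | cut -d: -f8)
    [ -n "$exp" ] && [ "$exp" -lt "$(( $(date +%s) / 86400 ))" ]
}

# key_login_verdict SHADOW_LINE USEPAM(yes|no)
# Assumption: sshd checks the "!" prefix itself only when UsePAM is "no".
key_login_verdict() {
    if is_expired "$1"; then echo "refused: account expired"; return; fi
    if [ "$(pw_state "$1")" = locked ]; then
        if [ "$2" = no ]; then
            echo "refused: sshd logs 'account is locked'"
        else
            echo "decided by PAM account stack"
        fi
        return
    fi
    echo "not blocked by password field"
}

# Constructed sample entries in /etc/shadow format.
LOCKED='deploy:!$6$salt$hashvalue:16000:0:99999:7:::'    # after passwd -l
NEVER_SET='deploy:!:16000:0:99999:7:::'                  # no password ever set
EXPIRED='deploy:$6$salt$hashvalue:16000:0:99999:7::1:'   # usermod --expiredate 1
NORMAL='deploy:$6$salt$hashvalue:16000:0:99999:7:::'

for e in "$LOCKED" "$NEVER_SET" "$EXPIRED" "$NORMAL"; do
    for pam in no yes; do
        printf '%-8s UsePAM=%-3s -> %s\n' "$(pw_state "$e")" "$pam" "$(key_login_verdict "$e" "$pam")"
    done
done
```

On a real host the entry comes from `getent shadow deploy` (as root) and the setting from the UsePAM line in sshd_config.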








