So if I'm using SSH with public/private keys to connect to a Unix box, and the password for my user account on that box expires, will I still be able to connect?
3 Answers
Yes, you will still be able to connect.
Yes, you can "connect", but you will be required to change your password, at least on Ubuntu distributions. Some servers will behave differently.
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testsftpuser/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 656 bytes for a total of 1799
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
No access will be granted until your password is changed:
You are required to change your password immediately (password aged)
Linux devftp01 2.6.66-38-server #43-Ubuntu SMP Thu Sep 16 16:05:42 UTC 2010 x86_64 GNU/Linux
Ubuntu 12.04.4 LTS
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for testsftpuser.
(current) UNIX password:
- 121
When the password is locked or expired, root puts a ! sign in front of the password hash, and when the user tries to log in, the hash of the password they provide does not match the stored one, because of the ! in front of it.
When unlocking, root deletes the ! sign in front of the password, so the password entries match and the user is able to log in.
Now consider your situation.
- The user is locked or expired.
- The user tries to log in at a terminal and is blocked because the password provided does not match the password database.
- When he tries to log in with SSH keys, it logs him in.
<snip>
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: atolani@atolani.csb
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 528 bytes for a total of 1637
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/atolani/.ssh/identity
debug3: no such identity: /home/atolani/.ssh/identity
debug1: Trying private key: /home/atolani/.ssh/id_rsa
debug3: no such identity: /home/atolani/.ssh/id_rsa
debug1: Trying private key: /home/atolani/.ssh/id_dsa
debug3: no such identity: /home/atolani/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
</snip>
Above is the verbose output of an ssh login.
From this we can see that an ssh login first tries the identity private keys and moves on to interactive password authentication when those are unavailable. This shows that when logging in with SSH keys the password is not checked, so it cannot be determined whether the password is locked or not.
So yes, if your password is expired or locked, you will be able to log in if SSH keys are configured.
- 224
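The two answers above describe three different account states that are easy to confuse: a locked hash (passwd -l / usermod -L puts a ! in front of the hash), an expired password (chage -d 0 or the age exceeding the max field), and an expired account (usermod -e / chage -E). The script below is an added example, not code from the question or the answers; it classifies constructed /etc/shadow lines (placeholder hashes, with "today" given as days since the epoch, the unit /etc/shadow uses) the way an OpenSSH server with UsePAM yes and pam_unix would treat them. The aging arithmetic is an approximation of pam_unix's account check, not a copy of it, and shadow_state, pubkey_outcome and password_outcome are names chosen here. The practical point it demonstrates is the one passwd(1) documents: locking only defeats password authentication, so a key login still gets a shell, an expired password gets the forced change shown in the second answer, and only an account expiry date denies the login outright. To actually disable an account that has SSH keys, set the expiry date (usermod --expiredate 1) rather than locking the password.

```shell
#!/bin/sh
# Added example: classify an /etc/shadow entry the way sshd + pam_unix treat it.
# The aging rules approximate pam_unix's account check; they are not copied from it.
# Sample entries at the bottom are constructed and the hashes are placeholders.

# Print the state of one shadow line: "ok", "locked", "must-change",
# "locked must-change" or "account-expired". $2 is "today" in days since the epoch.
shadow_state() {
    IFS=: read -r name hash lastchg min max warn inact expire flag <<EOF
$1
EOF
    today=$2
    # getspnam() reports empty numeric fields as -1; mirror that here.
    [ -z "$lastchg" ] && lastchg=-1
    [ -z "$max" ]     && max=-1
    [ -z "$inact" ]   && inact=-1
    [ -z "$expire" ]  && expire=-1

    # Account expiry date (field 8, usermod -e / chage -E): denies every auth method.
    if [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired
        return
    fi

    state=
    # A "!" prefix (passwd -l / usermod -L) or "*" means no usable password hash.
    # That defeats *password* authentication only; the account check does not look at it.
    case $hash in
        '!'*|'*'*) state=locked ;;
    esac

    # Password aging (fields 3, 5, 7): lastchg 0 means "change at next login";
    # age beyond max forces a change; age beyond max+inactive expires the account.
    if [ "$lastchg" -eq 0 ]; then
        state="${state:+$state }must-change"
    elif [ "$max" -ne -1 ] && [ "$lastchg" -gt 0 ]; then
        age=$(( today - lastchg ))
        if [ "$age" -gt "$max" ]; then
            if [ "$inact" -ne -1 ] && [ "$age" -gt $(( max + inact )) ]; then
                echo account-expired
                return
            fi
            state="${state:+$state }must-change"
        fi
    fi
    echo "${state:-ok}"
}

# Outcome of a public-key login with UsePAM yes: the key is accepted, then the PAM
# account stack decides between a shell, a forced password change, or denial.
pubkey_outcome() {
    case $(shadow_state "$1" "$2") in
        account-expired)  echo denied ;;
        *must-change*)    echo forced-password-change ;;
        *)                echo shell ;;   # "locked" on its own still gets a shell
    esac
}

# Outcome of a password login: a locked hash never matches, so it is denied first.
password_outcome() {
    case $(shadow_state "$1" "$2") in
        account-expired)  echo denied ;;
        *locked*)         echo denied ;;
        *must-change*)    echo forced-password-change ;;
        *)                echo shell ;;
    esac
}

# Days since the epoch for a real check against /etc/shadow (date +%s is GNU and BSD).
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample entries, evaluated at day 19723 (2024-01-01). Run: sh script.sh demo
if [ "${1:-}" = demo ]; then
    for e in \
        'alice:$6$salt$hash:19600:0:99999:7:::'  \
        'bob:!$6$salt$hash:19600:0:99999:7:::'   \
        'carol:$6$salt$hash:0:0:99999:7:::'      \
        'dave:$6$salt$hash:19000:0:90:7:::'      \
        'erin:$6$salt$hash:19000:0:90:7:30::'    \
        'frank:$6$salt$hash:19600:0:99999:7::1:'; do
        printf '%-8s state=%-22s pubkey=%-22s password=%s\n' "${e%%:*}" \
            "$(shadow_state "$e" 19723)" "$(pubkey_outcome "$e" 19723)" \
            "$(password_outcome "$e" 19723)"
    done
fi
```

On a real host, feed it a line from getent shadow with today_days as the second argument; bob is the passwd -l case from the third answer (key login still reaches a shell), carol and dave are the forced-change session from the second answer, and frank is the usermod --expiredate 1 state that actually shuts the account.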