Configuration conflict when using both chef-ssh-hardening and chef-os-hardening #264

Closed
eric-chennells opened this issue Jun 10, 2020 · 2 comments

Comments

@eric-chennells

Describe the bug
chef-ssh-hardening disables SSH password authentication, but chef-os-hardening sets the password expiry to 60 days.

If a system has both of these applied, users will be using SSH key-based authentication and may not have a local password set. In this case, after 60 days they are unable to log in because they are prompted to change their password, which they don't have.

Expected behavior
If no password has been set it shouldn't expire.

OS / Environment

Ubuntu 18.04 LTS

@eric-chennells
Author

I did some further research and realized that if an account is created as a "system account" it won't have the password expiry set. It will, however, have a UID between 100 and 1000. I'm not sure what security consequences that might have.

@eric-chennells
Author

It seems like disabling the max age for the password (by setting the value to -1) is the solution, as outlined here: #58
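
An audit for the conflict described in this issue, added here as an example (it is not part of the thread or of either cookbook): it reads `/etc/shadow`-format lines and lists accounts that have no usable local password but still carry a password maximum age. The function name `at_risk_accounts`, the sample entries, and the day numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: find key-only accounts that password aging will lock out.

# Constructed sample in /etc/shadow format:
# name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:*:18400:0:99999:7:::
deploy:!:18400:7:60:7:::
alice:$6$constructedsalt$constructedhash:18400:7:60:7:::
bob:!:18400:7::7:::
carol:*:18423:7:60:7:::
svc:!:18400:7:-1:7:::'

# at_risk_accounts TODAY_IN_DAYS_SINCE_EPOCH
# Reads shadow-format lines on stdin and prints "name days_left" per hit.
# days_left <= 0 means the forced password change is already in effect.
at_risk_accounts() {
    awk -F: -v today="$1" '
        # A password field starting with ! or * can never match a password,
        # so the user has nothing to type at the "change password" prompt.
        $2 !~ /^[!*]/ { next }
        # Empty last-change field: aging is not applied to this account.
        $3 !~ /^[0-9]+$/ { next }
        # Empty or -1 max age means no expiry; 99999 is the stock "never".
        $5 !~ /^[0-9]+$/ || $5 + 0 >= 99999 { next }
        { print $1, ($3 + $5) - today }
    '
}

# Audit the constructed sample as of day 18470 (a constructed date).
printf '%s\n' "$SAMPLE_SHADOW" | at_risk_accounts 18470
```

On a live host, feed it the real file as root with today's day number, for example `at_risk_accounts "$(( $(date +%s) / 86400 ))" < /etc/shadow`.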
