Larry Rosen wrote:
Why does it (secure log) say:
        Sep  9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)


Administratively set passwords are treated as expired so only the end-user knows the password. http://www.freeipa.org/page/New_Passwords_Expired

The _account_ expired is a bit surprising but it may mean the same thing. You could confirm by adding --all to the user-show and seeing if there is a principal expiration date, but I'd find that to be quite unusual.


User info:

[sysadmin@redmine ~]$ ipa pwpolicy-show service_accts
   Group: service_accts
   Max lifetime (days): 20000
   Min lifetime (hours): 0
   History size: 0
   Character classes: 2
   Min length: 8
   Priority: 5
   Max failures: 0
   Failure reset interval: 0
   Lockout duration: 0

[sysadmin@redmine ~]$ date
Fri Sep  9 11:35:31 EDT 2016
[sysadmin@redmine ~]$ ipa user-show xfseuftp
   User login: xfseuftp
   First name: xfs
   Last name: eur
   Home directory: /export/xfseur
   Login shell: /bin/bash
   Email address: xfseuftp@ipajdr.local
   UID: 1333300618
   GID: 1333200036
   Account disabled: False
   Password: True
   Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
   Member of HBAC rule: access_lamp_stor_01_server
   Kerberos keys available: True

[sysadmin@redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
--------------------
Access granted: True
--------------------
   Matched rules: access_lamp_stor_01_server   <------- this is the sftp server attempting to access
   Not matched rules: access_all_servers
   Not matched rules: access_il09_app_mufg_server
   Not matched rules: access_ipa_servers
   Not matched rules: access_lampuat_server
   Not matched rules: access_ssh_gate_01_server
   Not matched rules: access_uat_xfs_il10_server
   Not matched rules: access_xfs_il10_server
   Not matched rules: dsiroot_access
   Not matched rules: il10web_access_xfs_il10_server
   Not matched rules: xfsroot_access
ssh/sftp setup:

Match User xfseuftp
         # Force the connection to use the built-in SFTP support.
         ForceCommand internal-sftp -u 6
         # Chroot the connection into the specified directory.
         ChrootDirectory /export/xfseur
         # Disable authentication agent forwarding.
         AllowAgentForwarding no
         # Disable TCP connection forwarding.
         AllowTcpForwarding no
         # Disable X11 remote desktop forwarding.
         X11Forwarding no

When I attempt to change the account's password (I am sure it's the password I set). I've even tried deleting & re-creating the ID from scratch:

[sysadmin@redmine ~]$ ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
--------------------------------------------
Changed password for "xfseuftp@IPAJDR.LOCAL"
--------------------------------------------

[sysadmin@redmine ~]$ ssh xfseuftp@10.120.97.149
xfseuftp@10.120.97.149's password:
Permission denied, please try again.
xfseuftp@10.120.97.149's password:


Even if I su to the user

[root@lamp-stor-01 export]# ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
--------------------------------------------
Changed password for "xfseuftp@IPAJDR.LOCAL"
--------------------------------------------

It depends on what ticket you have, not the user executing the command.

[root@lamp-stor-01 export]# su - xfseuftp
Last login: Fri Sep  9 11:57:24 EDT 2016 on pts/1
-bash-4.2$ passwd
Changing password for user xfseuftp.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error



secure log entries when attempting to change the password:

Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138  user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep  9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
.....
Sep  9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
Sep  9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
Sep  9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
Sep  9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Sep  9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
Sep  9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, September 09, 2016 9:30 AM
To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords

Larry Rosen wrote:
How do I set the password on a chroot jailed sftp id account that is not allowed a shell to not expire its password after setting it? There's no way to change it to the fixed password I want.

I have created a service_account password policy that has no expiration (set to Max lifetime (days) = 20000 ).

More details are needed. Did you create a service account user or are you using an IPA user?

You created a new password policy, is the sftp account in that group?

Why can't you set the password to what you want?

rob


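A small check for the diagnosis Rob gives above (read the expiry attributes with `--all` and see which one is in the past), added here as an example; it is not code from this thread or from the FreeIPA project. It assumes the raw attribute names `krbpasswordexpiration` and `krbprincipalexpiration` as printed by `ipa user-show <login> --all --raw`, and the sample outputs embedded in the block are constructed, with a made-up login and timestamps, so the script runs without an IPA server.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an IPA user looks
# "expired" because of an administratively set password or because the
# Kerberos principal itself carries an expiry date.
#
# Input on stdin : output of `ipa user-show <login> --all --raw`, where
#                  krbpasswordexpiration / krbprincipalexpiration are
#                  generalized time in UTC (YYYYmmddHHMMSSZ).
# Argument 1     : the current time in the same format,
#                  e.g. "$(date -u +%Y%m%d%H%M%SZ)".
# Prints one word : principal-expired, password-expired or ok.

ipa_expiry_status() {
    now=${1%Z}
    pwexp=""
    prexp=""
    while IFS= read -r line; do
        case "$line" in
            *krbpasswordexpiration:*)  pwexp=${line#*: } ;;
            *krbprincipalexpiration:*) prexp=${line#*: } ;;
        esac
    done
    # Fixed-width, most-significant-first timestamps compare as integers once
    # the trailing Z is dropped; 14 digits fit in the shell's arithmetic.
    if [ -n "$prexp" ] && [ "${prexp%Z}" -lt "$now" ]; then
        # A real account expiry: what sshd's "User account has expired" literally says.
        echo principal-expired
    elif [ -n "$pwexp" ] && [ "${pwexp%Z}" -lt "$now" ]; then
        # Admin-set password: IPA records the expiry as the moment it was set,
        # so the account must change the password once before it is usable.
        echo password-expired
    else
        echo ok
    fi
}

# Constructed sample: an admin set the password at 15:30Z (11:30 EDT), which
# IPA stores as the password's expiry time. Login and DN are made up.
sample_user_show() {
    cat <<'EOF'
  dn: uid=svcuser,cn=users,cn=accounts,dc=example,dc=test
  uid: svcuser
  krbpasswordexpiration: 20160909153000Z
  nsaccountlock: FALSE
EOF
}

# Constructed sample: a principal whose expiry date has already passed.
sample_user_show_expired_principal() {
    cat <<'EOF'
  uid: svcuser
  krbprincipalexpiration: 20160901000000Z
  krbpasswordexpiration: 20180101000000Z
EOF
}

# Usage; the "now" value is constructed to fall a few minutes after the
# sample password was set, matching the ssh attempt in the thread.
sample_user_show | ipa_expiry_status 20160909153531Z
```

Times are UTC generalized time, so the 11:35 EDT in the session above corresponds to 15:35Z. A `password-expired` result alongside a `Max lifetime (days): 20000` policy is exactly the administratively-set case from the linked page: the policy lifetime is applied when the account changes its own password, not when an admin sets one, so the fix is to have the account change the password once (a `kinit xfseuftp` with the admin-set password prompts for the new one) rather than to loosen the policy or recreate the user.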
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project