5

Why does the password expire?

I have been logging in with a public key (without a password) for several days. Today I get this message:

> ssh modlink_foo_q@server

You are required to change your password immediately (password expired)
Last login: Wed Nov 14 09:26:48 2018 from 10.130.4.3
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for modlink_foo_q.

This is the matching line in /etc/shadow

server:~ # grep modli /etc/shadow
modlink_foo_q:!:17757:1:90:7:::

I think no password is set. Then how can it expire?

OS: SUSE Linux Enterprise Server 12 SP3

guettli
  • You might need your password for other things than SSH login. So I think it makes sense that it requires updating. – Tommiie Nov 14 '18 at 10:10
  • @Tom please have look at the /etc/shadow entry. There is a `!`. There was no password in the past, and there should be no password in the future. – guettli Nov 14 '18 at 11:32

2 Answers

6

The value of your encrypted password (or the lack thereof) does not change the fact that a password expiry policy has been set.

See https://linux.die.net/man/3/shadow and https://linux.die.net/man/5/shadow

The current password was set on Tue Aug 14 2018
(the third field is sp_lstchg - the number of days since Jan 1, 1970 when the password was last changed: date --date '1970-01-01 +17757days')
(most likely when the account was created) and was valid for 90 days.
(field #5 sp_max - the number days after which password must be changed) I.e. the password was valid until date --date '1970-01-01 +17757days +90days' Mon Nov 12 2018.

You are currently in the 7 day grace period after the password expiry date and unless you either change the password, or change/update the policy fields (with chage), that account will be considered inactive and disabled by Mon Nov 19 2018.

chage --lastday 2018-11-14 modlink_foo_q

will update the sp_lstchg field with today's date, which will allow you to continue to use the account for another 90 days before simulating a new password reset.

HBruijn
  • **Note:** before you remove the password aging settings from that account please be aware that such a 90 day expiry is often mandated by corporate security policies (frequently even for service accounts) ... – HBruijn Nov 14 '18 at 09:40
  • Would locking the password (with `passwd -l`) resolve this conundrum? `man passwd` (on a Debian system; linux.die.net does not include this) states that a user with a locked password isn't able to change it, but I'm not clear on how that would interact with expiration policies. (A locked password still allows key-based ssh login, but makes all password-based login impossible.) – Dave Sherohman Nov 14 '18 at 09:52
  • 1
    @DaveSherohman Since a user is required to validate password changes by entering their current one they can indeed not change their own password when the account is locked but that doesn't change the password expiry policy. Also the account above is already locked (by convention locking adds an exclamation mark `!` to the beginning of an encrypted password ensure that whatever password gets entered, it can never result in a hash that aligns with the locked password. Using any string that will never match the format of a password hash will lock an account from password based authentication). – HBruijn Nov 14 '18 at 10:21
3

I updated /etc/login.defs to contain this:

PASS_MAX_DAYS    99999
PASS_MIN_DAYS    0

Now it works. The password does not expire any more.

guettli