#8154 [RFE] locking user passwords
Closed: worksforme 3 years ago by rcritten. Opened 4 years ago by yrro.

Request for enhancement

As an admin, I want to be able to create user accounts without a valid password, so that the account is only usable with SSH public key authentication.

Issue

At $dayjob, we have a backup system that wants to SSH into our Linux machines to configure its agent.

I want to protect our infrastructure against the possibility of a Linux machine being compromised. If this were to happen, then an attacker would be able to wait for the backup system to SSH into the machine, and then capture its password and use that to access other machines.

Using local accounts, it is possible to 'lock' a user's password with the passwd -l command. This does not disable the account, but it does set the password to something that can no longer be used for password authentication.

Current workaround in FreeIPA is to set the user's password to a long, random string and then forget it. But it would be nice to have a more explicit way to accomplish this.

Alternatively this can be accomplished in sshd_config via the combination of Match and AuthenticationMethods directives, but I'm looking for the lazy way out rather than having to update sshd_config on all servers... :)
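The sshd_config alternative mentioned above, written out as an added example (it is not part of the ticket or of FreeIPA). It assumes the backup agent logs in as a user named `backupagent`, which is a hypothetical name chosen for illustration:

```text
# Constructed example, not from the ticket. Put this at the end of
# /etc/ssh/sshd_config (or in a drop-in under /etc/ssh/sshd_config.d/
# on distributions that ship that directory), then check it with `sshd -t`.
#
# Restricts the hypothetical "backupagent" account to public-key
# authentication regardless of what password FreeIPA holds for it.
# AuthenticationMethods alone is sufficient; the two explicit "no" lines
# make the intent obvious to the next person reading the file.
Match User backupagent
    AuthenticationMethods publickey
    PasswordAuthentication no
    KbdInteractiveAuthentication no
```

On hosts joined to FreeIPA, password logins over SSH normally go through PAM via keyboard-interactive rather than the "password" method, so turning off only PasswordAuthentication would not close the door; that is why AuthenticationMethods publickey carries the weight here. On OpenSSH releases older than 8.7 the last option is spelled ChallengeResponseAuthentication instead.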


Technically, this can be done with ipa-getkeytab already:

# ipa-getkeytab -Y EXTERNAL -H `cat /etc/ipa/default.conf |grep ldap_uri|cut -d= -f2` -k some.keytab -p foo
Keytab successfully retrieved and stored in: some.keytab
# rm some.keytab

I'm using SASL EXTERNAL authentication on an IPA master as root to autobind to LDAP as cn=Directory Manager. It sets the password of user foo to a random value.

Alternatively, kadmin.local can purge keys from a principal.

Actually, the ipa-getkeytab path already works fine, even with -k /dev/null. I was fooled by the output message "Failed to add key to the keytab", but it happened after the key had already been set to the random value on the server side. Since we don't care about storing the keys, the method works. If you want to catch other errors, simply filter out error code 11, which corresponds to the inability to add a key to the keytab.
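The workaround from the two comments above, wrapped in a script, as an added example that is not part of the ticket or of FreeIPA. It reads ldap_uri from /etc/ipa/default.conf the way the one-liner does, points the keytab at /dev/null, and treats exit status 11 (the "could not add key to the keytab" case described above) as success, since the server has already replaced the key by then. The IPA_GETKEYTAB and IPA_CONF variables are assumptions added so the command and config path can be overridden for testing; the script is meant to run as root on an IPA master, where SASL EXTERNAL over the ldapi socket binds as cn=Directory Manager.

```shell
#!/bin/sh
# Constructed example, not FreeIPA's own tooling.
# Lock a FreeIPA user's password by giving the principal a random key via
# ipa-getkeytab and discarding the keytab. Afterwards only SSH public-key
# authentication (or another non-password method) works for that account.

# Assumed override points (not part of FreeIPA): command and config path.
IPA_GETKEYTAB="${IPA_GETKEYTAB:-ipa-getkeytab}"
IPA_CONF="${IPA_CONF:-/etc/ipa/default.conf}"

# Read the ldap_uri value from default.conf, tolerating whitespace around "=".
ipa_ldap_uri() {
    sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Map ipa-getkeytab's exit status to success (0) or failure (1).
# Exit 11 means the key was set server-side but could not be written to the
# keytab, which is exactly what happens with -k /dev/null, so it is success.
getkeytab_ok() {
    case "$1" in
        0|11) return 0 ;;
        *)    return 1 ;;
    esac
}

# Lock one user. Prints a one-line result; returns 0 on success, 1 otherwise.
lock_ipa_password() {
    user="$1"
    uri="$(ipa_ldap_uri "$IPA_CONF")"
    if [ -z "$uri" ]; then
        echo "no ldap_uri found in $IPA_CONF" >&2
        return 1
    fi
    rc=0
    "$IPA_GETKEYTAB" -Y EXTERNAL -H "$uri" -k /dev/null -p "$user" >/dev/null 2>&1 || rc=$?
    if getkeytab_ok "$rc"; then
        echo "locked password for $user (ipa-getkeytab exit $rc)"
        return 0
    fi
    echo "ipa-getkeytab failed for $user (exit $rc)" >&2
    return 1
}

# Usage: lock_ipa_password backupagent
# Or for several accounts:  for u in svc1 svc2; do lock_ipa_password "$u"; done
```

Because the old key is replaced rather than removed, any keytab previously issued for that principal stops working as well; that is the desired effect for an account that should only ever be reached over SSH public keys, but worth knowing before running it against service accounts.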

@yrro I'd close this ticket since the workaround already handles the situation.

Marked as resolved since this can be done using ipa-getkeytab.

Metadata Update from @rcritten (3 years ago):
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
