I'm following the setup guide for Capistrano (http://capistranorb.com/documentation/getting-started/authentication-and-authorisation/). However I found that I'm not able to ssh into the computer with the locked user ('deploy'). I checked /var/log/auth.log and it says:
sshd[29163]: User deploy not allowed because account is locked
sshd[29163]: input_userauth_request: invalid user deploy [preauth]
After I unlock the user using passwd -u deploy, I'm able to ssh into the computer.
I checked man page for passwd and it says:
-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).
Users with a locked password are not allowed to change their password.
From the section "Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key)." it seems that I should be able to ssh into the computer with the user locked, but it's not what I'm seeing. Does anyone know why? I'm running Ubuntu 12.04.4 LTS.
The default duration for lockout is 120 seconds.
How to unlock users in Linux? Option 1: Use the command “passwd -u username”. Unlocking password for user username. Option 2: Use the command “usermod -U username”.
What the man page says is not that you will be able to use SSH to log into a locked account. What the man page says is that if you have set up SSH keys for non-password login to the account, such login might still work when the password is locked, because SSH key login uses the SSH key instead of the password as the authentication token, bypassing the password-authentication step which would fail.
However, even with non-password login working, it only says that it may work. The authentication process is partially controlled/managed by PAM, so if you have your SSH keys set up, and you are able to login to the 'deploy' user without a password as long as it has a valid password, and you are not able to login to the 'deploy' user when the password is locked, look into your PAM configuration.
In Ubuntu, your user might be locked if it has no password at all. Setting one did fix things for me a couple of times.
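Added example, not part of the original question or answers: one thing to check given the log line in the question. It models the pre-authentication check in portable OpenSSH on Linux, which, when UsePAM is off, refuses any account whose shadow password field starts with "!" and logs "not allowed because account is locked". The shadow entries, the sshd_config fragment and the function names are constructed for illustration.

```python
# Added example: models sshd's pre-auth locked-account check on Linux.
# All sample data below is constructed, not taken from the original post.

SAMPLE_SHADOW = """\
deploy:!$6$abc$constructedhash:16200:0:99999:7:::
ci:!:16200:0:99999:7:::
svc:*:16200:0:99999:7:::
alice:$6$abc$constructedhash:16200:0:99999:7:::
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
PubkeyAuthentication yes
UsePAM no
"""

def use_pam(sshd_config: str) -> bool:
    """First UsePAM line wins; OpenSSH's compiled-in default is 'no'."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "usepam":
            return parts[1].lower() == "yes"
    return False

def password_state(shadow_field: str) -> str:
    if shadow_field.startswith("!"):
        # passwd -l prefixes '!'; a bare '!' is what useradd leaves
        # when the account was created without a password
        return "locked" if len(shadow_field) > 1 else "locked (never set)"
    if shadow_field == "*":
        return "no valid password"
    return "empty" if shadow_field == "" else "usable"

def key_login_refused(user: str, shadow: str, sshd_config: str) -> bool:
    """True if sshd would reject the user before any key is checked."""
    if use_pam(sshd_config):
        return False  # decision is left to the PAM account stack
    for entry in shadow.splitlines():
        name, field = entry.split(":")[:2]
        if name == user:
            return field.startswith("!")
    raise KeyError(user)

if __name__ == "__main__":
    for entry in SAMPLE_SHADOW.splitlines():
        name, field = entry.split(":")[:2]
        print(name, password_state(field),
              key_login_refused(name, SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG))
```

On a real host the same two inputs come from `passwd -S deploy` (or the shadow entry) and the effective UsePAM setting in /etc/ssh/sshd_config. An account whose field is "*" is not treated as locked by this check, so key login still works for it.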