Make password expiration configurable + a switch to turn off password access if key is present #534

Open
BrianGilbert opened this issue Dec 9, 2014 · 9 comments

Comments

@BrianGilbert

Is it possible to make the BOA install only allow key-based login instead of setting up the SFTP server? And also disable the scheduled forced resetting of passwords? (I generally don't use passwords at all.)

@omega8cc
Owner

omega8cc commented Dec 9, 2014

These two things are not really related. We can't make SFTP optional, because it is a part of SSH, just with an extra wrapper. Do you suggest a configurable password expiration perhaps?

@BrianGilbert
Author

Yes, configurable password expiry would work, I think.

@omega8cc
Owner

omega8cc commented Dec 9, 2014

We could also add a switch to disable password access for accounts if SSH keys are detected, because you need the password first anyway. It would be enough to use the "passwd" command to restore password-based access for an account temporarily, though.

@BrianGilbert
Author

That would be great if there was a way to stop passwords being initially created (which was how it worked last time I installed using BOA).

@omega8cc omega8cc changed the title Is it possible to make boa install only allow key based login instead of setting up the sftp server? Make password expiration configurable + a switch to turn off password access if key is present Dec 9, 2014
@omega8cc
Owner

omega8cc commented Dec 9, 2014

It never worked w/o passwords and you always need password access first for all non-root users.

@BrianGilbert
Author

As an extra note, as the root user I have previously been disabling password-based login before I execute the Barracuda install, as well as adding keys for the aegir user (based on the Barracuda install).

@omega8cc
Owner

omega8cc commented Dec 9, 2014

We need an approach which is good for most users and not just for a specific use case.

@BrianGilbert
Author

Sure, I get that.

@macmladen

Disabling password access may be dangerous, because sometimes a firewall may prevent you from logging in from the machine that has the key, and the only way to unblock is to log in from some other machine/IP with a password.

The same problem may occur if your own machine becomes problematic, for instance if the only place you had the key has a disk failure and your key is lost for good.

Some automatic procedure may even prevent any other access, including root, which can usually be reset with some provider control panel, and leave you completely without administrative access.

I am not sure how this can be pulled off safely and simply.
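
Added example, not part of the thread and not BOA's own code: a dry-run check for the switch discussed above, which reports `lock` only when an account has a usable key and keeps password access otherwise. The function names, the root exemption, the permission check and the sample accounts and key are assumptions made for this illustration.

```shell
#!/bin/sh
# Dry run only: prints a decision per account and changes nothing.

# has_usable_key FILE: succeed if FILE holds at least one public-key line.
has_usable_key() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {   # options may precede the key type, so scan every field
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ "^[A-Za-z0-9+/]+=*$") { found = 1; exit }
        }
        END { exit !found }' "$1"
}

# password_decision USER HOME UID: print "lock" or "keep:<reason>".
password_decision() {
    home=$2 uid=$3
    keyfile="$home/.ssh/authorized_keys"
    # Lockout concern from the thread: root stays reachable by password.
    if [ "$uid" -eq 0 ]; then echo "keep:root"; return 0; fi
    if ! has_usable_key "$keyfile"; then echo "keep:no-usable-key"; return 0; fi
    # sshd with StrictModes ignores key files that group or others can write,
    # so locking the password here would leave the account with no way in.
    if [ -n "$(find "$keyfile" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "keep:unsafe-key-perms"; return 0
    fi
    echo "lock"    # a real switch would then run: passwd -l "$1"
}

# Constructed sample accounts under a temp dir (not real users or keys).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/root/.ssh"
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyNotReal0000 demo'
    echo "$key" > "$d/alice/.ssh/authorized_keys"
    echo "# key removed" > "$d/bob/.ssh/authorized_keys"
    echo "$key" > "$d/root/.ssh/authorized_keys"
    chmod 600 "$d"/*/.ssh/authorized_keys
    for row in alice:1001 bob:1002 root:0; do
        u=${row%%:*}
        echo "$u $(password_decision "$u" "$d/$u" "${row##*:}")"
    done
    rm -rf "$d"
}
demo
```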

@omega8cc omega8cc modified the milestones: 2.4.1, 2.4.2 Jan 18, 2015
@omega8cc omega8cc modified the milestones: 2.4.2, 2.4.3 Feb 21, 2015
@omega8cc omega8cc modified the milestones: 2.4.3, 2.4.4 Apr 4, 2015
@omega8cc omega8cc modified the milestones: 2.4.5, 2.5.0 Jun 30, 2015
@omega8cc omega8cc added this to the 3.x.0 milestone Oct 17, 2015
@omega8cc omega8cc removed this from the 2.5.0 milestone Oct 17, 2015