So, if I understand correctly, you're suggesting creating a separate user account and granting it the ability to log in via password. This seems like a feasible approach to avoid enabling root login while still maintaining emergency access under specific conditions.
I'm considering using the sshd_config's Match block for this purpose. Essentially, I could configure it to allow password authentication for this new user, but strictly limit this capability to connections from a certain internal network, enhancing security.
Would something like the following configuration be the right way to implement this idea?
Code:
Match User emergencyUser Address 192.168.1.0/24
    PasswordAuthentication yes
This setup would mean `emergencyUser` can log in with a password only when connecting from the 192.168.1.0/24 subnet. Do you think this is a secure and effective method to achieve the emergency access we need, while keeping in line with best practices for a hardened Ubuntu setup?
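To make the Match semantics concrete, here is an added illustration (not code from the post, and not OpenSSH's own logic) that resolves PasswordAuthentication the way sshd does: the first matching Match block that sets the keyword wins, otherwise the global value, otherwise the compiled-in default. The two config texts are constructed; the second one deliberately omits the global `PasswordAuthentication no` to show why that line is what actually closes password login for everyone else.

```python
"""Resolve the PasswordAuthentication value sshd would apply to a connection,
honouring Match User/Address blocks. Added illustration, not code from the
post; the two config texts below are constructed for it."""
import fnmatch
import ipaddress

# Constructed: global deny plus the Match block from the post.
HARDENED_CONFIG = """
PasswordAuthentication no
PermitRootLogin no

Match User emergencyUser Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# Constructed: same Match block, but the global line was forgotten.
MISSING_GLOBAL_CONFIG = """
PermitRootLogin no

Match User emergencyUser Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# OpenSSH compiled-in defaults for the keywords this example cares about.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}


def parse_sshd_config(text):
    """Split a config into global settings and ordered (criteria, settings)
    Match blocks. Within each section only the first value of a keyword is
    kept, which is sshd's first-obtained-value rule."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "match":
            tokens = rest.split()
            # Criteria come in name/value pairs; a value may be a comma list.
            criteria = {n.lower(): v.split(",") for n, v in zip(tokens[::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, rest.strip())
    return global_settings, blocks


def address_matches(addr, patterns):
    """CIDR patterns use prefix matching; anything else is an sshd-style glob."""
    ip = ipaddress.ip_address(addr)
    for pattern in patterns:
        if "/" in pattern:
            if ip in ipaddress.ip_network(pattern, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, pattern):
            return True
    return False


def block_matches(criteria, user, addr):
    """Every criterion on a Match line must hold (they are ANDed)."""
    for name, values in criteria.items():
        if name == "user":
            if not any(fnmatch.fnmatchcase(user, v) for v in values):
                return False
        elif name == "address":
            if not address_matches(addr, values):
                return False
        else:
            # Group, Host, LocalAddress, LocalPort and RDomain are left out here.
            raise ValueError(f"Match criterion {name!r} not handled in this example")
    return True


def effective_value(text, keyword, user, addr):
    """Value sshd would use for `keyword` on a connection by `user` from `addr`."""
    keyword = keyword.lower()
    global_settings, blocks = parse_sshd_config(text)
    for criteria, settings in blocks:
        if block_matches(criteria, user, addr) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword, SSHD_DEFAULTS.get(keyword, "<unknown default>"))


if __name__ == "__main__":
    for user, addr in [("emergencyUser", "192.168.1.10"),
                       ("emergencyUser", "10.0.0.5"),
                       ("alice", "192.168.1.10")]:
        print(user, addr, effective_value(HARDENED_CONFIG, "PasswordAuthentication", user, addr))
    # Without the global "no", everyone keeps sshd's default of "yes".
    print("alice 203.0.113.7",
          effective_value(MISSING_GLOBAL_CONFIG, "PasswordAuthentication", "alice", "203.0.113.7"))
```

On the real host the authoritative check is `sshd -T -C user=emergencyUser,addr=192.168.1.10 | grep -i passwordauthentication` (and the same with an address outside the subnet), which prints the effective value exactly as the daemon would apply it. Two things to verify alongside the Match block: the global `PasswordAuthentication no` must precede it, and on Ubuntu the drop-ins under /etc/ssh/sshd_config.d/ are Included at the top of sshd_config and can carry their own PasswordAuthentication line, so grep those too. A source-address restriction is only as strong as the internal network it trusts, so treat the emergency user's password as a break-glass credential: long, stored offline, rotated after use, and with PubkeyAuthentication left on for normal access.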
I'm currently facing a challenge on systems running Ubuntu Pro that have been hardened following the CIS (Center for Internet Security) benchmarks at USG Server Level 1. After applying these hardening measures, I've run into an issue when attempting to assign or change passwords for users. Whenever I try to use the `passwd` command, I encounter the following errors:
Code:
passwd: Module is unknown
passwd: password unchanged
This seems to be a direct consequence of the CIS hardening process, possibly due to stricter PAM (Pluggable Authentication Modules) configurations or other security policies that have been put into place to strengthen the system's defenses.
Given the stringent security requirements we're adhering to, I'm looking for guidance on how to successfully assign or change user passwords under these conditions. Is there a recommended workaround or specific steps I should follow to manage user passwords without compromising the hardened security stance of the system?
I found this one:
https://ubuntuforums.org/showthread.php?t=1973164
But I can't figure out where my issue is located.
/etc/pam.d/common-password
Code:
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure yescrypt remember=5
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
password requisite pam_pwquality.so retry=3
I appreciate any insights or advice you can share. Thank you in advance for your time and help.
Best regards
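`Module is unknown` is libpam's PAM_MODULE_UNKNOWN, which the password stack returns when one of the modules it references cannot be loaded. Rather than reading the stack by eye, the added script below (my illustration, not code from the thread or from the CIS/USG tooling) flattens the `password` stack of a service, following @include and include/substack lines, and reports any module whose .so is not installed. The stack text and the installed-module set are constructed so it runs offline; in the constructed scenario pam_pwquality.so is referenced but absent, which is one possible cause, not a diagnosis of the poster's system. The module directory is the amd64 Ubuntu path and is an assumption.

```python
"""Find which module of a PAM password stack is not installed, the usual
reason libpam answers `Module is unknown`. Added illustration, not code from
the post; the stack text and installed-module set below are constructed so
the script runs without touching /etc/pam.d."""
import os
import re

# Module directory on amd64 Ubuntu (assumed; adjust for other architectures).
MODULE_DIRS = ["/usr/lib/x86_64-linux-gnu/security", "/usr/lib/security", "/lib/security"]

# type, control (a bare word or a [...] list), module, optional arguments
PAM_LINE = re.compile(
    r"^(?P<optional>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

# Constructed sample resembling the stack in the post; /etc/pam.d/passwd on
# Ubuntu just pulls in common-password.
PASSWD_SERVICE = "@include common-password\n"
COMMON_PASSWORD = """
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure yescrypt remember=5
password requisite pam_deny.so
password required pam_permit.so
# end of pam-auth-update config
password requisite pam_pwquality.so retry=3
"""
INCLUDES = {"common-password": COMMON_PASSWORD}

# Constructed scenario: libpam-pwquality is not installed.
INSTALLED_SAMPLE = {"pam_unix.so", "pam_deny.so", "pam_permit.so"}


def stack_modules(text, includes, mgmt="password"):
    """Flatten one management group of a PAM service, following @include and
    include/substack controls, and return the modules it loads in order.
    Lines whose type starts with '-' are skipped: libpam silently ignores
    those if the module is missing, so they cannot produce this error."""
    modules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            name = line.split(None, 1)[1]
            modules.extend(stack_modules(includes.get(name, ""), includes, mgmt))
            continue
        m = PAM_LINE.match(line)
        if not m or m.group("type") != mgmt or m.group("optional"):
            continue
        if m.group("control") in ("include", "substack"):
            modules.extend(stack_modules(includes.get(m.group("module"), ""), includes, mgmt))
        else:
            modules.append(m.group("module"))
    return modules


def missing_modules(modules, installed):
    """Modules referenced by the stack that are not among the installed .so files."""
    return sorted(set(modules) - set(installed))


def installed_modules(dirs=MODULE_DIRS):
    """Names of every PAM module .so present in the module directories."""
    found = set()
    for d in dirs:
        if os.path.isdir(d):
            found.update(f for f in os.listdir(d) if f.endswith(".so"))
    return found


def load_pam_dir(path="/etc/pam.d"):
    """Read every service file so @include names can be resolved."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full) as fh:
                files[name] = fh.read()
    return files


if __name__ == "__main__":
    # Self-contained demo on the constructed data ...
    mods = stack_modules(PASSWD_SERVICE, INCLUDES)
    print("stack:", mods)
    print("missing (sample):", missing_modules(mods, INSTALLED_SAMPLE))
    # ... and the real check when run on a host.
    if os.path.isdir("/etc/pam.d"):
        files = load_pam_dir()
        real = stack_modules(files.get("passwd", ""), files)
        print("missing (this host):", missing_modules(real, installed_modules()))
```

Run it as root on the hardened box and compare with what libpam logged at the time of the failed `passwd`: Linux-PAM writes `PAM unable to dlopen(...)` followed by `PAM adding faulty module: ...` to the auth log, so `grep -i "unable to dlopen" /var/log/auth.log` names the file it could not load. If the missing module turns out to be pam_pwquality.so, the package on Ubuntu is libpam-pwquality; it also ships a pam-configs profile, so enabling it through `pam-auth-update` keeps the line inside the managed block instead of after the `end of pam-auth-update config` marker, where the next profile update will not see it.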