Due to CIS 5.4.1.1, the Salt Master node password expiration is set to a maximum of 90 days, with a subsequent access lock if the password is not updated. As a result, if the user does not update the password, access to the Salt Master node may be lost even if PasswordAuthentication is disabled in the SSH server configuration, because the lock applies to the account itself, not only to password logins. Perform the following steps to either disable CIS 5.4.1.1 or update the time stamp of the last password change.
To modify the Salt Master node password expiration:

For MCP versions before the 2019.2.6 maintenance update, disable CIS 5.4.1.1:

1. Log in to the Salt Master node.
2. Choose from the following options:
   - Disable CIS 5.4.1.1 on all nodes for all users:
     salt '*' cmd.run "getent passwd|awk -F':' '{print \$1}'|xargs -I{} chage -M 99999 -m 7 {}"
   - Disable CIS 5.4.1.1 for a particular user:
     salt '*' cmd.run "chage -M 99999 -m 7 <account>"
3. Run chage -l <account> to verify that Password expires is set to never and Maximum number of days between password change is set to 99999. For example:
     chage -l <account>
     Last password change                                    : Jan 29, 2020
     Password expires                                        : never
     Password inactive                                       : never
     Account expires                                         : never
     Minimum number of days between password change          : 7
     Maximum number of days between password change          : 99999
     Number of days of warning before password expires       : 7
For MCP versions starting from the 2019.2.6 maintenance update, update the time stamp of the last password change using the helper function. The helper does not update the password itself. Update the time stamp using the helper function every 30 days, or set a cron job to update the time stamp automatically:

1. Log in to the Salt Master node.
2. Choose from the following options:
   - Update the time stamp of the last password change for all users:
     salt '*' sharedlib.call cis.fix_last_password_change
   - Update the time stamp of the last password change for particular users:
     salt '*' sharedlib.call cis.fix_last_password_change <account1> [<account2>]
3. Run chage -l <account> to verify that Last password change is set to the current date and Password expires is set to the date 90 days after the current one. For example:
     chage -l <account>
     Last password change                                    : Jan 29, 2020
     Password expires                                        : Apr 28, 2020
     Password inactive                                       : never
     Account expires                                         : never
     Minimum number of days between password change          : 7
     Maximum number of days between password change          : 90
     Number of days of warning before password expires       : 7
4. Optional. Set a cron job to automatically update the time stamp every 30 days:
   - Run crontab -e.
   - Schedule the cron job (the entry below runs at 01:00 on the first day of every month):
     0 1 1 * * salt '*' sharedlib.call cis.fix_last_password_change <account1>
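The script below is an added example; it is not part of the MCP documentation or of the cis.fix_last_password_change helper. It classifies constructed /etc/shadow records the way the procedure above needs (CIS 5.4.1.1 disabled, still valid, expired, or locked) so an operator can see which accounts are about to lose access, and it shows the field rewrite that `chage -d <date> <account>` performs, which is assumed here to be what the helper does. The day-number arithmetic is the one chage and /etc/shadow use (days since 1970-01-01).

```shell
#!/bin/sh
# Constructed sample /etc/shadow records (fake hashes, not real accounts).
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is a day number (days since 1970-01-01); 18290 is 2020-01-29.
SAMPLE_SHADOW='root:$6$fake1:18290:7:90:7:::
deploy:$6$fake2:18290:7:99999:7:::
svc:$6$fake3:18150:7:90:7:0::
app:$6$fake4:18150:7:90:7:::'

# Today as a day number, the unit chage and /etc/shadow use.
today_days() { echo $(( $(date -u +%s) / 86400 )); }

# password_state RECORD TODAY -> "<user> <state> <days>"
#   never   : max age 99999 (or unset): CIS 5.4.1.1 is disabled for this account
#   ok      : password still valid for <days> more days
#   expired : max age passed <days> days ago; no inactivity lock has hit yet
#   locked  : expired and the inactivity window also passed; the account is
#             disabled, so key-based SSH (PasswordAuthentication no) fails too
password_state() {
  record=$1; today=$2
  user=$(printf '%s' "$record" | cut -d: -f1)
  lastchg=$(printf '%s' "$record" | cut -d: -f3)
  max=$(printf '%s' "$record" | cut -d: -f5)
  inactive=$(printf '%s' "$record" | cut -d: -f7)
  if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
    echo "$user never 0"; return
  fi
  expires=$(( lastchg + max ))
  left=$(( expires - today ))
  if [ "$left" -ge 0 ]; then
    echo "$user ok $left"
  elif [ -n "$inactive" ] && [ "$today" -gt $(( expires + inactive )) ]; then
    echo "$user locked $(( today - expires - inactive ))"
  else
    echo "$user expired $(( 0 - left ))"
  fi
}

# stamp_last_change RECORD TODAY -> RECORD with field 3 (lastchg) set to TODAY.
# This is the effect of `chage -d <today> <account>`; the hash is untouched,
# which is why the page says the helper does not change the password itself.
stamp_last_change() {
  printf '%s\n' "$1" | awk -F: -v OFS=: -v d="$2" '{ $3 = d; print }'
}

# Report every sample account as of today.
printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r rec; do
  password_state "$rec" "$(today_days)"
done
```

On a real node the same check is run by feeding `getent shadow` records to password_state instead of the constructed sample.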