Recovering an AWS instance that prompts for a password (happens when using SSH-key-only logins)

Part of this is directly cribbed from AWS Docs!

Symptoms:

Password change required but no TTY available.

WARNING: Your password has expired

Logging in with SSH but getting prompted to change the password for cloud-user. Those passwords are random to begin with, so you can't change it because you don't know the current one.

Problem:

The cloud-user account's password has expired. Password expiry has nothing to do with SSH key validity, as shown by getting connected and then getting the change-password prompt (you're already in via SSH, but PAM kicks in to force the password change).

Fix:

Stop the instance (sorry; do not terminate it!)

Copy out the existing user data.

Replace the user data with this (the --// lines are the MIME part boundaries; the cloud-config part makes the scripts-user module run on every boot instead of only the first one, and the shell-script part resets the password-age clock for cloud-user):

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
/usr/bin/chage -d 65535 cloud-user
--//--

Start the instance again.

WAIT AT LEAST ONE MINUTE!!

User data runs asynchronously from the box starting up, so sit tight for a minute or two.

SSH login should now work.

Do you need to put your user data back?

The replacement user data fires again on every startup (that is what the always flag does), and you have to stop the instance to change the user-data section again. Decide whether that is what you need, or leave it as is, or stop it and blank out the user data.

If you put your user data back to what it was before, add this section to it to prevent the problem from recurring:

# Fix the cloud-user password age issue
# (the sed line comments out "Defaults requiretty" in sudoers so sudo also works from non-interactive sessions)
sed -i.bak -e '/Defaults.*requiretty/s/^/#/' /etc/sudoers
chage -d 65535 cloud-user
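To catch this before it bites a key-only login, here is an added audit script (not from the original post or from AWS) that classifies shadow(5)-style entries by password-ageing state, using the same rule pam_unix applies; the entries in it are constructed samples, and the svc-backup line shows what chage -d 65535 leaves behind.

```shell
# Added example: audit shadow(5) entries for the ageing state that makes PAM
# demand a password change even on key-based SSH logins.
# Entry layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   lastchg = days since 1970-01-01 of the last change (0 = must change at next login)
#   max     = days the password stays valid (empty = ageing disabled)

# Constructed sample entries so this runs offline; on a real host run as root
# with SHADOW_DATA="$(cat /etc/shadow)" instead.
SHADOW_DATA='root:!:19000:0:99999:7:::
cloud-user:!!:18000:0:90:7:::
ec2-user:!!:0:0:99999:7:::
svc-backup:!!:65535:0:90:7:::
ops:!!:19500:0::7:::'

# Days since the epoch for "today", the unit chage and /etc/shadow use.
today_days() { echo $(( $(date +%s) / 86400 )); }

# password_state NAME TODAY -> ok | expired | must-change | no-ageing | unknown
# Mirrors pam_unix: the password is expired once (today - lastchg) exceeds max.
# A lastchg of 65535 (the fix in the post) sits far in the future, so the
# difference is negative and the password never counts as expired.
password_state() {
    entry=$(printf '%s\n' "$SHADOW_DATA" | grep "^$1:") || { echo unknown; return 0; }
    lastchg=$(printf '%s' "$entry" | cut -d: -f3)
    max=$(printf '%s' "$entry" | cut -d: -f5)
    if [ -z "$lastchg" ] || [ -z "$max" ]; then echo no-ageing; return 0; fi
    if [ "$lastchg" -eq 0 ]; then echo must-change; return 0; fi
    if [ $(( $2 - lastchg )) -gt "$max" ]; then echo expired; else echo ok; fi
}

# list_affected TODAY -> space-separated names whose key-based SSH login
# would land on the change-password prompt.
list_affected() {
    out=""
    for name in $(printf '%s\n' "$SHADOW_DATA" | cut -d: -f1); do
        case $(password_state "$name" "$1") in
            expired|must-change) out="$out $name" ;;
        esac
    done
    echo "${out# }"
}

# Usage on a live host: list_affected "$(today_days)"
```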
