How can I make a user able to log in with ssh keys but not with a password?
Solution 1
Use of passwd -d is plain wrong, at least on Fedora, on any Linux distro based on shadow-utils. If you remove the password with passwd -d, it means anyone can log in to that user (on console or graphical) providing no password.
In order to block logins with password authentication, run passwd -l username, which locks the account, making it available to the root user only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !).
Any login attempt, local or remote, will result in an "incorrect password", while public key login will still be working. The account can then be unlocked with passwd -u username.
If you want to completely lock an account without deleting it, edit /etc/passwd and set /sbin/nologin or /bin/false in the last field. The former will result in "This account is currently not available." for any login attempt.
Please refer to the passwd(1) man page.
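To see the difference the answer describes in the file itself, here is an added audit script (not part of the answer) that classifies the password field of shadow entries and lists accounts left in the passwd -d state; the sample shadow lines, user names and hashes are constructed.

```shell
#!/bin/sh
# Classify the password field (second field) of one /etc/shadow line:
#   empty  - no password at all, the state passwd -d leaves behind: anyone can
#            log in as this user without typing a password
#   locked - field starts with "!" (passwd -l prefixes the hash with "!") or
#            "*" (never had a usable password): password login is refused,
#            public-key login is unaffected
#   set    - a usable password hash is present
classify_shadow_entry() {
    pwfield=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pwfield" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Print the names of all accounts in a shadow file whose password field is
# empty. Defaults to /etc/shadow, which is readable by root only.
find_passwordless() {
    file=${1:-/etc/shadow}
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_shadow_entry "$line")" = empty ]; then
            printf '%s\n' "$line" | cut -d: -f1
        fi
    done < "$file"
}

# Constructed sample (not real accounts or hashes) so the script runs stand-alone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$constructedsalt$constructedhash:19600:0:99999:7:::
backup::19600:0:99999:7:::
restic:!$6$constructedsalt$constructedhash:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
EOF
find_passwordless "$SAMPLE"
rm -f "$SAMPLE"
```

Run as root against the real file with `find_passwordless` and an empty argument; any name it prints is an account that accepts an empty password wherever the login program does not reject empty passwords itself.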
Solution 2
Aren't you asking, specifically for the SSH daemon, to not accept password-based authentication but only key/passphrase authentication?
Look for changes to sshd_config.
Set
PasswordAuthentication No
PreferredAuthentications publickey,hostbased,keyboard-interactive
Protocol 2,1
Look for more config parameters at man ssh_config
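An added checker (not part of the answer above) that resolves sshd_config keywords the way sshd does, first occurrence wins and keyword names are case-insensitive, and reports whether a password-based login path is still open, including the keyboard-interactive/PAM path the answer's PreferredAuthentications line still lists. Directives inside Match blocks are skipped; `sshd -T` on the host is the authoritative check. The sample config is constructed.

```shell
#!/bin/sh
# usage: sshd_effective FILE KEYWORD DEFAULT  (prints the value in lower case)
# Keyword names are case-insensitive and sshd keeps the FIRST occurrence.
# Everything from the first Match block on is conditional and ignored here.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^match([ \t]|$)/ { exit }
        tolower(line) ~ ("^" key "[ \t=]") {
            split(line, f, /[ \t=]+/); print tolower(f[2]); found = 1; exit
        }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Key-only login needs every password-shaped path off and public keys on:
# PasswordAuthentication is the plain "password" method; KbdInteractive-
# Authentication (ChallengeResponseAuthentication in older OpenSSH) covers
# PAM prompts that ask for the very same password.
check_no_password_login() {
    pa=$(sshd_effective "$1" PasswordAuthentication yes)
    pe=$(sshd_effective "$1" PermitEmptyPasswords no)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    ki=$(sshd_effective "$1" KbdInteractiveAuthentication "$cr")
    if [ "$pa" = no ] && [ "$pe" = no ] && [ "$pk" = yes ] && [ "$ki" = no ]; then
        echo ok
    else
        echo "open: PasswordAuthentication=$pa PermitEmptyPasswords=$pe" \
             "PubkeyAuthentication=$pk KbdInteractiveAuthentication=$ki"
    fi
}

# Constructed sample config (not from any real host) for a stand-alone run.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# sshd ignores this later duplicate; the Match block applies only to
# matching connections and is not consulted by sshd_effective.
PasswordAuthentication yes
Match User guest
    PasswordAuthentication yes
EOF
check_no_password_login "$CFG"
rm -f "$CFG"
```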
Updated on September 17, 2022
Comments
-
Jeff Schaller over 1 year
I would like to create a user and have no password. As in you can't log in with a password. I want to add keys to its authorized_keys by using root. This is for my automated backup system.
-
Gilles 'SO- stop being evil' over 13 years
As pointed out by guido, passwd -d makes the account passwordless, as in, you can log in without having to type a password. Use passwd -l to lock the account (think of it as giving an impossible-to-type password).
-
Gilles 'SO- stop being evil' over 13 years
I've added a warning to your post, because it is dangerous as it stands. I'll leave it up to you to decide whether to fix your answer, or delete your answer (if you think guido's is sufficient), or refute the warning.
-
Gilles 'SO- stop being evil' over 13 years
@guido: rvs won't be notified of your answer. You would need to add a comment to his answer for that (I've done it). Note that readers may read your answer before his; you should write answers that respond directly to the question. Well done for pointing this one out! It applies to most Linux distributions (the ones using the Linux shadow utilities).
-
Pavan Kumar over 13 years
@Gilles: sorry, I am new to Stack Exchange; I only pointed out this one a bit harshly because it was like suggesting users set up passwordless accounts, and it was accepted and marked as useful...
-
Gilles 'SO- stop being evil' over 13 years
@guido: No worries, I was just explaining how to make your warning more effective. In fact, in such extreme cases where an answer is dangerously wrong, it would be appropriate to suggest an edit adding a warning or correction (hopefully you won't encounter these situations too often on the site).
-
mivk over 13 years
@mathepic: It does work, on Debian. Exactly the way I asked.
-
Admin over 13 years
@guido: Actually, on Debian Squeeze (I don't know about lenny or etch) that answer DOES work. It doesn't allow anyone but root to log in, allows authorized keys, but it isn't passwordless, it just accepts no password. I was surprised you could 'delete the password' and that it would work this way. But it did exactly what I wanted and exactly what this answer does and was the only answer, so I just accepted it. This answer makes more sense and I'll accept it because I'm willing to bet other distros do allow anyone to log in because it's passwordless, unlike Debian. Anyway, good answer.
-
mattdm over 13 years
@acidzombie: many programs, like SSH, have an option to disallow empty passwords. But not every program does. (It's possible that Debian has patched/configured every program they ship to behave this way, but I doubt it.)
-
mattdm over 13 years
Are you sure that a non-privileged user can't su to the user?
-
Admin over 13 years
@mattdm: interesting, I doubt that too. I tested by trying to log in via ssh, then I logged in as a non-root user and used su, which didn't work. su with root obviously did. I only know of two ways to log in as a user.
-
Admin over 13 years
@guido: and that's why I like this answer :)
-
Pavel Šimerda over 9 years
Unfortunately passwd -u user refuses to work for the very same reason that passwd -d is wrong. Tested on Gentoo.
-
Pavel Šimerda over 9 years
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.
Therefore at least on some systems (checked with Gentoo) this is not applicable. On others it may behave like passwd -d, which is not desirable. To be honest, I have yet to see a system where it works and does a different thing.
-
Pavan Kumar over 9 years
@PavelŠimerda ??? passwd -u is the opposite of passwd -l, which, at the end of the day, is removing or adding a ! character in the password field. AFAIK it would complain about passwordless only if the password was already empty before locking.
-
Pavel Šimerda over 9 years
You can ask questions with a single question mark at the end of the sentence. Of course it is the opposite. In the test above there is no password set; the account is locked since it was created. And this account cannot be unlocked by passwd -u.
-
Pavan Kumar over 9 years
@PavelŠimerda ok, I certainly see your point now; it has no direct relation with what was asked here and my answer though, so let me suggest asking a new question if you need further clarification about passwd usage.