Scripting an 'empty' password in /etc/shadow
Solution 1
To avoid problems with locking, or messing up your shadow file, you could conceivably use
echo username:some_string | chpasswd
More specifically: you could actually use the *
in the password field by doing this:
echo "username:*" | chpasswd -e
Solution 2
And yet another solution which doesn't involve a pipe is the following (also found in the shadow, resp. shadow-utils package):
usermod -p '*' username
Solution 3
Have you tried
passwd -d username
it deletes the password entry of the particular user from the /etc/shadow file
. Basically making the particular user login as empty password.
It can only be enforced as root or sudo user.
Solution 4
Well, I played around a bit more and I found that if I turn the password into *
in /etc/shadow
, it allows SSH but disables password logins on the TTY. So I'll add this as an answer to my own question.
This has been added to my script after the useradd
call:
cp /etc/shadow /etc/shadow.backup
sed -e "s/^\(${username}:\)[^:]*:/\1*:/" /etc/shadow.backup > /etc/shadow
It replaces a specific user's shadow password entry with a *
.
Related videos on Youtube
Comments
-
paddy over 1 year
I've written a script to add CVS and SVN users on a Linux server (Slackware 14.0). This script creates the user if necessary, and either copies the user's SSH key from an existing shell account or generates a new SSH key.
Just to be clear, the accounts are specifically for SVN or CVS. So the entry in
/home/${username}/.ssh/authorized_keys
begins with (using CVS as an example):command="/usr/bin/cvs server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ....etc...etc...etc...
Actual shell access will never be allowed for these users - they are purely there to provide access to our source repositories via SSH.
My problem is that when I add a new user, they get an empty password in
/etc/shadow
by default. It looks like:paddycvs:!:15679:0:99999:7:::
If I leave the shadow file as is (with the
!
), SSH authentication fails. To enable SSH, I must first runpasswd
for the new user and enter something.I have two issues with doing that. First, it requires user input which I can't allow in this script. Second, it potentially allows the user to login at the physical terminal (if they have physical access, which they might, and know the secret password -- okay, so that's unlikely).
The way I normally prevent users from logging in is to set their shell to
/bin/false
, but if I do that then SSH doesn't work either!Does anyone have a suggestion for scripting this? Should I simply use
sed
or something and replace the relevant line in the shadow file with a preset encrypted secret password string? Or is there a better way?Cheers =)
-
paddy over 11 yearsThank you, that's just what I was looking for. Much cleaner than my hack with
sed
, and obviously more robust.