create password for user with only ssh key - linux

I have a user on my Linux machine. The user logs in using an ssh key. The user does not have a password. I want to create a password for this user, as a password is required to access an application (R-studio server) I am trying to run.

To create a password for your user, you can use: sudo passwd yourUser

As per the requirement: ssh -t udayan@udayan_maurya_machine passwd
You can give the password at the time of logging in to the machine via ssh.

Related

How to add new Linux user restricted to ssh tunneling with password?

I wanted to create a new user on my Linux server so that he can access my postgres database through an ssh tunnel. However, I want to restrict his access to only the ssh tunnel.
I followed these steps:

1. Log in on the server as root
2. Create a new user with useradd new_user -M -s /bin/true
3. Set a password with passwd new_user
4. Make sure that PasswordAuthentication yes is set and uncommented in /etc/ssh/sshd_config
5. Restart ssh with sudo systemctl reload sshd
6. Log out from the server and log in to the server as the new user with ssh -p 7822 new_user@my_address.com -N 5433:localhost:5432 (I am using a2hosting as a provider, where I need to use port 7822 for ssh)

However, when I try to log in I get the error
Permission denied, please try again.
When I do everything like above but change step 2 into
useradd new_user -m -d /home/new_user
I can successfully log in with the new user; however, I then have the possibility to actually access the command line, which I try to avoid. What am I doing wrong here?

It could be that /bin/true is not available on the system. As an alternative, use /bin/false.
Both perform the same function but /bin/false tends to be used more.
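
A check for the goal stated in the question above (an account that can open the tunnel and nothing else), as an added example that is not part of the original question or answer. It reads effective sshd settings in the `keyword value` form printed by `sshd -T` and lists the restrictions still missing; the function name, the sample settings and the use of localhost:5432 as the only permitted destination are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the restrictions a tunnel-only account still lacks.
# Input on stdin: effective sshd settings as "keyword value" lines, the format
# printed by `sshd -T -C user=NAME` (keywords are printed in lower case).
# Argument: the single host:port the account may forward to.
tunnel_only_gaps() {
    target=$1
    settings=$(cat)
    # want KEYWORD VALUE: print a finding unless the setting has that value
    want() {
        got=$(printf '%s\n' "$settings" |
              awk -v k="$1" '$1 == k { print $2; exit }')
        [ "$got" = "$2" ] ||
            printf '%s: want %s, got %s\n' "$1" "$2" "${got:-unset}"
    }
    want permittty no                 # no interactive terminal
    want x11forwarding no
    want allowagentforwarding no
    want allowtcpforwarding local     # only -L style forwards
    want permitopen "$target"         # and only to this destination
}

# Constructed sample: settings for an account with no per-user restrictions.
sample_unrestricted() {
    cat <<'EOF'
permittty yes
x11forwarding no
allowagentforwarding yes
allowtcpforwarding yes
permitopen any
EOF
}

# Constructed sample: what a Match User block setting PermitTTY no,
# AllowAgentForwarding no, AllowTcpForwarding local and
# PermitOpen localhost:5432 would yield.
sample_restricted() {
    cat <<'EOF'
permittty no
x11forwarding no
allowagentforwarding no
allowtcpforwarding local
permitopen localhost:5432
EOF
}

sample_unrestricted | tunnel_only_gaps localhost:5432
```

An empty result means every listed restriction is in place for that account.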

Disable linux user authentication except through ldap

For example I have one user named user1 on my linux server, with password p1. Then I set up a ldap server and add user1 with password p2. Turns out now I can login as user1 with both p1 and p2. How can I disable p1?
passwd -l user
That will lock the user account. As you are using LDAP authentication, you do not need the user on the server. passwd -u user will undo this.
Alternatively, you can accomplish the same thing by prepending a ! to the user's password in /etc/shadow (this is all passwd -l does behind the scenes).

SSH automatic login invalidation

Let's say I have two unix machines, shell1 and shell2, and I want to connect automatically without a password from user1@shell1 to user2@shell2.
So I execute ssh-copy-id -i /home/user1/.ssh/id_rsa.pub user2@shell2, confirm host adding and insert user2 of shell2 password and I have automatic ssh login. Good!
But my question is: what happens if user2@shell2 changes password? Will the automatic login behave as before or will I have to register again user1@shell1 against user2@shell2?
SSH public/private key authentication is independent of the passwords you set.
The key stored (as authorized keys) on the machine you want to connect to matches the private key of the user trying to connect.
For example:
```bash
#!/bin/bash
# Here the user is ubuntu
mkdir -p /home/ubuntu/.ssh
# Append the public key of the connecting user to authorized_keys
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBR1l4eRUrSK4YPruFtV0Z5rVYCeZN/aTv69fWScP1PHTRHc0hlK2NL97RmDQq6oCgkUibbBWdKx+jfjlu2UxNhWOTIeW3SIiVxLyRZTWBcwyaUfn2LOQO6DVuUfc+D2crBCRCI61xUHHx8ObamhW8FjWWugbBa2bdP8JcMu4H/jr+nOVfRE99n/FLUdDoiClDQpJOh1YzNwbHNZdkxrEaTuLbPF+81fGcR3OtSvacJBtldCjjtwnuB/eZ1vMzaa0IiW629amKnEhuhM3wCl8OEX8v++c8ifmxEPmuoVqbg2i1ePPVMJ/zbWerhkAFz4xvYhXCJ0DgLx52MtBw3C2f niks@ubuntu' >> /home/ubuntu/.ssh/authorized_keys
# The user must own the directory and the key file
chown ubuntu:ubuntu /home/ubuntu/.ssh
chown ubuntu:ubuntu /home/ubuntu/.ssh/authorized_keys
# Remove all group and other access
chmod go-rwx /home/ubuntu/.ssh
chmod go-rwx /home/ubuntu/.ssh/authorized_keys
```
Use this script with your own key and your machine will be ready to connect via ssh.

need to make password less login for same linux server with same user

I need to make a passwordless login for the same Linux server with the same user.
```
[airwide@eir ~]$ hostname -i
10.3.7.73
[airwide@eir ~]$ ssh airwide@10.3.7.73
airwide@10.3.7.73's password:
```
How can I make it passwordless for the same server?

Password-free login via SSH is managed using SSH keys. You can generate a keypair using the command ssh-keygen. The ssh keypair is usually stored in ~/.ssh in a pair of files named id_rsa and id_rsa.pub. When you use SSH to connect to a server, the SSH command will look for a private key in ~/.ssh/id_rsa, and will attempt to authenticate using that key. In order to authorize the key, you will need to place the public key into your authorized_keys file:
`cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`
Once you've done that, you will be able to use SSH to connect without a password from the server where the id_rsa file is to the server that has the content of id_rsa.pub in its authorized_keys file. (You can do this for same-server, as in your question, or between multiple servers. Either way, it's the same process.)
Add server's private key in known host key under .ssh folder.
You are looking for ssh keys. You can create one by entering ssh-keygen. This will create a public key and a private key. You place the public key on the remote server, and then you can use SSH without a password.
More details, and howto:
https://wiki.archlinux.org/index.php/SSH_keys

Why must a UNIX user have a password?

I am configuring the ssh server on my raspberry pi so that it only supports key-based authentication.
I have created a user on the server and set up the ~/.ssh directory with my public key and correct permissions.
The user is currently marked as 'locked' because it does not have a password. This causes openssh to refuse the connection.
```
# /var/log/auth.log
Aug 9 09:05:26 raspberrypi sshd[6875]: User foo not allowed because account is locked
Aug 9 09:05:26 raspberrypi sshd[6875]: input_userauth_request: invalid user foo [preauth]
Aug 9 09:05:26 raspberrypi sshd[6875]: Connection closed by 192.168.0.4 [preauth]
```
Ideally, I don't want a password. I have already authenticated via PKI.
Perhaps I could set the password to 'password', or a random string - but that seems messy.
Any recommendations?
EDIT:
Just to clarify, my account is locked because it doesn't have a password, i.e.
```
$ passwd -u foo
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.
```

Petesh's solution is correct:
```
usermod -p '*' foo
```
From the man page for shadow:
"If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means)."

No, it's telling you the account is locked, not that it doesn't have a password. You lock an account to prevent people from logging in using that account, even via SSH. You generally can only switch to a locked account using su or sudo.
The rules are described in the shadow manual page which says:
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
The logic is * will never match a password, but doesn't mean locked, while ! means locked.
This encrypted password is stored, generally, in the shadow file and can be changed using the passwd command or the usermod command. If you wish to change the password to one that doesn't work, then you can change to one starting with *, which will never match a password, so, for example, using the usermod command:
```
bubble ~ [2]> sudo usermod -L freerad
bubble ~> sudo grep freerad /etc/shadow
freerad:!*:16197:0:99999:7:::
```
This is a locked freerad account. ssh should prevent you from logging in using that account even if you use public/private key pairs.
```
bubble ~> sudo usermod -p '*' freerad
bubble ~> sudo grep freerad /etc/shadow
freerad:*:16291:0:99999:7:::
```
This freerad account has a never-matchable password. The account is not locked, but if you were to login using ssh public/private keys it would not prevent you from logging in.
Try unlocking it with
passwd -u foo
Being locked and not having a password are two different things.
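
The distinction the answers above draw between a `!` prefix (locked) and a `*` field (never matches a password, not locked), as an added example that is not part of the original answers. It classifies the password field of shadow(5)-format lines; the function names are hypothetical, the first sample entry is the freerad line quoted above, and the remaining entries are constructed.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5) entries.

# classify_shadow_field FIELD -> locked | never-matches | empty | hashed | other
classify_shadow_field() {
    case "$1" in
        '')   echo empty ;;          # no password at all
        '!'*) echo locked ;;         # what passwd -l / usermod -L produce
        '*'*) echo never-matches ;;  # no password login, account not locked
        '$'*) echo hashed ;;         # crypt(3) hash in $id$salt$hash form
        *)    echo other ;;          # legacy hash or another invalid string
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user state" per entry.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s %s\n' "$user" "$(classify_shadow_field "$field")"
    done
}

# Sample input: first line as quoted on the page, the rest constructed.
sample_shadow() {
    cat <<'EOF'
freerad:!*:16197:0:99999:7:::
keyonly:*:16291:0:99999:7:::
svc:!$6$constructedsalt$constructedhash:16291:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16291:0:99999:7:::
nopass::16291:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real system the same function can be fed with `sudo cat /etc/shadow | audit_shadow`.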
