I am configuring the ssh server on my raspberry pi so that it only supports key-based authentication.
I have created a user on the server and set up the ~/.ssh directory with my public key and correct permissions.
The user is currently marked as 'locked' because it does not have a password. This causes openssh to refuse the connection.
# /var/log/auth.log
Aug 9 09:05:26 raspberrypi sshd[6875]: User foo not allowed because account is locked
Aug 9 09:05:26 raspberrypi sshd[6875]: input_userauth_request: invalid user foo [preauth]
Aug 9 09:05:26 raspberrypi sshd[6875]: Connection closed by 192.168.0.4 [preauth]
Ideally, I don't want a password. I have already authenticated via PKI.
Perhaps I could set the password to 'password', or a random string - but that seems messy.
Any recommendations?
EDIT:
Just to clarify, my account is locked because it doesn't have a password, i.e.
$ passwd -u foo
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.
Petesh's solution is correct:
usermod -p '*' foo
From the man page for shadow:
"If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means)."
No, it's telling you the account is locked, not that it doesn't have a password. You lock an account to prevent people from logging in using that account, even via SSH. You generally can only switch to a locked account using su or sudo.
The rules are described in the shadow manual page which says:
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
The logic is * will never match a password, but doesn't mean locked, while ! means locked.
This encrypted password is stored, generally, in the shadow file and can be changed using the passwd command or the usermod command. If you wish to change the password to one that doesn't work, then you can change to one starting with *, which will never match a password, so, for example, using the usermod command:
bubble ~ [2]> sudo usermod -L freerad
bubble ~> sudo grep freerad /etc/shadow
freerad:!*:16197:0:99999:7:::
This is a locked freerad account. ssh should prevent you from logging in using that account even if you use public/private key pairs.
bubble ~> sudo usermod -p '*' freerad
bubble ~> sudo grep freerad /etc/shadow
freerad:*:16291:0:99999:7:::
This freerad account has a never-matchable password. The account is not locked, but if you were to log in using ssh public/private keys it would not prevent you from logging in.
Try unlocking it with
passwd -u foo
Being locked and not having a password are two different things.
I am building a yocto image and I do not want anyone to be able to log in as root on it. I do not wish to remove the account, but here is what I want to accomplish.
I want to disable root account access from the terminal as well as ssh, or create a password that will never validate.
I want to make all files root-owned and set them to 700 permissions.
Add these lines to your image recipe.
inherit extrausers
EXTRA_USERS_PARAMS = "usermod -L -e 1 root; "
This locks the password and expires the account. Make sure you don't have debug-tweaks or empty-root-password in your IMAGE_FEATURES.
$ man usermod
...
-e, --expiredate EXPIRE_DATE
The date on which the user account will be disabled. The date is
specified in the format YYYY-MM-DD.
An empty EXPIRE_DATE argument will disable the expiration of the
account.
This option requires a /etc/shadow file. A /etc/shadow entry will
be created if there were none.
...
-L, --lock
Lock a user's password. This puts a '!' in front of the encrypted
password, effectively disabling the password. You can't use this
option with -p or -U.
Note: if you wish to lock the account (not only access with a
password), you should also set the EXPIRE_DATE to 1.
Checked:
Login with ssh is not possible, even though PermitRootLogin yes is set in /etc/ssh/sshd_config
$ su - root is not possible, even though the login shell in /etc/passwd still points to /bin/bash instead of /sbin/nologin
Login to the ftp server via root is not possible
Not Checked:
I did not check what happens if we add systemd.unit=rescue.target or systemd.unit=emergency.target to the kernel commandline.
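As an added example that is not part of either thread above, the following POSIX sh script classifies /etc/shadow entries using the two rules the answers rely on: the password-field rules from shadow(5) that the first thread quotes (a leading `!` locks the password, `*` never matches crypt(3), an empty field means no password at all), and the account expiry field that the yocto answer sets with `usermod -e 1`. The sample shadow lines are constructed for the demonstration; the user names and hashes are placeholders, and `shadow_state` takes "today" as a days-since-epoch number so it can be tested without touching the real file.

```shell
#!/bin/sh
# Added example (not from the original posts): classify an /etc/shadow
# entry by its password field and its account expiry field.  The field
# rules come from shadow(5) and usermod(8); the sample data below is
# constructed and the hashes are placeholders.

# shadow_state LINE TODAY
#   LINE  : one /etc/shadow line
#   TODAY : current day as days since 1970-01-01, e.g. $(( $(date +%s) / 86400 ))
# Prints two words: <password-state> <account-state>
#   password-state: empty | locked | unusable | hashed
#   account-state : expired | active
shadow_state() {
    line=$1
    today=$2
    pw=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)

    case "$pw" in
        '')   pstate=empty ;;     # no password at all: anything is accepted
        '!'*) pstate=locked ;;    # usermod -L / passwd -l: sshd refuses the account
        '*'*) pstate=unusable ;;  # never matches crypt(3); key or LDAP login still works
        *)    pstate=hashed ;;    # ordinary crypt(3) hash
    esac

    # Field 8 is the expiry day; empty means the account never expires.
    # usermod -e 1 stores 1 (1970-01-02), which is in the past on any live system.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        astate=expired
    else
        astate=active
    fi
    printf '%s %s\n' "$pstate" "$astate"
}

# audit_shadow FILE: report the state of every account in a shadow-format file.
audit_shadow() {
    file=$1
    today=$(( $(date +%s) / 86400 ))
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        set -- $(shadow_state "$line" "$today")
        printf '%-10s password=%-8s account=%s\n' "$user" "$1" "$2"
    done < "$file"
}

# Constructed sample mirroring the states discussed in the answers
# (foo after passwd -l, freerad after usermod -L, keyonly after usermod -p '*',
# root after usermod -L -e 1, a normal account, and a passwordless one).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
foo:!:16197:0:99999:7:::
freerad:!*:16197:0:99999:7:::
keyonly:*:16291:0:99999:7:::
root:!$6$saltsalt$placeholderhash:16291:0:99999:7::1:
admin:$6$saltsalt$placeholderhash:16291:0:99999:7:::
nopass::16291:0:99999:7:::
EOF
audit_shadow "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against the real file with `sudo sh -c '. ./shadow_state.sh; audit_shadow /etc/shadow'` on a box where you want to see which accounts are merely "unusable password" (still reachable with a key) versus actually locked or expired; `*` alone, as the first answer notes, does not stop key-based ssh logins.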
For example, I have one user named user1 on my linux server, with password p1. Then I set up an LDAP server and add user1 with password p2. It turns out I can now log in as user1 with both p1 and p2. How can I disable p1?
passwd -l user
That will lock the user account; as you are using LDAP authentication, you do not need the user on the server. And passwd -u user will undo this.
Alternatively, you can accomplish the same thing by prepending a ! to the user's password in /etc/shadow (this is all passwd -l does behind the scenes).
I have a user on my linux machine. The user logs in using an ssh key. The user does not have a password. I want to create a password for this user, as a password is required to access an application (R-studio server) I am trying to run.
To create a password for your user, you can use: sudo passwd yourUser
As per requirement: ssh -t udayan@udayan_maurya_machine passwd
You can set the password at the time of login to the machine via ssh.
One of our users is on leave for a few days and I want to stop him accessing the systems for these days.
should I
Add * to his encrypted password
or delete the user from the /etc/passwd file
or remove the user's encrypted password
or rename username to root
or set his user ID to -1
Which option should I go for out of the above?
It's for access to a Linux system (Ubuntu). Not sure where you found those listed options, but in general try to use the system's tools to manage the system.
Simply lock the account:
sudo passwd -l [user_name]
Alternatively you can put an expire date on the account:
# passwd -e takes no date (it only expires the current password); usermod -e or chage -E set the account expiry date
sudo usermod -e YYYY-MM-DD [user_name]
To unlock a locked account:
sudo passwd -u [username]
I want to have a database user on my RHEL6 server. Since a DB user is just a DB user, I don't want that user to be able to log in to a shell. I know I can define the user as nologin, but that way the user won't be able to change his/her password either.
So how can I prevent the user from logging in while at the same time allowing him/her to change the password?
Use IPA for centralized user management. It allows users to change passwords even if they cannot login.
I have figured out a quick and dirty way to do it.
First, the user should have the right to log in.
Then, run these commands:
$ sudo useradd -m -d /home/username -s /bin/bash -N -g users -c "login is forbidden for this user" username
# home directory owned by root and read-only, so the user cannot replace the profile
$ sudo chown root:users /home/username
$ sudo chmod 555 /home/username
# ignore SIGINT (CTRL+C), run passwd, then end the session; the file is root-written via tee
$ echo "trap '' 2" | sudo tee -a /home/username/.bash_profile
$ echo "passwd" | sudo tee -a /home/username/.bash_profile
$ echo "logout" | sudo tee -a /home/username/.bash_profile
$ sudo passwd username
Now the user 'username' can log in to change the password, and then logs out right after changing it. He/she can't do anything other than change his/her password.
CTRL+C is also blocked.
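As an added example that is not part of the answer above, the same "password change only" restriction can be enforced by sshd itself with a per-user ForceCommand. The difference matters: .bash_profile is only read by interactive login shells, so `ssh username@host bash` (or any remote command) skips it, whereas ForceCommand replaces whatever command the client asked for. The script below renders and installs such a block; it assumes a modern OpenSSH that includes /etc/ssh/sshd_config.d/ (the Debian/Ubuntu default), passwd at /usr/bin/passwd, and uses "dbuser" as a placeholder user name.

```shell
#!/bin/sh
# Added example (not from the original answer): confine an account to running
# passwd over ssh with an sshd Match block.  Assumes OpenSSH with an
# /etc/ssh/sshd_config.d include directory and passwd at /usr/bin/passwd;
# "dbuser" is a placeholder account name.

# render_passwd_only_block USER: print the sshd_config Match block for USER.
# Every session for USER runs passwd regardless of the requested command;
# forwarding and tunnels are turned off so the session cannot be used for
# anything else.  PermitTTY stays on because passwd reads from the terminal.
render_passwd_only_block() {
    user=$1
    cat <<EOF
Match User $user
    ForceCommand /usr/bin/passwd
    PermitTTY yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# install_passwd_only USER: write the block as a drop-in, validate the whole
# configuration with sshd -t, and reload sshd.  Needs root; on a validation
# failure the drop-in is removed again and the function returns non-zero.
install_passwd_only() {
    user=$1
    dropin=/etc/ssh/sshd_config.d/50-${user}-passwd-only.conf
    render_passwd_only_block "$user" > "$dropin" || return 1
    chmod 0644 "$dropin"
    sshd -t || { rm -f "$dropin"; return 1; }
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

if [ "${1:-}" = "--install" ]; then
    install_passwd_only "${2:-dbuser}"
else
    render_passwd_only_block "${1:-dbuser}"
fi
```

Keep the account's login shell a real shell: sshd runs the forced command as `$SHELL -c '/usr/bin/passwd'`, so /sbin/nologin would defeat it; the restriction here comes from sshd, not from the shell. This only governs ssh sessions, so local `su - dbuser` from another account still yields a shell, which matches the original question's scope (no shell login, password changes allowed).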