Tags: linux, unix, ssh, public-key-encryption, openssh

Why must a UNIX user have a password?


I am configuring the ssh server on my raspberry pi so that it only supports key-based authentication.

I have created a user on the server and set up the ~/.ssh directory with my public key and correct permissions.

The user is currently marked as 'locked' because it does not have a password. This causes openssh to refuse the connection.

# /var/log/auth.log

Aug  9 09:05:26 raspberrypi sshd[6875]: User foo not allowed because account is locked
Aug  9 09:05:26 raspberrypi sshd[6875]: input_userauth_request: invalid user foo [preauth]
Aug  9 09:05:26 raspberrypi sshd[6875]: Connection closed by 192.168.0.4 [preauth]

Ideally, I don't want a password. I have already authenticated via PKI.

Perhaps I could set the password to 'password', or a random string - but that seems messy.

Any recommendations?

EDIT:

Just to clarify, my account is locked because it doesn't have a password, i.e.

$ passwd -u foo
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.

Petesh's solution is correct:

usermod -p '*' foo

From the man page for shadow:

"If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means)."


Solution

  • No, it's telling you the account is locked, not that it doesn't have a password. You lock an account to prevent people from logging in using that account, even via SSH. You generally can only switch to a locked account using su or sudo.

    The rules are described in the shadow manual page which says:

    If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

    The logic is that * will never match a password but doesn't mean locked, while ! means locked.

    This encrypted password is stored, generally, in the shadow file and can be changed using the passwd command or the usermod command. If you wish to change the password to one that doesn't work, then you can change to one starting with *, which will never match a password, so, for example, using the usermod command:

    bubble ~ [2]> sudo usermod -L freerad
    bubble ~> sudo grep freerad /etc/shadow
    freerad:!*:16197:0:99999:7:::

    This is a locked freerad account. ssh should prevent you from logging in using that account even if you use public/private key pairs.

    bubble ~> sudo usermod -p '*' freerad
    bubble ~> sudo grep freerad /etc/shadow
    freerad:*:16291:0:99999:7:::

    This freerad account has a never-matchable password. The account is not locked, but if you were to log in using ssh public/private keys it would not prevent you from logging in.
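The distinction the answer draws (a "!"-prefixed field is a lock that sshd honours even for key logins; a bare "*" merely makes password login impossible) is easy to audit across a whole shadow file. The script below is an added example, not code from the question or the answer; it applies the shadow(5) rule quoted above to classify each entry, so an administrator setting up key-only accounts can confirm they ended up with "*" rather than "!" or an empty field. The sample shadow lines and the hash values in them are constructed for illustration, and the crypt(3) pattern it recognises (a 13-character traditional hash or a "$id$..." modular-crypt string) is an assumption of this example; on a real host you would read /etc/shadow as root.

```python
"""Classify the password field of /etc/shadow entries (added example).

Rule from shadow(5): a field that is not a valid crypt(3) result (for instance
'!' or '*') means the user cannot log in with a unix password but may log in by
other means. OpenSSH additionally treats a field beginning with '!' as a locked
account and refuses even key-based logins, which is the "account is locked"
message in the question's auth.log.
"""
import re

# Constructed sample lines in shadow(5) format (hash strings are fake):
#   name:password:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:16291:0:99999:7:::
freerad:!*:16197:0:99999:7:::
foo:*:16291:0:99999:7:::
bar:!$6$somesalt$hashhashhashhash:16291:0:99999:7:::
baz::16291:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

# Assumed shape of a crypt(3) result: traditional 13-char DES hash, or a
# modular-crypt string such as $6$..., $y$..., $2b$...
_CRYPT_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def classify(password_field: str) -> str:
    """Return 'locked', 'no-password-login', 'passwordless' or 'password'.

    'locked'            starts with '!' (usermod -L / passwd -l); sshd refuses
                        the account entirely, keys included.
    'no-password-login' not a crypt(3) result and not '!'-prefixed (e.g. '*'):
                        password auth impossible, key auth still allowed.
    'passwordless'      empty field: no password is required at all.
    'password'          looks like a valid crypt(3) hash.
    """
    if password_field == "":
        return "passwordless"
    if password_field.startswith("!"):
        return "locked"
    if _CRYPT_RE.match(password_field):
        return "password"
    return "no-password-login"


def audit(shadow_text: str) -> dict:
    """Map each user name to its classification, skipping malformed lines."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow entry
        result[fields[0]] = classify(fields[1])
    return result


def key_only_accounts(shadow_text: str) -> list:
    """Accounts that can log in only by non-password means, e.g. SSH keys."""
    return sorted(user for user, state in audit(shadow_text).items()
                  if state == "no-password-login")


if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW).items():
        print(f"{user:10s} {state}")
    print("key-only:", key_only_accounts(SAMPLE_SHADOW))
```

Running it over the constructed sample reports freerad and bar as locked (the state that produced the question's auth.log message), foo and daemon as key-only, baz as passwordless (the state that passwd -u refused to create), and root as having a real password. The 'passwordless' class is the one worth flagging in an audit, since it is exactly what usermod -p '*' avoids.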