Tags: passwords, debian, user-accounts, pam

Debian: How to set an empty password for user "sync"?


The Debian documentation at https://wiki.debian.org/SystemGroups says:

sync: The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they don't have an account.

I want to follow that advice. But it is not easy to allow an empty-password login for a particular user.

I guess I would have to re-configure PAM somehow to allow this.

What is the least intrusive way to do this?

I do not want to allow empty passwords for all users, just for this particular user.

I would also prefer to add an additional "plug-in" configuration file to /etc/pam.d/ rather than modifying an existing file there (which might create trouble for future updates).

Is this possible? And if so, how?


Solution

  • the easiest way is probably to directly edit your password-file:

    # vipw -s
    

    (this will open the shadow file (-s) with the "password editor" (vipw)).

    1. locate the "sync" entry (it will look like sync:*:12345:0:99999:7:::)
    2. the second entry (*) in the line is the actual password (* being an illegal password, so the account is actually locked; if you have set a real password, you will see some hash value)
    3. remove the password, so you get something like sync::12345:0:99999:7::: (so there is nothing between the 1st and the 2nd colon; keep the rest of the line intact)
    4. save the file and exit the editor

    now you are done. test by logging in as user sync.

    # login -f sync
    

    otoh, I'm not really sure whether this is really what you want (as it requires physical access to the computer to log in as the sync user. ssh will prohibit empty passwords,...)
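
Added example (not part of the original answer): a check to run after the shadow edit described above, listing every account whose password field is empty and flagging any that is not sync with shell /bin/sync. The function names `audit_empty_passwords` and `demo` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# audit_empty_passwords SHADOW PASSWD ALLOWED_USER ALLOWED_SHELL
# Prints one line per account whose shadow password field (field 2) is empty.
# Exit status is 1 if any such account is not ALLOWED_USER with ALLOWED_SHELL.
audit_empty_passwords() {
    awk -F: -v user="$3" -v shell="$4" '
        BEGIN { bad = 0 }
        # First file (passwd format): remember each login shell (field 7).
        NR == FNR { sh[$1] = $7; next }
        # Second file (shadow format): only entries with an empty field 2.
        NF >= 2 && $2 == "" {
            s = ($1 in sh) ? sh[$1] : "-"
            if ($1 == user && s == shell) {
                print "EXPECTED " $1 " " s
            } else {
                print "UNEXPECTED " $1 " " s
                bad = 1
            }
        }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed sample files (not from a real system) to show the output.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:12345:0:99999:7:::
sync::12345:0:99999:7:::
alice::12345:0:99999:7:::
EOF
    rc=0
    audit_empty_passwords "$dir/shadow" "$dir/passwd" sync /bin/sync || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# On a real system, as root:
#   audit_empty_passwords /etc/shadow /etc/passwd sync /bin/sync
demo || echo "review the UNEXPECTED entries above"
```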