useradd, but not set password

deanhiller · #1 8th February 2006, 10:22 AM

what happens in linux if I run the useradd command but I never set the password. ie. I don't specify it when adding the user and don't run the passwd command to add it. Is the password disabled then such that it cannot be used to ssh in to the box? This is exactly what I want, but would like to know if this is true.

Also, still waiting on that other post. Is there no way to send mail if someone tries to login to ssh and uses the wrong user and/or password?

thanks,
dean

reddazz · #2 9th February 2006, 03:58 AM

If you don't set a password, then the user won't be able to login to the system. If you want to use ssh without entering your password, there are articles on the net that show how to do this. Just search for "ssh+no+password".

***Firewing1*** · #3 9th February 2006, 04:04 AM

If you want to set a default password for them, then type

Code:

su -
passwd user

Enjoy.
BTW, personally I like to set their default passwd to their real name (not unix username) but make it leet. EG, "d34nh1113r". hard to crack by brute force.
Firewing1

deanhiller · #4 9th February 2006, 10:11 AM

raddazz, are you 100% sure????? I have not set the password for the user and can still login with that user name using a certificate and no password since ssh skips the password prompt step when using client certificates. If I don't set the user password, does this mean there is not a password at all for the user on linux?

firewing, thanks for the info. I actually know how to set the password. thanks for the info though.

Lastly, I want a computer where every user except one user can only use certificates. All the info on the internet points to forcing all users to use certificates. I want to do all users except one user.

thanks for the info guys,
dean

foobar47 · #5 9th February 2006, 01:27 PM

Quote:

Originally Posted by deanhiller

I have not set the password for the user and can still login with that user name using a certificate and no password since ssh skips the password prompt step when using client certificates. If I don't set the user password, does this mean there is not a password at all for the user on linux?

Of course, you use certificates...

If you don't put any password to the user, it won't be able to connect either on SSH or on system at all !
You can if you put su from root shell...

Quote:

Lastly, I want a computer where every user except one user can only use certificates. All the info on the internet points to forcing all users to use certificates. I want to do all users except one user.

Use a certificate for all user and restrict ssh access to this user.
Look at the 'AllowUsers' directive in sshd_config. You can use something to
the like of 'AllowUsers root at 10.0.0.1 root at 10.0.0.1 etc'. You can also use
wildcards in the fields.

Quote:

Deny/All specific users

By default any user that can have an interactive login (a shell) will be allowed to SSH. All typical user accounts and some system accounts fall in this catagory. Typically all users do not need SSH access and daemon/system accounts with shells should typically not be allows to SSH.

To restrict the SSH access to set users you can either Allow everyone and deny the specific account or deny all and allow only specific accounts. This can be done per user or per group

The following changes can be made to the default config to restrict user access.

* AllowUsers: a list of allowed users seperated by spaces (example: AllowUsers bob mary joe
* AllowGroups: a list of allowed user groups seperated by spaces (example: AllowGroups admins webadmins
* DenyUsers: a list of denied users seperated by spaces (example: DenyUsers oracle
* DenyGroups: a list of denied user groups seperated by spaces (example: DenyGroups users

Any of the above settings can be made more advanced by restricting them to certain hosts or by using wildcards. (example: AllowUsers oracle@*.ku.edu restricting logins to the Oracle account to particular that particular user from a computer with an on campus DNS name.

Quote:

Also, still waiting on that other post. Is there no way to send mail if someone tries to login to ssh and uses the wrong user and/or password

This is done by LogWatch... Something like that :

Quote:

--------------------- SSHD Begin ------------------------

Users logging in through sshd:
root:
my-machine.mydomain.com (256.256.256.256): 1 time

---------------------- SSHD End -------------------------

It send you user which can log and who can't...

deanhiller · #6 9th February 2006, 02:09 PM

your rock!!! thanks much for the info. yes, I should definitely turn off shell access for these users. They are ssh only.

foobar47 · #7 9th February 2006, 02:27 PM

you're welcome