Is it safe to set password in /etc/passwd to * on Linux to prevent password login?
AFAIK, the second field of /etc/passwd can be
- x: password is in shadow
- hashed password
What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.
linux passwd
|
show 3 more comments
AFAIK, the second field of /etc/passwd can be
- x: password is in shadow
- hashed password
What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.
linux passwd
And why notpasswd -l
?
– Panki
Feb 28 at 7:38
@Panki I still want the account to be usable, like ssh with cert.
– Magicloud
Feb 28 at 7:39
So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can usesudo
.
– Panki
Feb 28 at 7:42
@Panki Disable the password usage of the account. Anything that requires its password.
– Magicloud
Feb 28 at 7:43
What Unix are you running?
– Kusalananda
Feb 28 at 7:44
|
show 3 more comments
AFAIK, the second field of /etc/passwd can be
- x: password is in shadow
- hashed password
What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.
linux passwd
AFAIK, the second field of /etc/passwd can be
- x: password is in shadow
- hashed password
What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.
linux passwd
linux passwd
edited Feb 28 at 7:49
Magicloud
asked Feb 28 at 7:25
MagicloudMagicloud
253313
253313
And why notpasswd -l
?
– Panki
Feb 28 at 7:38
@Panki I still want the account to be usable, like ssh with cert.
– Magicloud
Feb 28 at 7:39
So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can usesudo
.
– Panki
Feb 28 at 7:42
@Panki Disable the password usage of the account. Anything that requires its password.
– Magicloud
Feb 28 at 7:43
What Unix are you running?
– Kusalananda
Feb 28 at 7:44
|
show 3 more comments
And why notpasswd -l
?
– Panki
Feb 28 at 7:38
@Panki I still want the account to be usable, like ssh with cert.
– Magicloud
Feb 28 at 7:39
So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can usesudo
.
– Panki
Feb 28 at 7:42
@Panki Disable the password usage of the account. Anything that requires its password.
– Magicloud
Feb 28 at 7:43
What Unix are you running?
– Kusalananda
Feb 28 at 7:44
And why not
passwd -l
?– Panki
Feb 28 at 7:38
And why not
passwd -l
?– Panki
Feb 28 at 7:38
@Panki I still want the account to be usable, like ssh with cert.
– Magicloud
Feb 28 at 7:39
@Panki I still want the account to be usable, like ssh with cert.
– Magicloud
Feb 28 at 7:39
So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use
sudo
.– Panki
Feb 28 at 7:42
So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use
sudo
.– Panki
Feb 28 at 7:42
@Panki Disable the password usage of the account. Anything that requires its password.
– Magicloud
Feb 28 at 7:43
@Panki Disable the password usage of the account. Anything that requires its password.
– Magicloud
Feb 28 at 7:43
What Unix are you running?
– Kusalananda
Feb 28 at 7:44
What Unix are you running?
– Kusalananda
Feb 28 at 7:44
|
show 3 more comments
1 Answer
1
active
oldest
votes
If /etc/shadow
exists, you should not be using the password hash field of the /etc/passwd
file. You should use the equivalent field in /etc/shadow
instead.
If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow
or in /etc/passwd
), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.
You should also know that the meaning of passwd -l
was changed.
Before August 2008, the passwd -l <username>
command was commonly equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>
In particular, the passwd
command in the shadow
source code package did exactly this.
On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.
The shadow
source code package was/is the upstream source of many distributions' passwd
commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.
Busybox's passwd
command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.
But if you find that running passwd -l <username>
also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:
echo "username:!" | chpasswd -e
This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.
A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u
. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
1
This looks distribution specific. I can confirm on Debian (Buster)passwd -l
does prepend a!
before before the hashed password in/etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian)password -l
does do more than simply lock password authentication.
– Philip Couling
Feb 28 at 10:24
Though ironically, even the debian man page forpasswd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.
– Philip Couling
Feb 28 at 10:34
@PhilipCouling: I just tested on Debian Stretch, andpasswd -l
does not disable SSH key authentication there. The intent of the change toshadow
suite'spasswd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster'spasswd -l
modify the account expiration field (= the one before the last colon) in/etc/shadow
?
– telcoM
Feb 28 at 12:04
Quoting from the manualman passwd
...This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this/var/log/auth.log
recordssshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
|
show 5 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503496%2fis-it-safe-to-set-password-in-etc-passwd-to-on-linux-to-prevent-password-logi%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
If /etc/shadow
exists, you should not be using the password hash field of the /etc/passwd
file. You should use the equivalent field in /etc/shadow
instead.
If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow
or in /etc/passwd
), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.
You should also know that the meaning of passwd -l
was changed.
Before August 2008, the passwd -l <username>
command was commonly equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>
In particular, the passwd
command in the shadow
source code package did exactly this.
On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.
The shadow
source code package was/is the upstream source of many distributions' passwd
commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.
Busybox's passwd
command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.
But if you find that running passwd -l <username>
also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:
echo "username:!" | chpasswd -e
This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.
A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u
. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
1
This looks distribution specific. I can confirm on Debian (Buster)passwd -l
does prepend a!
before before the hashed password in/etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian)password -l
does do more than simply lock password authentication.
– Philip Couling
Feb 28 at 10:24
Though ironically, even the debian man page forpasswd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.
– Philip Couling
Feb 28 at 10:34
@PhilipCouling: I just tested on Debian Stretch, andpasswd -l
does not disable SSH key authentication there. The intent of the change toshadow
suite'spasswd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster'spasswd -l
modify the account expiration field (= the one before the last colon) in/etc/shadow
?
– telcoM
Feb 28 at 12:04
Quoting from the manualman passwd
...This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this/var/log/auth.log
recordssshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
|
show 5 more comments
If /etc/shadow
exists, you should not be using the password hash field of the /etc/passwd
file. You should use the equivalent field in /etc/shadow
instead.
If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow
or in /etc/passwd
), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.
You should also know that the meaning of passwd -l
was changed.
Before August 2008, the passwd -l <username>
command was commonly equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>
In particular, the passwd
command in the shadow
source code package did exactly this.
On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.
The shadow
source code package was/is the upstream source of many distributions' passwd
commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.
Busybox's passwd
command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.
But if you find that running passwd -l <username>
also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:
echo "username:!" | chpasswd -e
This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.
A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u
. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
1
This looks distribution specific. I can confirm on Debian (Buster)passwd -l
does prepend a!
before before the hashed password in/etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian)password -l
does do more than simply lock password authentication.
– Philip Couling
Feb 28 at 10:24
Though ironically, even the debian man page forpasswd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.
– Philip Couling
Feb 28 at 10:34
@PhilipCouling: I just tested on Debian Stretch, andpasswd -l
does not disable SSH key authentication there. The intent of the change toshadow
suite'spasswd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster'spasswd -l
modify the account expiration field (= the one before the last colon) in/etc/shadow
?
– telcoM
Feb 28 at 12:04
Quoting from the manualman passwd
...This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this/var/log/auth.log
recordssshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
|
show 5 more comments
If /etc/shadow
exists, you should not be using the password hash field of the /etc/passwd
file. You should use the equivalent field in /etc/shadow
instead.
If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow
or in /etc/passwd
), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.
You should also know that the meaning of passwd -l
was changed.
Before August 2008, the passwd -l <username>
command was commonly equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>
In particular, the passwd
command in the shadow
source code package did exactly this.
On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.
The shadow
source code package was/is the upstream source of many distributions' passwd
commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.
Busybox's passwd
command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.
But if you find that running passwd -l <username>
also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:
echo "username:!" | chpasswd -e
This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.
A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u
. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.
If /etc/shadow
exists, you should not be using the password hash field of the /etc/passwd
file. You should use the equivalent field in /etc/shadow
instead.
If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow
or in /etc/passwd
), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.
You should also know that the meaning of passwd -l
was changed.
Before August 2008, the passwd -l <username>
command was commonly equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>
In particular, the passwd
command in the shadow
source code package did exactly this.
On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:
OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.
The shadow
source code package was/is the upstream source of many distributions' passwd
commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.
Busybox's passwd
command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.
But if you find that running passwd -l <username>
also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:
echo "username:!" | chpasswd -e
This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.
A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u
. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.
edited Feb 28 at 12:11
answered Feb 28 at 8:55
telcoMtelcoM
19.6k12448
19.6k12448
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
1
This looks distribution specific. I can confirm on Debian (Buster)passwd -l
does prepend a!
before before the hashed password in/etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian)password -l
does do more than simply lock password authentication.
– Philip Couling
Feb 28 at 10:24
Though ironically, even the debian man page forpasswd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.
– Philip Couling
Feb 28 at 10:34
@PhilipCouling: I just tested on Debian Stretch, andpasswd -l
does not disable SSH key authentication there. The intent of the change toshadow
suite'spasswd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster'spasswd -l
modify the account expiration field (= the one before the last colon) in/etc/shadow
?
– telcoM
Feb 28 at 12:04
Quoting from the manualman passwd
...This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this/var/log/auth.log
recordssshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
|
show 5 more comments
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
1
This looks distribution specific. I can confirm on Debian (Buster)passwd -l
does prepend a!
before before the hashed password in/etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian)password -l
does do more than simply lock password authentication.
– Philip Couling
Feb 28 at 10:24
Though ironically, even the debian man page forpasswd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.
– Philip Couling
Feb 28 at 10:34
@PhilipCouling: I just tested on Debian Stretch, andpasswd -l
does not disable SSH key authentication there. The intent of the change toshadow
suite'spasswd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster'spasswd -l
modify the account expiration field (= the one before the last colon) in/etc/shadow
?
– telcoM
Feb 28 at 12:04
Quoting from the manualman passwd
...This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this/var/log/auth.log
recordssshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
Thanks. But seems like the "redefine" has not spreaded to distros using busybox.
– Magicloud
Feb 28 at 9:01
1
1
This looks distribution specific. I can confirm on Debian (Buster)
passwd -l
does prepend a !
before before the hashed password in /etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l
does do more than simply lock password authentication.– Philip Couling
Feb 28 at 10:24
This looks distribution specific. I can confirm on Debian (Buster)
passwd -l
does prepend a !
before before the hashed password in /etc/shadow
. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l
does do more than simply lock password authentication.– Philip Couling
Feb 28 at 10:24
Though ironically, even the debian man page for
passwd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.– Philip Couling
Feb 28 at 10:34
Though ironically, even the debian man page for
passwd
suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.– Philip Couling
Feb 28 at 10:34
@PhilipCouling: I just tested on Debian Stretch, and
passwd -l
does not disable SSH key authentication there. The intent of the change to shadow
suite's passwd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l
modify the account expiration field (= the one before the last colon) in /etc/shadow
?– telcoM
Feb 28 at 12:04
@PhilipCouling: I just tested on Debian Stretch, and
passwd -l
does not disable SSH key authentication there. The intent of the change to shadow
suite's passwd -l
was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l
modify the account expiration field (= the one before the last colon) in /etc/shadow
?– telcoM
Feb 28 at 12:04
Quoting from the manual
man passwd
... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this /var/log/auth.log
records sshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
Quoting from the manual
man passwd
... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
Tests confirm that's exactly what it does. After this /var/log/auth.log
records sshd[7786]: User rodger not allowed because account is locked
– Philip Couling
Feb 28 at 12:47
|
show 5 more comments
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503496%2fis-it-safe-to-set-password-in-etc-passwd-to-on-linux-to-prevent-password-logi%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
And why not
passwd -l
?– Panki
Feb 28 at 7:38
@Panki I still want the account to be usable, like ssh with cert.
– Magicloud
Feb 28 at 7:39
So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use
sudo
.– Panki
Feb 28 at 7:42
@Panki Disable the password usage of the account. Anything that requires its password.
– Magicloud
Feb 28 at 7:43
What Unix are you running?
– Kusalananda
Feb 28 at 7:44