Is it safe to set password in /etc/passwd to * on Linux to prevent password login?












1















AFAIK, the second field of /etc/passwd can be




  • x: password is in shadow

  • hashed password


What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.










share|improve this question

























  • And why not passwd -l?

    – Panki
    Feb 28 at 7:38











  • @Panki I still want the account to be usable, like ssh with cert.

    – Magicloud
    Feb 28 at 7:39











  • So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use sudo.

    – Panki
    Feb 28 at 7:42













  • @Panki Disable the password usage of the account. Anything that requires its password.

    – Magicloud
    Feb 28 at 7:43











  • What Unix are you running?

    – Kusalananda
    Feb 28 at 7:44
















1















AFAIK, the second field of /etc/passwd can be




  • x: password is in shadow

  • hashed password


What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.










share|improve this question

























  • And why not passwd -l?

    – Panki
    Feb 28 at 7:38











  • @Panki I still want the account to be usable, like ssh with cert.

    – Magicloud
    Feb 28 at 7:39











  • So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use sudo.

    – Panki
    Feb 28 at 7:42













  • @Panki Disable the password usage of the account. Anything that requires its password.

    – Magicloud
    Feb 28 at 7:43











  • What Unix are you running?

    – Kusalananda
    Feb 28 at 7:44














1












1








1








AFAIK, the second field of /etc/passwd can be




  • x: password is in shadow

  • hashed password


What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.










share|improve this question
















AFAIK, the second field of /etc/passwd can be




  • x: password is in shadow

  • hashed password


What if I put a string less than 8 chars in the field? I do not want anyone to use password on this account.







linux passwd






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 28 at 7:49







Magicloud

















asked Feb 28 at 7:25









MagicloudMagicloud

253313




253313













  • And why not passwd -l?

    – Panki
    Feb 28 at 7:38











  • @Panki I still want the account to be usable, like ssh with cert.

    – Magicloud
    Feb 28 at 7:39











  • So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use sudo.

    – Panki
    Feb 28 at 7:42













  • @Panki Disable the password usage of the account. Anything that requires its password.

    – Magicloud
    Feb 28 at 7:43











  • What Unix are you running?

    – Kusalananda
    Feb 28 at 7:44



















  • And why not passwd -l?

    – Panki
    Feb 28 at 7:38











  • @Panki I still want the account to be usable, like ssh with cert.

    – Magicloud
    Feb 28 at 7:39











  • So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use sudo.

    – Panki
    Feb 28 at 7:42













  • @Panki Disable the password usage of the account. Anything that requires its password.

    – Magicloud
    Feb 28 at 7:43











  • What Unix are you running?

    – Kusalananda
    Feb 28 at 7:44

















And why not passwd -l?

– Panki
Feb 28 at 7:38





And why not passwd -l?

– Panki
Feb 28 at 7:38













@Panki I still want the account to be usable, like ssh with cert.

– Magicloud
Feb 28 at 7:39





@Panki I still want the account to be usable, like ssh with cert.

– Magicloud
Feb 28 at 7:39













So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use sudo.

– Panki
Feb 28 at 7:42







So what do you want to do exactly? Only disable a user from logging in via SSH with a password? Or do you want this for all users? The password might be important so the user can use sudo.

– Panki
Feb 28 at 7:42















@Panki Disable the password usage of the account. Anything that requires its password.

– Magicloud
Feb 28 at 7:43





@Panki Disable the password usage of the account. Anything that requires its password.

– Magicloud
Feb 28 at 7:43













What Unix are you running?

– Kusalananda
Feb 28 at 7:44





What Unix are you running?

– Kusalananda
Feb 28 at 7:44










1 Answer
1






active

oldest

votes


















3














If /etc/shadow exists, you should not be using the password hash field of the /etc/passwd file. You should use the equivalent field in /etc/shadow instead.



If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow or in /etc/passwd), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.



You should also know that the meaning of passwd -l was changed.



Before August 2008, the passwd -l <username> command was commonly equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>


In particular, the passwd command in the shadow source code package did exactly this.



On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e


So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.



The shadow source code package was/is the upstream source of many distributions' passwd commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.



Busybox's passwd command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.



But if you find that running passwd -l <username> also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:



echo "username:!" | chpasswd -e


This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.



A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.






share|improve this answer


























  • Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

    – Magicloud
    Feb 28 at 9:01






  • 1





    This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

    – Philip Couling
    Feb 28 at 10:24













  • Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

    – Philip Couling
    Feb 28 at 10:34













  • @PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

    – telcoM
    Feb 28 at 12:04













  • Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

    – Philip Couling
    Feb 28 at 12:47













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503496%2fis-it-safe-to-set-password-in-etc-passwd-to-on-linux-to-prevent-password-logi%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









3














If /etc/shadow exists, you should not be using the password hash field of the /etc/passwd file. You should use the equivalent field in /etc/shadow instead.



If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow or in /etc/passwd), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.



You should also know that the meaning of passwd -l was changed.



Before August 2008, the passwd -l <username> command was commonly equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>


In particular, the passwd command in the shadow source code package did exactly this.



On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e


So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.



The shadow source code package was/is the upstream source of many distributions' passwd commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.



Busybox's passwd command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.



But if you find that running passwd -l <username> also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:



echo "username:!" | chpasswd -e


This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.



A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.






share|improve this answer


























  • Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

    – Magicloud
    Feb 28 at 9:01






  • 1





    This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

    – Philip Couling
    Feb 28 at 10:24













  • Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

    – Philip Couling
    Feb 28 at 10:34













  • @PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

    – telcoM
    Feb 28 at 12:04













  • Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

    – Philip Couling
    Feb 28 at 12:47


















3














If /etc/shadow exists, you should not be using the password hash field of the /etc/passwd file. You should use the equivalent field in /etc/shadow instead.



If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow or in /etc/passwd), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.



You should also know that the meaning of passwd -l was changed.



Before August 2008, the passwd -l <username> command was commonly equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>


In particular, the passwd command in the shadow source code package did exactly this.



On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e


So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.



The shadow source code package was/is the upstream source of many distributions' passwd commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.



Busybox's passwd command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.



But if you find that running passwd -l <username> also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:



echo "username:!" | chpasswd -e


This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.



A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.






share|improve this answer


























  • Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

    – Magicloud
    Feb 28 at 9:01






  • 1





    This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

    – Philip Couling
    Feb 28 at 10:24













  • Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

    – Philip Couling
    Feb 28 at 10:34













  • @PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

    – telcoM
    Feb 28 at 12:04













  • Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

    – Philip Couling
    Feb 28 at 12:47
















3












3








3







If /etc/shadow exists, you should not be using the password hash field of the /etc/passwd file. You should use the equivalent field in /etc/shadow instead.



If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow or in /etc/passwd), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.



You should also know that the meaning of passwd -l was changed.



Before August 2008, the passwd -l <username> command was commonly equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>


In particular, the passwd command in the shadow source code package did exactly this.



On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e


So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.



The shadow source code package was/is the upstream source of many distributions' passwd commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.



Busybox's passwd command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.



But if you find that running passwd -l <username> also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:



echo "username:!" | chpasswd -e


This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.



A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.






share|improve this answer















If /etc/shadow exists, you should not be using the password hash field of the /etc/passwd file. You should use the equivalent field in /etc/shadow instead.



If you put an invalid string in the password hash field (whether the field that is in active use is in /etc/shadow or in /etc/passwd), password authentication will be disabled. However, putting in a string of non-standard length would be unexpected: I think it's better to use a character that is not used by the password hashing function. A non-standard-length password hash string might be assumed to be a copy/paste error in mass-editing the password file, but using a character that is outside the standard set is clearly deliberate.



You should also know that the meaning of passwd -l was changed.



Before August 2008, the passwd -l <username> command was commonly equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e
usermod --expiredate 1 <username>


In particular, the passwd command in the shadow source code package did exactly this.



On August 22, the command was changed from "locking the account" to "locking the password only". In other words, after the change the command now did only the equivalent of this:



OLDPW="$(grep ^<username>: /etc/shadow | cut -d : -f 2)"
echo "<username>:!$OLDPW" | chpasswd -e


So it still prefixed the encrypted password with an exclamation mark as before, but no longer also marked the entire account as disabled.



The shadow source code package was/is the upstream source of many distributions' passwd commands, and so the change ended up happening in many distributions. For example, RHEL 5 has the old behavior, but RHEL 6 follows the new one.



Busybox's passwd command has a separate codebase, so I have no idea which behavior they're following. A quick search through BusyBox's documentation seems to indicate it does not include password/account aging functionality at all.



But if you find that running passwd -l <username> also disables SSH key authentication for that user (i.e. the old behavior), you can instead lock the password only by setting it to any value that cannot be produced by the password hashing function. For example, like this:



echo "username:!" | chpasswd -e


This should be a pretty universal way to set an user account to a "non-password-based authentication only" state.



A relatively common convention seems to be to use an exclamation mark (either alone or prefixed to any previous contents of the password hash field) to indicate a locked password, and an asterisk (replacing the entire contents of the password hash field) to mark the account as a system account that is not supposed to be unlockable with passwd -u. However, other authentication mechanisms, like SSH keys, can function even if the password hash field has an invalid value.







share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 28 at 12:11

























answered Feb 28 at 8:55









telcoMtelcoM

19.6k12448




19.6k12448













  • Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

    – Magicloud
    Feb 28 at 9:01






  • 1





    This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

    – Philip Couling
    Feb 28 at 10:24













  • Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

    – Philip Couling
    Feb 28 at 10:34













  • @PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

    – telcoM
    Feb 28 at 12:04













  • Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

    – Philip Couling
    Feb 28 at 12:47





















  • Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

    – Magicloud
    Feb 28 at 9:01






  • 1





    This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

    – Philip Couling
    Feb 28 at 10:24













  • Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

    – Philip Couling
    Feb 28 at 10:34













  • @PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

    – telcoM
    Feb 28 at 12:04













  • Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

    – Philip Couling
    Feb 28 at 12:47



















Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

– Magicloud
Feb 28 at 9:01





Thanks. But seems like the "redefine" has not spreaded to distros using busybox.

– Magicloud
Feb 28 at 9:01




1




1





This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

– Philip Couling
Feb 28 at 10:24







This looks distribution specific. I can confirm on Debian (Buster) passwd -l does prepend a ! before before the hashed password in /etc/shadow. The result is honored by SSH; even where SSH is using public keys and not passwords and / or PAM, the account is locked. Therefore (at least on Debian) password -l does do more than simply lock password authentication.

– Philip Couling
Feb 28 at 10:24















Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

– Philip Couling
Feb 28 at 10:34







Though ironically, even the debian man page for passwd suggests public keys with SSH might still be allowed. I guess the authors can't speak for the authors of SSH.

– Philip Couling
Feb 28 at 10:34















@PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

– telcoM
Feb 28 at 12:04







@PhilipCouling: I just tested on Debian Stretch, and passwd -l does not disable SSH key authentication there. The intent of the change to shadow suite's passwd -l was to specifically create an intuitive way to create accounts that support only non-password-based authentication methods. Does Buster's passwd -l modify the account expiration field (= the one before the last colon) in /etc/shadow?

– telcoM
Feb 28 at 12:04















Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

– Philip Couling
Feb 28 at 12:47







Quoting from the manual man passwd ... This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password). Tests confirm that's exactly what it does. After this /var/log/auth.log records sshd[7786]: User rodger not allowed because account is locked

– Philip Couling
Feb 28 at 12:47




















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503496%2fis-it-safe-to-set-password-in-etc-passwd-to-on-linux-to-prevent-password-logi%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to make a Squid Proxy server?

Is this a new Fibonacci Identity?

19世紀