[Bug 1305228] [NEW] PasswordAuthentication "no" fails if user account has no password set

Wed Apr 9 18:31:33 UTC 2014

Public bug reported:

Adding the following options to the /etc/ssh/sshd_config file:

   PasswordAuthentication no
   UsePAM no

For the purpose of disallowing logins by users via password (instead of
public key).

Login via public key does work as expected for users that HAVE a
password defined (but will NEVER be requested per the configuration --
as designed).

For users created without a password, these options cause the ssh
connection to fail with the error message:

   Permission denied (publickey).

Setting a non-trivial password (of course) for the user causes the
subsequent ssh connection to succeed.

This seems counter to the intent of the sshd options -- to require a
user to have a valid password to never ask the password and only accept
public key authentication.

Description:	Ubuntu 12.04.4 LTS
Release:	12.04
openssh-server version 1:5.9p1-5ubuntu1.3

A *very* bad situation can occur if the root account has no valid
password, and instead relies on public key authentication.  Setting
these parameters in sshd_config will effectively lock the root user from
logging in directly to the system!  Combine with locking out all the
users, and you have a system with no user access!

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1305228

Title:
  PasswordAuthentication "no" fails if user account has no password set

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1305228/+subscriptions