Editing /etc/passwd to disable password not working

Santanu Chatterjee thisissantanu at gmail.com
Thu Mar 1 14:49:14 UTC 2012


On Thu, Mar 1, 2012 at 6:58 PM, Marius Gedminas <marius at pov.lt> wrote:
> On Thu, Mar 01, 2012 at 05:58:41PM +0530, Santanu Chatterjee wrote:
>> On Thu, Mar 1, 2012 at 4:13 PM, Ken Adams <adams.ken.j at gmail.com> wrote:
>> > On Thu, 2012-03-01 at 14:56 +0530, Santanu Chatterjee wrote:
>> >> Hello Everybody,
>> >>
>> >> I tried to disable the password of an account on my home Ubuntu 11.04
>> >> box, by blanking the 2nd field of the corresponding user line in
>> >> /etc/passwd and /etc/shadow file. However, whenever I try to log in to
>> >> the user account I am still being asked for the password and just
>> >> pressing 'enter' is not working.
>> >>
>> >> Is there something else that I should be doing? IIRC, I have tried
>> >> this some time back in probably Ubuntu 8.10 (or maybe some lower
>> >> version) and it used to work.
>> >>
>> >> Thanks and regards,
>> >> Santanu
>> >>
>> >
>> > If you use the following the account will stay in place but be inactive.
>> >
>> > sudo passwd --lock [LOGIN]
>> >
>> > If you wish to activate the account again then use...
>> >
>> > sudo passwd --unlock [LOGIN]
>> >
>> > This will activate the account with the original password.
>> >
>> > man passwd is your friend
>>
>> Yes, it's as you said. But this seems to be betraying me! Even "passwd
>> --delete [LOGIN]" does not render the account passwordless as apparent
>> from the manual. The commands you mentioned work, but I could do the
>> same thing using "sudo vipw" and "sudo vipw -s" to directly edit the
>> passwd and shadow files, and that works.
>
> /etc/shadow should be the only file you need to edit.  (But don't do
> that; use passwd --delete.)
>
>> I think there's something else in play here. Any ideas?
>
> Having a blank password may not be enough to log in; the PAM module
> needs to accept blank passwords too.  The default configuration uses
> pam_unix.so with nullok_secure, which means a blank password is only
> accepted if the user is trying to log in from a terminal listed in
> /etc/securetty.
>
> How exactly did you try to log in?  Via GDM?  /etc/securetty
> lists :0 so X logins should be allowed, but maybe GDM itself has
> an option about this?
>
> I see a curious line in /etc/pam.d/gdm on my 11.04 box:
>
>  auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
>
> Maybe this means gdm will accept passwordless logins if the user is
> added to a 'nopasswdlogin' group?  This is the first time I see such a
> group mentioned, though, so maybe I'm misunderstanding something.

Firstly, thanks a lot. It is indeed PAM that was behind all this. (I
really need to learn about this PAM stuff I managed to ignore so far)

Secondly, Oops. When I said blanking the 2nd field of the
corresponding user line in /etc/shadow did not make the account
passwordless, I was being careless. Actually I was using "su [LOGIN]"
to get into the account, which in turn was handled by /etc/pam.d/su
config file. But just now I tried a normal console login at that
account, and I could log in passwordless. So it was actually working.

Thirdly, after reading your mail (and some googling), I added a line
"auth sufficient pam_permit.so" in /etc/pam.d/su, and now, regardless
of the presence of a password in the shadow file, I can su to any account on
the system without password! Scary!

So, indeed PAM is the one I need to know more about.

Thanks again.

-Santanu
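
The PAM behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python check that parses PAM rule lines and flags `auth` rules that can let a login through without a password (a `sufficient` pam_permit.so, pam_unix.so with `nullok` or `nullok_secure`, a `sufficient` pam_succeed_if.so). The sample file contents and the finding labels are constructed for illustration, and `@include` lines are not followed.

```python
import re

# Constructed sample in the style of /etc/pam.d/su (not copied from a real system).
SAMPLE_SU = """\
# constructed sample
auth       sufficient pam_rootok.so
auth       sufficient pam_permit.so
auth       [success=1 default=ignore] pam_unix.so nullok_secure
auth       requisite  pam_deny.so
auth       required   pam_permit.so
session    required   pam_env.so readenv=1
@include common-auth
"""

# type, control (keyword or [bracketed list]), module path, optional arguments
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (lineno, type, control, module, args) for every rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):
            continue                              # includes are not followed here
        m = RULE_RE.match(line)
        if m:
            ptype, control, module, args = m.groups()
            yield (lineno, ptype.lstrip("-"), control,
                   module.rsplit("/", 1)[-1], args.split())

def audit(text):
    """Return (lineno, label) for auth rules that can skip the password check."""
    findings = []
    for lineno, ptype, control, module, args in parse_pam(text):
        if ptype != "auth":
            continue
        if module == "pam_permit.so" and control == "sufficient":
            findings.append((lineno, "permit-bypass"))
        elif module == "pam_unix.so" and "nullok" in args:
            findings.append((lineno, "blank-password-any-terminal"))
        elif module == "pam_unix.so" and "nullok_secure" in args:
            findings.append((lineno, "blank-password-securetty-only"))
        elif module == "pam_succeed_if.so" and control == "sufficient":
            findings.append((lineno, "conditional-bypass"))
    return findings

if __name__ == "__main__":
    for lineno, label in audit(SAMPLE_SU):
        print(f"line {lineno}: {label}")
```

Only `sufficient` pam_permit.so is flagged, so a trailing `auth required pam_permit.so` placed after a `requisite` pam_deny.so, as in the sample, is not reported.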



