Editing /etc/passwd to disable password not working
Marius Gedminas
marius at pov.lt
Fri Mar 2 14:58:26 UTC 2012
On Thu, Mar 01, 2012 at 08:19:14PM +0530, Santanu Chatterjee wrote:
> On Thu, Mar 1, 2012 at 6:58 PM, Marius Gedminas <marius at pov.lt> wrote:
> > On Thu, Mar 01, 2012 at 05:58:41PM +0530, Santanu Chatterjee wrote:
> >> On Thu, Mar 1, 2012 at 4:13 PM, Ken Adams <adams.ken.j at gmail.com> wrote:
> >> > On Thu, 2012-03-01 at 14:56 +0530, Santanu Chatterjee wrote:
> >> >> I tried to disable the password of an account on my home ubuntu 11.04
> >> >> box, by blanking the 2nd field of the corresponding user line in
> >> >> /etc/passwd and /etc/shadow file. However, whenever I try to login to
> >> >> the user account I am still being asked for the password and just
> >> >> pressing 'enter' is not working.
> >> >>
> >> >> Is there something else that I should be doing? IIRC, I have tried
> >> >> this some time back in probably ubuntu 8.10 (or maybe some lower
> >> >> version) and it used to work.
> >> >>
> >> >> Thanks and regards,
> >> >> Santanu
> >> >>
> >> >
> >> > If you use the following the account will stay in place but be inactive.
> >> >
> >> > sudo passwd --lock [LOGIN]
> >> >
> >> > If you wish to activate the account again then use...
> >> >
> >> > sudo passwd --unlock [LOGIN]
> >> >
> >> > This will activate the account with the original password.
> >> >
> >> > man passwd is your friend
> >>
> >> Yes, it's as you said. But this seems to be betraying me! Even "passwd
> >> --delete [LOGIN]" does not render the account passwordless as apparent
> >> from the manual. The commands you mentioned work, but I could do the
> >> same thing using "sudo vipw" and "sudo vipw -s" to directly edit the
> >> passwd and shadow files, and that works.
> >
> > /etc/shadow should be the only file you need to edit. (But don't do
> > that; use passwd --delete.)
> >
> >> I think there's something else in play here. Any ideas?
> >
> > Having a blank password may not be enough to log in; the PAM module
> > needs to accept blank passwords too. The default configuration uses
> > pam_unix.so with nullok_secure, which means a blank password is only
> > accepted if the user is trying to login from a terminal listed in
> > /etc/securetty.
> >
> > How exactly did you try to log in? Via GDM? /etc/securetty
> > lists :0 so X logins should be allowed, but maybe GDM itself has
> > an option about this?
> >
> > I see a curious line in /etc/pam.d/gdm on my 11.04 box:
> >
> > auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
> >
> > Maybe this means gdm will accept passwordless logins if the user is
> > added to a 'nopasswdlogin' group? This is the first time I see such a
> > group mentioned, though, so maybe I'm misunderstanding something.
>
> Firstly, thanks a lot. It is indeed PAM that was behind all this. (I
> really need to learn about this PAM stuff I managed to ignore so far)
>
> Secondly, Oops. When I said blanking the 2nd field of the
> corresponding user line in /etc/shadow did not make the account
> passwordless, I was being careless. Actually I was using "su [LOGIN]"
> to get into the account, which in turn was handled by /etc/pam.d/su
> config file. But just now I tried a normal console login at that
> account, and I could login passwordless. So it was actually working.
>
> Thirdly, after reading your mail (and some googling), I added a line
> "auth sufficient pam_permit.so" in /etc/pam.d/su, and now, regardless
> of presence of password in the shadow file, I can su to any account on
> the system without password! Scary!

Scary, yes. (And it lets any account su to any other account, AFAIU.)

Any reason you're using su and not sudo? /etc/sudoers is easier to
understand than /etc/pamd.*, at least for me. If you want to be able to
su to any user account without a password, sudo visudo

    youraccountname ALL = (ALL) NOPASSWD: ALL

and then use sudo -u anyaccount -i

Or if you want passwordless access to a single particular
otheruseraccount, use this in /etc/sudoers:

    youraccountname ALL = (otheruseraccount) NOPASSWD: ALL

> So, indeed PAM is the one I need to know more about.

Marius Gedminas
--
I once asked an older coworker and Solaris guru what happened with the
Unix-haters list. He told me that it stopped being quite so funny once Windows
NT came along.
-- the gnat at slashdot
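
Added example, not part of the original message or of any Ubuntu tooling: a small audit of PAM service files for the auth rules this thread turns on (a "sufficient" pam_permit.so, a "sufficient" pam_succeed_if.so condition, and pam_unix.so with nullok/nullok_secure). The function names, finding labels and sample file contents are constructed for illustration.

```python
import re

RULE = re.compile(r"^-?(?P<type>auth|account|password|session)\s+"
                  r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def logical_lines(text):
    """Yield (first_line_no, rule) with comments removed and '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        if line:
            yield start, line
        buf, start = "", None

def audit_pam(text, service):
    """Return (service, line_no, finding) for auth rules that can skip the password."""
    findings = []
    for n, line in logical_lines(text):
        m = RULE.match(line)
        if not m or m["type"] != "auth":
            continue  # @include lines and non-auth rules are out of scope here
        module = m["module"].rsplit("/", 1)[-1]
        short_circuit = m["control"] == "sufficient" or "success=done" in m["control"]
        if module == "pam_permit.so" and short_circuit:
            findings.append((service, n, "permit-sufficient"))
        elif module == "pam_succeed_if.so" and short_circuit:
            findings.append((service, n, "conditional-bypass: " + m["args"]))
        elif module == "pam_unix.so" and {"nullok", "nullok_secure"} & set(m["args"].split()):
            findings.append((service, n, "blank-password-ok"))
    return findings

# Constructed samples modelled on the lines quoted in the thread.
SAMPLE_SU = """\
# /etc/pam.d/su after the edit described above (constructed)
auth       sufficient pam_rootok.so
auth       sufficient pam_permit.so
@include common-auth
"""
SAMPLE_COMMON_AUTH = """\
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""
SAMPLE_GDM = "auth sufficient pam_succeed_if.so user ingroup nopasswdlogin\n"

if __name__ == "__main__":
    for name, text in (("su", SAMPLE_SU), ("common-auth", SAMPLE_COMMON_AUTH), ("gdm", SAMPLE_GDM)):
        for finding in audit_pam(text, name):
            print(*finding)
```

A "required" pam_permit.so at the end of a stack is not reported, since it only passes when every earlier required rule has already passed.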