Creating a user without a password
Nothing is wrong, the authentication failed as expected. You won’t get a «there is no password, you can’t login» error message.
Either create it as root and set the correct permissions, or execute su git as root where you don’t have to provide a password.
I just wanted to point out that letting the git user have Bash as a shell is a bad idea, security wise. That would allow users of this repo to get a shell in your server. If you set the shell to /usr/bin/git-shell you can limit their account to using git and nothing else. (You should also limit SFTP access but that can only be done from /etc/sshd_config). Now, once you changed the shell, «su» won’t work as-is. You’ll have to do «su -s /bin/sh git» instead.
7 Answers 7
The —disabled-password option will not set a password, meaning no password is legal, but login is still possible (for example with SSH RSA keys).
To create an user without a password, use passwd -d $username after the user is created to make the password empty. Note not all systems allow users with empty password to log in.
You’ve created a user with a “disabled password”, meaning that there is no password that will let you log in as this user. This is different from creating a user that anyone can log in as without supplying a password, which is achieved by specifying an empty password and is very rarely useful.
In order to execute commands as such “system” users who don’t log in normally, you need to hop via the root account:
If you want certain users to be able to run commands as the git user without letting them run commands as root, set up sudo (run visudo as root and add a line like %gitters ALL = (git) ALL ).
Ubuntu 19.10 seems like does not have —disabled-password parameter, could there be any alternative solution
@alper Write the full path: sudo -u git cat /wherever/main.py . Or add a cd command: sudo -u git sh -c ‘cd /wherever && cat main.py’ . If you want to be sure that the other user doesn’t get access to the current directory even if the command doesn’t do what was intended, change directories outside: (cd /wherever && sudo -u git cat main.py)
@alper You didn’t use the commands I posted. You used one of many variants (too many for me to guess the exact one) that would result in this particular error. You need to invoke a shell for cd and && .
If you want to access the system under the git user you should use sudo:
Create an user with empty password
sudo useradd test-user-0 echo test-user-0:U6aMy0wojraho | sudo chpasswd -e su test-user-0 The password prompt still shows unfortunately.
But if you just hit enter without typing anything, and it logins as the user test-user-0 .
The -e flags tells chpasswd that the password is already encrypted, and U6aMy0wojraho is the hash of the empty string.
Terminal autologin with getty -a
On the terminal at least, you don’t need to create an user without a password to allow someone to not type their passwords every time.
So I believe that it should not be very hard to adapt that technique by modifying Ubuntu 18.04’s systemd init system scripts to setup a getty -a terminal as mentioned in that answer, although I haven’t tried to do it myself.
Managing Linux users with the passwd command
Linux authentication is primarily handled with passwords and public keys. Find out how the passwd command fits into the user management process.
Unix-like operating systems. including Linux, were developed right from the start as preemptive multitasking and multi-user systems.
Multitasking refers to an operating system in which multiple processes, also called tasks, can execute (i.e., run) on a single computer seemingly simultaneously and without interfering with each other. Each process has the illusion that it is the only process on the computer and that it has exclusive access to all the services of the operating system.
Linux is multi-user because it allows multiple people to use a computer and not affect each other’s files, processes, preferences, etc.
Because there could be multiple users on the system, it is, therefore, necessary to manage their authentication. Authentication is primarily handled with passwords and public keys. One of the many tools available we use to set up passwords is the passwd command.
Linux security
The passwd command
The passwd command changes passwords for user accounts. A normal user may only change the password for their own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period. This task is achieved through calls to the Linux-PAM and libuser API.
In this article, I am assuming there are already users created on the system with useradd or some other command.
We can see users created on the system with this command:
[root@server ~]# cat /etc/passwdUse the man page as a reference for passwd . As with all Linux commands, there is a synopsis, which details how the command is used. The man page synopsis for passwd is as below:
passwd [options] [LOGIN] Running the passwd command without any argument will ask for a change of password for the user logged in.Options
Here is an explanation of some of the options for the passwd command:
The -S option displays the status of user account password settings.
# passwd -S evans evans PS 2020-09-07 0 99999 7 -1 (Password set, SHA512 crypt.)The output above shows the account evans was created on 7th September 2020 and has a password set with SHA512 encryption.
The -l option is used to lock the password of a specified account, and it is available to root only. The result is that the user cannot use the password to log in to the system but can use other means such as SSH public key authentication.
This option will unlock the password. This option works for an account that already has the password locked.
This is a quick way to delete a password for an account.
This is a quick way to expire a password for an account. The user will be forced to change the password during the next login attempt.
This sets the number of days before a password can be changed. By default, a value of zero is set, which indicates that the user may change their password at any time.
This means user2 cannot change its own password until 10 days have passed.
To confirm the password setting made with the -n option above, run the following command:
# passwd -S user1 user1 PS 2020-12-04 10 99999 7 -1 (Password set, SHA512 crypt.)The value of 10 after the date indicates the minimum number of days until the password can be changed.
Set the maximum number of days a password remains valid. After MAX_DAYS, the password is required to be changed.
This means after 90 days, the password is required to be changed.
Confirm the setting with passwd -S user1
[root@server ~]# passwd -S user1 user1 PS 2020-12-04 10 90 7 -1 (Password set, SHA512 crypt.)The value of 90 after 10 indicates the maximum password lifetime.
This will set the number of days in advance the user will begin receiving warnings that the password will expire.
This means the user will receive warnings that the password will expire 7 days before the expiration.
This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for INACTIVE days, the user may no longer sign on to the account.
This means after a user account has had an expired password for 5 days, the user may no longer sign on to the account.
This option indicates that passwd should read the new password from standard input, which can be a pipe.
# echo "userpasswd1"|passwd --stdin user1This command will read from the echo command and pass it to the passwd command. So this will set the user1 password to userpasswd1.
Wrap up
The passwd command is quite popular to manage user accounts on your Linux system. It manipulates some of the entries in the /etc/passwd file, and the sysadmin should have this in his toolbox.
passwd — Unix, Linux Command
The passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.
OPTIONS
| TAG | DESCRIPTION |
|---|---|
| -a, —all | This option can be used only with -S and causes show status for all users. |
| -d, —delete | Delete a user’s password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless. |
| -e, —expire | Immediately expire an account’s password. This in effect can force a user to change his/her password at the user’s next login. |
| -h, —help | Display help message and exit. |
| -g, —noheadings | Do not print a header line. |
| -h, —help | Display help text and exit. |
| -i, —inactive INACTIVE | This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for INACTIVE days, the user may no longer sign on to the account. |
| -k, —keep-tokens | Indicate password change should be performed only for expired authentication tokens (passwords). The user wishes to keep their non-expired tokens as before. |
| -l, —lock | Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ‘!’ at the beginning of the password). |
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod —expiredate 1 (this set the account’s expire date to Jan 2, 1970).
EXAMPLES
$ passwd
Changing password for ubuntu.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Change the password for the user named username:
$ sudo passwd user1
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Check the status of the password for the user named user1:
user1 P 05/13/2014 2 365 7 28
Here, we see the user's name (user1), followed by a P, indicating that his password is currently valid and usable. The password will expire on May 5, 2014. user1 cannot change his password more often than every 2 days, and must change the password every 365 days. He will be warned 7 days before a required password change, and if he allows his password to expire, his account will be disabled 28 days later.
Checks the password status for all user accounts, system-wide:
root L 12/27/2016 0 99999 7 -1
daemon L 08/05/2015 0 99999 7 -1
bin L 08/05/2015 0 99999 7 -1
sys L 08/05/2015 0 99999 7 -1
sync L 08/05/2015 0 99999 7 -1
games L 08/05/2015 0 99999 7 -1
man L 08/05/2015 0 99999 7 -1
lp L 08/05/2015 0 99999 7 -1
mail L 08/05/2015 0 99999 7 -1
news L 08/05/2015 0 99999 7 -1
uucp L 08/05/2015 0 99999 7 -1
proxy L 08/05/2015 0 99999 7 -1
www-data L 08/05/2015 0 99999 7 -1
backup L 08/05/2015 0 99999 7 -1
list L 08/05/2015 0 99999 7 -1
irc L 08/05/2015 0 99999 7 -1
gnats L 08/05/2015 0 99999 7 -1
nobody L 08/05/2015 0 99999 7 -1
libuuid L 08/05/2015 0 99999 7 -1
syslog L 08/05/2015 0 99999 7 -1
messagebus L 12/27/2016 0 99999 7 -1
dnsmasq L 12/27/2016 0 99999 7 -1
landscape L 12/27/2016 0 99999 7 -1
sshd L 12/27/2016 0 99999 7 -1
libvirt-qemu L 12/27/2016 0 99999 7 -1
libvirt-dnsmasq L 12/27/2016 0 99999 7 -1
ubuntu P 01/06/2017 0 99999 7 -1
user1 P 01/06/2017 0 99999 7 -1
Lock the password for user user1. user1 will be unable to log in until a system administrator unlocks it:
passwd: password expiry information changed.
Unlock user1’s password. It will automatically be reset to whatever it was before it was locked, and user1 will be able to log in again:
passwd: password expiry information changed.
Expire user1’s password. The next time he logs in, he will be required to set a new password.
passwd: password expiry information changed.
$ su user1
Password:
You are required to change your password immediately (root enforced)
Changing password for user1.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
Delete a user’s password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless.
passwd: password expiry information changed.