Create a Linux User with an Empty Password
I had a need to create a ‘guest’ account in one of my Linux installs which allows anonymous users within a trusted intranet to log in to a specially crafted script. One of the issues I faced was passwd refusing to accept a blank password. To allow empty-password logins, we must manually change the account password.
When we look at /etc/shadow, we will see something similar to:
username:$1$ADUODeAy$gRz7rO6P5lFcPpYwqd7Eb0:14929:0:99999:7.
The second field containing $1$ADUODeAy$gRz7rO6P5lFcPpYwqd7Eb0 is the password hash. The hash is delimited by $ and contains the following data:
- 1 denotes that the hash is an MD5 hash
- ADUODeAy is the salt
- gRz7rO6P5lFcPpYwqd7Eb0 is the actual password hash in MD5
To generate this hash manually, we can use openssl. We could use a different salt, but in this example, we use the same existing salt value.
# openssl passwd -1 -salt ADUODeAy
Password: [enter]
$1$ADUODeAy$eCJ1lPSxhSGmSvrmWxjLC1
Note that the first parameter, -1, tells openssl to use MD5 to generate the hash.
Replace the existing hash in /etc/shadow with the hash generated by openssl. The account now essentially has an empty password.
- You will need to temporarily change the permission of /etc/shadow in order to write to it.
- You will need to enable ‘PermitEmptyPasswords’ in /etc/ssh/sshd_config for empty password logins to work
- This can easily be a security risk to your machine! Ensure the account and server are locked down or use SSH keys for password-less logins! Remember, by default, users can SSH tunnel through this guest account. You must consider the implications of enabling such an account on your machine.
How do I set a blank password for the root user in slitaz [closed]
I am running slitaz distro, and would like to completely remove the root password. I have tried giving a blank password to the passwd command, however that did not seem to do the trick. It gave me an error that the password was too short, and it still asked me for a password when I ssh-ed in. The password was just hitting the "Enter" key.
UPDATE: Perhaps it has to do with the fact that slitaz uses dropbear for ssh? Because even with a blank password for root in /etc/shadow, it still prompts for a password.
What you’re trying to do is "set a blank password", not "remove the root password". Removing the root password implies that it has no password, rather than having a blank one.
1 Answer
● Do you really want to allow logins without a password? If so, try passwd -d root (see warnings below)
● Do you really want to have an empty password? echo root: | chpasswd or, if that is rejected, echo "root:$(mkpasswd -s
● For those coming here in search of a way to block password login for root, you have options:
- passwd -l root disables (locks), passwd -u root re-enables (unlocks) the root password.
- sshd option PasswordAuthentication no disables password authentication for all users (via ssh)
- sshd option PermitRootLogin no disables root login (via ssh)
- sshd option PermitRootLogin prohibit-password disables root login with password (via ssh)
- ⚠️ Make sure you have a way to log in even if you accidentally lock your password. For example, a second user with full sudo access. (If you try to configure no / an insecure password, your system might actually lock you out.)
- passwd -d root can allow for root login without password!
- ⚠️ this is a terrible idea on systems connected to the internet. Don’t do it except in an isolated host or network. An empty password is arguably worse.
- that’s why your system setup might still disallow logins without password (or with empty password) if you remove the password (or set it to the empty string). Especially via SSH.
- SSH with public keys, and something like ssh-agent is the way to go if you want the convenience of not repeatedly entering your password
- SSH with public keys, and an unencrypted private key is the way to go if you want to run commands from remote scripts. There is a PermitRootLogin forced-commands-only sshd option; when set the remote script can only trigger specific commands that you need to configure on the server.
Passwords are usually saved in salted & hashed form in /etc/shadow. For more information, read the manpage with man 5 shadow. Authentication can be blocked in the configuration of the SSH server (see man sshd_config) or in the OS’s authentication system (see "PAM", Linux Pluggable Authentication Modules).
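An added example (not from the original posts or the wiki page): a small audit that reads shadow-format entries and an sshd_config, then reports which accounts need no password and whether sshd would accept them. The sample data is constructed (the guest hash is the one quoted earlier on this page), Match blocks and PAM settings such as nullok are not modelled, and the empty-hash check only runs where Python's crypt module exists (it was removed in Python 3.13).

```python
try:
    import crypt  # wrapper for libc crypt(3); removed from the stdlib in Python 3.13
except ImportError:
    crypt = None

def classify(field):
    """Classify the password field (second field) of an /etc/shadow entry."""
    if field == "":
        return "no-password"          # what `passwd -d` leaves behind
    if field[0] in "!*":
        return "locked"               # `passwd -l` prefixes '!'; '*' matches no password
    if crypt is not None:
        try:  # re-hash the empty string with this entry's own scheme and salt
            if crypt.crypt("", field) == field:
                return "empty-password-hash"
        except OSError:
            pass                      # scheme not supported by this libc
    return "hashed"

def sshd_options(text):
    """Parse global sshd_config keywords; the first occurrence wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(shadow_text, sshd_text):
    """Return (user, kind, reachable_over_ssh) for accounts that need no password."""
    opts = sshd_options(sshd_text)
    empty_ok = (opts.get("permitemptypasswords", "no") == "yes"
                and opts.get("passwordauthentication", "yes") == "yes")
    root_ok = opts.get("permitrootlogin", "prohibit-password") == "yes"
    findings = []
    for line in (l for l in shadow_text.splitlines() if ":" in l):
        user, field = line.split(":")[:2]
        kind = classify(field)
        if kind in ("no-password", "empty-password-hash"):
            findings.append((user, kind, empty_ok and (user != "root" or root_ok)))
    return findings

# Constructed sample input; the guest hash is the one quoted on this page.
SHADOW = ("root:!$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
          "guest:$1$ADUODeAy$eCJ1lPSxhSGmSvrmWxjLC1:14929:0:99999:7:::\n"
          "kiosk::19000:0:99999:7:::\n")
SSHD = "PermitEmptyPasswords yes\nPermitRootLogin prohibit-password\n"

if __name__ == "__main__":
    print(audit(SHADOW, SSHD))
```

On a real host, pass in the contents of /etc/shadow and /etc/ssh/sshd_config (read as root) instead of the constructed strings.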
Can I set my user account to have no password?
If I attempt to change my password to nothing by opening "User Accounts", the "Change" button remains greyed out: How do I change my password to be empty? I know you can set Ubuntu to automatically log you in, but I want my password to be empty, I never want to type in a password to authenticate myself as that user. I know that there are reasons why this might not be a good idea, but I want to know if it is even possible. I’m using Ubuntu 12.10.
@Kaz It doesn’t if you follow all the steps in the answer, including the step that was linked to at the end.
6 Answers
You can’t do that using the GUI tool, but you can using the terminal.
- First, if your user has sudo privileges, you must enable its NOPASSWD option. Otherwise, sudo will ask for a password even when you don’t have one, and won’t accept an empty password. To do so, open the sudoers configuration file with sudo visudo, and add the following line to the file, replacing david with your username:
If you ever get prompted for a password, just type enter and it should work. I’ve tested this answer with LightDM, the lock screen, sudo, gksu, and it works.
Any new visudo edits such as nopasswd should be added to the end so no other setting overwrites the entry.
This did not work for me (Ubuntu 16.04) via ssh login. It still asks for a password, but no password is accepted (blank or the old one or the one for the ssh key).
On Debian I got the message "Sorry that didn’t work try again" when I try to log with empty password after the command passwd david -d. And now I can’t login with the old password too.
Warning: Be careful once you remove your password using this method, you won’t be able to authenticate yourself to prove you have admin rights, in a GUI or in the terminal (like installing an application using Synaptic, or using sudo through the command-line). This is because of bug #1168749.
Only do this if the user is not the only admin user.
This has been tested on Ubuntu 12.04 and 12.10.
- Make sure that you click on Unlock to be able to accomplish the tasks below:
- Go into user accounts, and click on the password field:
- Once the window opens, click on the down arrow to the right of "Action".
- and change it to "Log in without a password", and then click on "Change":
- Optionally, you can also enable automatic log-in, like this:
To give the user a password again after running this procedure, you can’t use a GUI (bug #882255), you have to use the command-line:
- Log in as another user with admin privileges. (Remember, the original one cannot run with admin privileges without a password using this method.)
- Run the following in a terminal:
Again, I must warn you that once you remove the password, you won’t be able to authenticate yourself in the GUI or a terminal, like installing an application using Synaptic, or using sudo on the command-line.
Creating a user without a password
Nothing is wrong, the authentication failed as expected. You won’t get a "there is no password, you can’t login" error message.
Either create it as root and set the correct permissions, or execute su git as root where you don’t have to provide a password.
I just wanted to point out that letting the git user have Bash as a shell is a bad idea, security wise. That would allow users of this repo to get a shell in your server. If you set the shell to /usr/bin/git-shell you can limit their account to using git and nothing else. (You should also limit SFTP access but that can only be done from /etc/sshd_config). Now, once you changed the shell, "su" won’t work as-is. You’ll have to do "su -s /bin/sh git" instead.
7 Answers
The --disabled-password option will not set a password, meaning no password is legal, but login is still possible (for example with SSH RSA keys).
To create a user without a password, use passwd -d $username after the user is created to make the password empty. Note not all systems allow users with empty password to log in.
You’ve created a user with a “disabled password”, meaning that there is no password that will let you log in as this user. This is different from creating a user that anyone can log in as without supplying a password, which is achieved by specifying an empty password and is very rarely useful.
In order to execute commands as such “system” users who don’t log in normally, you need to hop via the root account:
If you want certain users to be able to run commands as the git user without letting them run commands as root, set up sudo (run visudo as root and add a line like %gitters ALL = (git) ALL).
Ubuntu 19.10 does not seem to have the --disabled-password parameter; could there be any alternative solution?
@alper Write the full path: sudo -u git cat /wherever/main.py. Or add a cd command: sudo -u git sh -c 'cd /wherever && cat main.py'. If you want to be sure that the other user doesn’t get access to the current directory even if the command doesn’t do what was intended, change directories outside: (cd /wherever && sudo -u git cat main.py)
@alper You didn’t use the commands I posted. You used one of many variants (too many for me to guess the exact one) that would result in this particular error. You need to invoke a shell for cd and && .
If you want to access the system under the git user you should use sudo:
Create a user with an empty password
sudo useradd test-user-0
echo test-user-0:U6aMy0wojraho | sudo chpasswd -e
su test-user-0
The password prompt still shows unfortunately.
But if you just hit enter without typing anything, it logs in as the user test-user-0.
The -e flag tells chpasswd that the password is already encrypted, and U6aMy0wojraho is the hash of the empty string.
Terminal autologin with getty -a
On the terminal at least, you don’t need to create a user without a password to allow someone to not type their passwords every time.
So I believe that it should not be very hard to adapt that technique by modifying Ubuntu 18.04’s systemd init system scripts to setup a getty -a terminal as mentioned in that answer, although I haven’t tried to do it myself.