FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu User

 
 
LinkBack Thread Tools
 
Old 03-02-2012, 01:58 PM
Marius Gedminas
 
Default Editing /etc/passwd to disable password not working

On Thu, Mar 01, 2012 at 08:19:14PM +0530, Santanu Chatterjee wrote:
> On Thu, Mar 1, 2012 at 6:58 PM, Marius Gedminas <marius@pov.lt> wrote:
> > On Thu, Mar 01, 2012 at 05:58:41PM +0530, Santanu Chatterjee wrote:
> >> On Thu, Mar 1, 2012 at 4:13 PM, Ken Adams <adams.ken.j@gmail.com> wrote:
> >> > On Thu, 2012-03-01 at 14:56 +0530, Santanu Chatterjee wrote:
> >> >> I tried to disable the password of an account on my home ubuntu 11.04
> >> >> box, by blanking the 2nd field of the corresponding user line in
> >> >> /etc/passwd and /etc/shadow file. However, whenever I try to login to
> >> >> the user account I am still being asked for the password and just
> >> >> pressing 'enter' is not working.
> >> >>
> >> >> Is there something else that I should be doing? IIRC, I have tried
> >> >> this some time back in probably ubuntu 8.10 (or maybe some lower
> >> >> version) and it used to work.
> >> >>
> >> >> Thanks and regards,
> >> >> Santanu
> >> >>
> >> >
> >> > If you use the following the account will stay in place but be inactive.
> >> >
> >> > sudo passwd --lock [LOGIN]
> >> >
> >> > If you wish to activate the account again then use...
> >> >
> >> > sudo passwd --unlock [LOGIN]
> >> >
> >> > This will put activate the account with the original password.
> >> >
> >> > man passwd is your friend
> >>
> >> Yes, its as you said. But this seems to be betraying me! Even "passwd
> >> --delete [LOGIN]" does not render the account passwordless as apparent
> >> from the manual. The commands you mentioned work, but I could do the
> >> same thing using "sudo vipw" and "sudo vipw -s" to directly edit the
> >> passwd and shadow files, and that works.
> >
> > /etc/shadow should be the only file you need to edit. *(But don't do
> > that; use passwd --delete.)
> >
> >> I think there something else in play here. Any ideas?
> >
> > Having a blank password may not be enough to log in; the PAM module
> > needs to accept blank passwords too. *The default configuration uses
> > pam_unix.so with nullok_secure, which means a blank password is only
> > accepted if the user is trying to login from a terminal listed in
> > /etc/securetty.
> >
> > How exactly did you try to log in? *Via GDM? */etc/securetty
> > lists :0 so X logins should be allowed, but maybe GDM itself has
> > an option about this?
> >
> > I see a curious line in /etc/pam.d/gdm on my 11.04 box:
> >
> > *auth * *sufficient * * *pam_succeed_if.so user ingroup nopasswdlogin
> >
> > Maybe this means gdm will accept passwordless logins if the user is
> > added to a 'nopasswdlogin' group? *This is the first time I see such a
> > group mentioned, though, so maybe I'm misunderstanding something.
>
> Firstly, thanks a lot. It is indeed PAM that was behind all this. (I
> really need to learn about this PAM stuff I managed to ignore so far)
>
> Secondly, Oops. When I said blanking the 2nd field of the
> corresponding user line in /etc/shadow did not make the account
> passwordless, I was being careless. Actually I was using "su [LOGIN]"
> to get into the account, which in turn was handled by /etc/pam.d/su
> config file. But just now I tried a normal console login at that
> account, and I could login passwordless. So it was actually working.
>
> Thirdly, after reading your mail (and some googling), I added a line
> "auth sufficient pam_permit.so" in /etc/pam.d/su, and now, regardless
> of presence of password in the shadow file, I can su to any account on
> the system without password! Scary!

Scary, yes. (And it lets any account su to any other account, AFAIU.)

Any reason you're using su and not sudo? /etc/sudoers is easier to
understand than /etc/pamd.*, at least for me. If you want to be able to
su to any user account without a password, sudo visudo

youraccountname ALL = (ALL) NOPASSWD: ALL

and then use sudo -u anyaccount -i

Or if you want passwordless access to a single particular
otheruseraccount, use this in /etc/sudoers:

youraccountname ALL = (otheruseraccount) NOPASSWD: ALL

> So, indeed PAM is the one I need to know more about.

Marius Gedminas
--
I once asked an older coworker and Solaris guru what happened with the
Unix-haters list. He told me that it stopped being quite so funny once Windows
NT came along.
-- the gnat at slashdot
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 

Thread Tools




All times are GMT. The time now is 02:29 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org