
I am assigned to generate a script that can disable password login for the ssh service. I know that I can perform this action by editing the /etc/sshd_config file, but my mentor mentioned that the file I should look into is the /etc/password file. That was the hint for me to perform this task. Here is what I did: I removed the 'x' symbol in the user's entry. I believed the field is reserved for the password hash.

The original:

 pi:x:1000:1000:,,,:/home/pi:/bin/bash

After edited:

 pi::1000:1000:,,,:/home/pi:/bin/bash

The result: without the key I'm stuck retyping the password in the prompt window.

Updated for clarity: the script should make logins to the pi server rely on a public and private key pair. To put it another way, I am trying to go for password-less login, making it a feature to harden security.

  • A long time ago you could replace bash by nologin??? Commented Dec 31, 2019 at 12:37
  • I tried and got this message: Last login: This account is currently not available. Commented Dec 31, 2019 at 12:46
  • Historically, replacing the hash with an invalid one such as '*' disabled password logins. (Changing the login shell didn't prevent using su to access the account from another user account.) I suspect the same functionality remains in the shadow package, but keep in mind that you're disabling all password access, not just ssh. Commented Dec 31, 2019 at 13:06
  • Just making the second field of /etc/passwd empty is a dangerous method that relies on your PAM configuration (or a setting in /etc/ssh/sshd_config, or in some other login method that won't use PAM) disabling network/remote logins for passwordless accounts. After your edit, try logging in on the console as user pi: you may find out that you can get in by just pressing enter at the password prompt. It's safer to set the password field to an invalid value like *, as suggested by @MatthewGauthier above. Commented Dec 31, 2019 at 13:26
  • Emptying the password field is definitely the wrong way to do it. If the field is "x", logins use the /etc/shadow file to determine the password. If the field is "*" (or anything that isn't an encrypted password), logins via password will never work. If the field is empty, then unless some other mechanism prevents it, anyone can log in to the account without providing any password at all, the exact opposite of what you want to accomplish. sudo vipw and changing the field to "*" will effectively disable logins via password, regardless of the method used (ssh, rlogin, etc.). Commented Dec 31, 2019 at 23:57

2 Answers


You don't need to edit the /etc/passwd file directly, although you can if you insist.

passwd --lock pi    # Lock the "pi" user account

You can see further options, including how to unlock a locked account, with man passwd. Needless to say, this command must be run with root privileges.


Now that I see you have edited your question to explain that you want to disable password-based authentication for ssh, this can be enforced with a simple edit to /etc/ssh/sshd_config:

PasswordAuthentication no

Remember to restart the service: systemctl restart sshd
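As an added example (not code from either answer), the following script applies the sshd_config change from this answer to a config file given as an argument, and classifies the second field of an /etc/passwd line the way the comments under the question describe, so the "empty field" mistake is visible before anyone logs in. The function names, the demo file and the sample passwd lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not the answer's own code. Two helpers that can be exercised
# on constructed copies instead of the live files:
#  set_sshd_password_auth FILE VALUE  writes "PasswordAuthentication VALUE" as the
#      first line of an sshd_config-style file and drops older global copies.
#      sshd uses the first value it reads for a keyword, so the new line wins;
#      lines inside Match blocks are left alone and deserve a manual review.
#  passwd_field_state LINE            classifies field 2 of an /etc/passwd line,
#      the field the question's edit emptied.
set -u

set_sshd_password_auth() {
    cfg="$1"; val="$2"; tmp="$cfg.tmp.$$"
    awk -v want="PasswordAuthentication $val" '
        BEGIN { print want; inmatch = 0 }
        tolower($1) == "match" { inmatch = 1 }   # everything after a Match is scoped
        !inmatch && tolower($1) == "passwordauthentication" { next }   # drop old global value
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

passwd_field_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        "")     echo "empty: no password at all may be accepted unless PAM or sshd refuses it" ;;
        x)      echo "shadow: the hash lives in /etc/shadow" ;;
        "*"|!*) echo "locked: no password can match (passwd -l writes the ! prefix)" ;;
        *)      echo "hash-in-passwd: a crypt(3) hash stored directly in /etc/passwd" ;;
    esac
}

# Demo on a constructed config file (not a real server's sshd_config).
demo_cfg=$(mktemp)
printf '#PasswordAuthentication yes\nPasswordAuthentication yes\nMatch User deploy\n    PasswordAuthentication yes\n' > "$demo_cfg"
set_sshd_password_auth "$demo_cfg" no
cat "$demo_cfg"
rm -f "$demo_cfg"
passwd_field_state 'pi::1000:1000:,,,:/home/pi:/bin/bash'
passwd_field_state 'pi:x:1000:1000:,,,:/home/pi:/bin/bash'
```

On a real host, run sshd -t after editing the live file and before the restart, so a typo cannot lock you out of the service you are hardening.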


While @roaima is correct that the passwd command or sshd_config are probably what you want, I want to point out a few alternatives:

1) Add an exclamation point to the beginning of the password (which is actually what passwd -l does, see the man page). Note that the actual password hash is in /etc/shadow, not /etc/passwd.

2) Disable ("pre-expire") the account with usermod --expiredate 1 (or any other day in the past; also from the passwd man page).

3) Change the shell to "/usr/sbin/nologin" via either chsh -s /usr/sbin/nologin or editing /etc/passwd. This is used by many Debian children to identify a system/service account, to stymie injection attacks against specialized accounts (apache, mail, sshd etc.).

  • Any of these will prevent the OP from using ssh logins at all. Commented Jan 3, 2020 at 18:02
  • Only the first option works for me. Commented Jan 7, 2020 at 0:23
