What happens if I delete all user passwords?

Question

I have a Fedora VPS with a root user that has no password. I login with SSH keys.

I had another, less privileged account on that server, used for web administration. I've now deleted its password too.

If there are no users with passwords on a server, what exactly would happen if I were to lose my SSH key, for example? Would the server become forever unavailable since there is no way to log in on it?

Also, how does the sudo program behave when neither the root nor the calling user have passwords? I tried it and it didn't even ask me for a password: it just worked, since I have that user ALL=(ALL) ALL line in my sudoers file (should I change that?)

Answer 1

if you remove the 2nd field of the /etc/passwd file then users can login without any challenge. Simply attempting to login will allow them in. So something like this is probably not something you'd want to do.

root:$1$iM/2lekk$rXUAcF5fY8ddLL.B1bkH63:12242:0:99999:7:::

/etc/passwd primer

                               

1. Username: It is used when user logs in. It should be between 1 and 32 characters in length.
2. Password: An x character indicates that encrypted password is stored in /etc/shadow file.
3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
4. Group ID (GID): The primary group ID (stored in /etc/group file)
5. User ID Info: The comment field. It allow you to add extra information about the users such as user's full name, phone number etc. This field use by finger command.
6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

borrowed from Understanding /etc/passwd File Format

disabling password logins

There is a subtle different between this field being blank and containing an x (:x:), and a :!: in the /etc/shadow file. This means that the account is intentionally setup to not be allowed to login, which is probably more what you're after.

/etc/shadow

root:!:15669:0:99999:7:::

The same can be done for any account, which is probably the way I would suggest you do this if you truly want to only allow ssh logins using a public/private key.

Other questions

If there are no users with passwords on a server, what exactly would happen if I were to lose my SSH key, for example? Would the server become forever unavailable since there is no way to log in on it?

No so long as you have physical access to the server, you can always gain access to the system. Will require a reboot and might be slightly difficult using a VPS but should be possible.

You typically boot the sytem into single user mode at which point you can edit the /etc/passwd & /etc/shadow files as needed.

Also, how does the sudo program behave when neither the root nor the calling user have passwords? I tried it and it didn't even ask me for a password: it just worked, since I have that user ALL=(ALL) ALL line in my sudoers file (should I change that?)

Yes without passwords using sudo becomes more difficult. There are methods to use other sources when dealing with sudo. See this U&L Q&A titled: Set sudo password differently from login one.

Answer 2

Beware that there are several things that could be called “deleting a password”. On Linux:

• passwd -d USER sets the account to allow logging in without a password. (Some services, in particular ssh, tend to be set up to block logins in this case.)
• passwd -l USER locks the account's password: no password will be accepted. It is still possible to log in by other means such as ssh keys or sudo.`
• usermod -e 1 USER locks the account (by setting the password's expiration date to a past date): it becomes impossible to log into this account via any service.

I assume that you're refering to the second meaning: you've made these accounts impossible to log in with a password, but still accessible via ssh with a key, or with sudo.

If you've disabled the password for your account, you will no longer be able to use sudo. You have a grace period during which sudo isn't prompting you again for your password. After that, unless you've changed the default configuration in an unusual way, sudo will prompt you for your password, which you will be unable to enter since there is no more password. This doesn't apply to sudoers rules with the NOPASSWD tag.

Removing passwords does not make the system more secure than picking strong passwords would. If your VPS offers a way to log in on a virtual console, then generate a long, random password for the root account, test that it works, print it out and put the piece of paper in your safe. That way you have a way to recover access to your system if something goes wrong (such as “oops, I locked myself out of ssh” or “oops, I locked myself out of sudo”). For your account, pick a shorter password that you can memorize, disable passwords for SSH logins (optional), and type your password to sudo to become root. Having an extra level of authentication from your normal account to root is useful because it's a lot harder to plant an undetected trojan in a non-root account.

Answer 3

Having no password is fine most of the time.

Yes, if you only allow authentication via ssh key, and you loose your ssh key, you cannot login anymore. In this case you can for example boot some live CD, mount the original system and add a root password. (If you don't have such an option, maybe it's better to have a root password, just in case.)

Sudo can be configured to not ask any password. There is the NOPASSWD: option to activate this. (See man sudoers.)

Be aware that there are lots of other ways available for authentication. You can activate them by configuring your PAM system.