Remove user password (to prevent ssh login using password).

How to remove a user's password and thus block that user from logging in with ssh (I use a key to log in)? I tried it to be empty, but a funny thing happens - it lets me in with no password.
 
martin_ said:
How to remove user password and thus block user from logging in with ssh (I use key to log in)?
Use vipw(8) to set the user's password to "*", as in this example:
Code:
fonz:*:1001:10000::0:0:A.J. "Fonz" van Werven:/home/fonz:/bin/tcsh
martin_ said:
I tried it to be empty, but funny thing happens - it lets me in with no password.
Of course it does. That's normal behaviour.
 
Thanks both fonz for perfect answer (it worked exactly like I expected) and DutchDaemon for perfect grammar (I am emulated speaker (non-native :stud), working on my English every day!).
 
fluca1978 said:
Please consider that OpenSSH has specific options for AllowUsers and DenyUsers.
Also look at PasswordAuthentication and ChallengeResponseAuthentication, to be found in /etc/ssh/sshd_config and explained in the manpage sshd_config(5).
 
The most safe option to disable an account is to use pw(8):

# pw usermod name -h -

If a value of ‘-’ is given as the argument fd, then the
password will be set to ‘*’, rendering the account
inaccessible via password-based login.
 
kpa said:
# pw usermod name -h -
That essentially does the same as my vipw(8) solution except that it's a single command and therefore a bit less error-prone than editing /etc/master.passwd, provided that one can remember the exact pw(8) syntax, which many find challenging ;)
 
Remembering that a star in the password field represents a disabled account can be equally challenging :P
 
Thanks for detailed expertise. For me both answers are quite challenging, so all I will remember is that I asked this question here..
 
johnd said:
Why not just use

# pw lock name
# pw unlock name

Very easy to remember.

Not sure but the question was to prevent the user to log in via ssh, so I guess the account should not be locked at all. Anyway all this thread is full of a set of options that allows the author to do nearly everything he wants with the account.
 
fluca1978 said:
Not sure but the question was to prevent the user to log in via ssh,
No, the question was to prevent the user from logging in using a password and to only allow logging in over SSH using a keyfile.
 
fonz said:
No, the question was to prevent the user from logging in using a password and to only allow logging in over SSH using a keyfile.

Then locking the account is not the answer, tweaking the sshd_config is.
Again, the user now has enough information to do what he wants.
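
An added example, not from any poster in the thread: a shell function that reports, for each account in a master.passwd-format file, whether the password field is empty (the state the original poster found lets a login through with no password), `*` (what the vipw edit and `pw usermod name -h -` produce), or carries the `*LOCKED*` prefix. The sample lines, function names and state labels are constructed for illustration; the `*LOCKED*` prefix is what pw(8) lock writes on FreeBSD and is not stated in the thread.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of master.passwd-format lines.

# Constructed sample data in the 10-field master.passwd layout; not real accounts.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not a real master.passwd
keyonly:*:1001:1001::0:0:Key-only user:/home/keyonly:/bin/sh
emptypw::1002:1002::0:0:Empty field:/home/emptypw:/bin/sh
hashed:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1003:1003::0:0:Has a hash:/home/hashed:/bin/sh
locked:*LOCKED*$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1004:1004::0:0:pw lock:/home/locked:/bin/sh
EOF
}

# Print "user<TAB>state" for each entry read from the named file(s) or stdin.
classify_passwd() {
    awk -F: '
        /^#/ || NF < 10 { next }   # skip comments and lines that are not full entries
        {
            pw = $2
            if      (pw == "")            state = "EMPTY"          # login with no password
            else if (pw ~ /^\*LOCKED\*/)  state = "LOCKED"         # assumed pw lock prefix
            else if (pw == "*")           state = "STAR"           # no password can match
            else                          state = "HASH_OR_OTHER"  # a password is set
            printf "%s\t%s\n", $1, state
        }' "$@"
}

# Names of accounts whose empty field permits a login with no password.
empty_password_users() {
    classify_passwd "$@" | awk -F'\t' '$2 == "EMPTY" { print $1 }'
}

# Stand-alone run: classify the constructed sample.
sample_master_passwd | classify_passwd
```

Against the real file, run as root: `classify_passwd /etc/master.passwd`.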
 