SSH Login From User With Empty Password


Hello list,

on a CentOS 6.4 machine I’m creating accounts with empty passwords. Each user’s public key is located in /.ssh/authorized_keys.

When trying to SSH into that machine, the following error message is displayed:
Permission denied (publickey).

In /etc/ssh/sshd_config I’ve set:
PasswordAuthentication no
UsePAM no

If I set a password for the users, the public key auth works without any problems.

Could anyone tell me what I’m missing here?

Thanks Michael

15 thoughts on - SSH Login From User With Empty Password

  • This error is when you SSH in (with PuTTY, for example) without attaching the private key.


  • I’ve never been completely clear on what UsePAM yes versus UsePam no actually does, other than that setting it to no seems to make things a lot more complicated. Perhaps you could try setting it to yes and see if that solves the problem?

  • Check /var/log/secure on the server for more details…

    Check the permissions on the file and .ssh directory… Needs to be owned by the user and 600 on the file… This is a very common issue…

    Also check context on the file and folder if selinux is enabled.

  • From what I read, it sounds like you are saying that you can’t log in with keypairs unless a password has been set. If so, this appears to be incorrect, at least as of CentOS 6. To test this, I did the following:

    [root@norman ~]# adduser testnopw
    [root@norman ~]# su - testnopw
    [testnopw@norman ~]$ mkdir .ssh && chmod 700 .ssh
    [testnopw@norman ~]$ nano .ssh/authorized_keys
    < - pasted id_dsa.pub from another account ->
    [testnopw@norman ~]$ chmod 600 .ssh/authorized_keys

    Now, as another account on the same server:

    [bens@norman] ssh testnopw@localhost
    Enter passphrase for key ‘/home/bens/.ssh/id_dsa’:
    [testnopw@norman ~]$

    Never, in the above script, was a password set.

  • Thanks everyone,

    secure log tells me exactly what the problem is:
    “User username not allowed because account is locked”

    Setting a password for that account unlocks it and SSH works as expected. I guess I have to work on my account creation routine.

    Michael

    On 10.10.2013 21:49, James Hogarth wrote:

  • You might look into mkpasswd. It's probably excessively complicated, but it can set a user's password:

    # mkpasswd -l 20 xyzzy
    zhRovbjh24hcqrg?xqoF

    This sets a gnarly 20-character password for the xyzzy user. Easy to script.

  • You are right, that would do the trick when writing a script. But what I’m actually trying to accomplish is creating user accounts with the configuration manager “salt”.

    In a blog post someone explained how to create users with it and he didn’t set a password, so I gave it a chance and came across the SSH problem.

    On 11.10.2013 10:14, John R Pierce wrote:

  • On 11.10.2013 09:27, Michael Schultz wrote:

    I haven’t tried but maybe you could just try the obvious and unlock the account?
    I think it is passwd -u [user]

  • This only works when there’s been a password set for the account before locking it. For obvious reasons empty passwords are not allowed :)

    On 11.10.2013 10:58, Rainer Traut wrote:

  • I question why you want accounts without passwords when logging in via SSH and public keys does not use a password or even ask for one. Also anyone logged in can change users with only an su - and not need a password.

    Have you tried setting PASS_MIN_LEN in /etc/login.defs to 0?

    Mike

  • On 11.10.2013 14:51, Markus Falb wrote:

    My passwd and shadow look like the ones in your example, SELinux is disabled.

    I think I’m just going to set account passwords, SSH pubkey auth works that way and it’s a lot more secure.

    Thank you again for your help everyone, Michael
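
The "account is locked" rejection from /var/log/secure in the thread above can be predicted from the shadow password field: with UsePAM no, sshd on Linux treats a field with a leading "!" as locked, and sshd(8) suggests a value such as NP or *NP* for accounts that should allow keys but no password. The following script is an added example, not part of the original thread; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format lines the way
# sshd on Linux does when UsePAM is "no" (a leading "!" means locked).

# shadow_state FIELD -> prints locked | no-password-login | empty | hashed
shadow_state() {
    case "$1" in
        '!'*) echo locked ;;            # "!!" from useradd, "!<hash>" from passwd -l
        '')   echo empty ;;             # no password at all
        '*'|NP|'*NP*') echo no-password-login ;;  # unusable hash, not a lock marker
        *)    echo hashed ;;
    esac
}

# pubkey_ok FIELD -> exit 0 if the lock check would let key auth proceed
pubkey_ok() {
    [ "$(shadow_state "$1")" != locked ]
}

# audit: read shadow-format lines on stdin, print "user state verdict"
audit() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        if pubkey_ok "$field"; then
            verdict=key-login-possible
        else
            verdict=rejected-account-locked
        fi
        printf '%s %s %s\n' "$user" "$(shadow_state "$field")" "$verdict"
    done
}

# Constructed sample entries (not from a real system).
SAMPLE='newuser:!!:15988:0:99999:7:::
keyonly:*NP*:15988:0:99999:7:::
relocked:!$6$salt$hashhashhash:15988:0:99999:7:::
normal:$6$salt$hashhashhash:15988:0:99999:7:::'

audit_sample() { printf '%s\n' "$SAMPLE" | audit; }

audit_sample
```

On a real host, feed the function the actual database as root, for example `getent shadow | audit`.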
