Scripting an 'empty' password in /etc/shadow

Posted by paddy on Super User See other posts from Super User or by paddy
Published on 2012-12-09T22:49:01Z Indexed on 2012/12/09 23:16 UTC
Read the original article Hit count: 319

I've written a script to add CVS and SVN users on a Linux server (Slackware 14.0). This script creates the user if necessary, and either copies the user's SSH key from an existing shell account or generates a new SSH key.

Just to be clear, the accounts are specifically for SVN or CVS. So the entry in /home/${username}/.ssh/authorized_keys begins with (using CVS as an example):

command="/usr/bin/cvs server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ....etc...etc...etc...

Actual shell access will never be allowed for these users - they are purely there to provide access to our source repositories via SSH.

My problem is that when I add a new user, they get an empty password in /etc/shadow by default. It looks like:

paddycvs:!:15679:0:99999:7:::

If I leave the shadow file as is (with the !), SSH authentication fails. To enable SSH, I must first run passwd for the new user and enter something.

I have two issues with doing that. First, it requires user input which I can't allow in this script. Second, it potentially allows the user to login at the physical terminal (if they have physical access, which they might, and know the secret password -- okay, so that's unlikely).

The way I normally prevent users from logging in is to set their shell to /bin/false, but if I do that then SSH doesn't work either!

Does anyone have a suggestion for scripting this? Should I simply use sed or something and replace the relevant line in the shadow file with a preset encrypted secret password string? Or is there a better way?

Cheers =)

© Super User or respective owner

Related posts about linux

Related posts about ssh