[CentOS] SSH login from user with empty password
Lists
lists at benjamindsmith.com
Thu Oct 10 22:36:02 UTC 2013
On 10/10/2013 03:12 PM, David C. Miller wrote:
> SSH by default will use a key pair if found but then drops back to
> login password. It will also fall back to password if the keypair has
> a passphrase and you just hit return without typing it in. SSH won't
> allow you to connect because the password in the shadow file is blank.
> Basically if you don't have a password it should not allow you to
> login regardless. From a security standpoint it makes sense to never
> allow blank passwords. Just give the account a long 25 character
> random password and then set up SSH key pairs.
From what I read, it sounds like you are saying that you can't log in
with keypairs unless a password has been set. If so, this appears to be
incorrect, at least as of CentOS 6. To test this, I did the following:
[root@norman ~]# adduser testnopw
[root@norman ~]# su - testnopw
[testnopw@norman ~]$ mkdir .ssh && chmod 600 .ssh;
[testnopw@norman ~]$ nano .ssh/authorized_keys
< - pasted id_dsa.pub from another account ->
[testnopw@norman ~]$ chmod 600 .ssh/authorized_keys
Now, as another account on the same server:
[bens@norman] ssh testnopw@localhost
Enter passphrase for key '/home/bens/.ssh/id_dsa':
[testnopw@norman ~]$
Never, in the above script, was a password set.
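
Added example (not part of the original post or of CentOS): the thread turns on the difference between a blank password field in the shadow file and an account that has never had a password set, so this script classifies the second field of shadow(5) entries. The sample entries are constructed; `!!` is the value useradd leaves on CentOS when no password has been set, and the names `blankuser` and `lockeduser` are hypothetical.

```bash
#!/bin/sh
# Classify the password field (2nd field) of a shadow(5) entry.
#   empty      - blank field: the account has an empty password
#   nopassword - "!!", "!" or "*": no password set, no password can match
#   locked     - "!" followed by a hash: password exists but is disabled
#   hashed     - anything else: a usable password hash is set
classify_shadow_field() {
    case "$1" in
        '')            echo empty ;;
        '!!'|'!'|'*')  echo nopassword ;;
        '!'*)          echo locked ;;
        *)             echo hashed ;;
    esac
}

# Read shadow-format lines on stdin, print "user<TAB>state" per account.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s\t%s\n' "$user" "$(classify_shadow_field "$field")"
    done
}

# Print only the accounts whose password field is blank.
empty_password_accounts() {
    audit_shadow | awk -F'\t' '$2 == "empty" { print $1 }'
}

# Constructed sample entries (not real hashes).
SAMPLE_SHADOW='root:$6$CONSTRUCTEDSALT$constructedhashvalue:15988:0:99999:7:::
testnopw:!!:15988:0:99999:7:::
blankuser::15988:0:99999:7:::
lockeduser:!$6$CONSTRUCTEDSALT$constructedhashvalue:15988:0:99999:7:::
daemon:*:15980:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real host, feed it the shadow file as root instead of the sample, for example `audit_shadow < /etc/shadow`. Accounts reported as `empty` are the ones that sshd's `PermitEmptyPasswords` setting (default `no`) applies to.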