[CentOS] SSH login from user with empty password

David C. Miller millerdc at fusion.gat.com
Thu Oct 10 23:51:01 UTC 2013



----- Original Message -----
> From: "Lists" <lists at benjamindsmith.com>
> To: centos at centos.org
> Sent: Thursday, October 10, 2013 3:36:02 PM
> Subject: Re: [CentOS] SSH login from user with empty password
> 
> On 10/10/2013 03:12 PM, David C. Miller wrote:
> > SSH by default will use a key pair if found but then drops back to
> > login password. It will also fall back to password if the keypair has
> > a passphrase and you just hit return without typing it in. SSH won't
> > allow you to connect because the password in the shadow file is blank.
> > Basically if you don't have a password it should not allow you to
> > login regardless. From a security standpoint it makes sense to never
> > allow blank passwords. Just give the account a long 25 character
> > random password and then set up SSH key pairs.
> 
> From what I read, it sounds like you are saying that you can't log in
> with keypairs unless a password has been set. If so, this appears to be
> incorrect, at least as of CentOS 6. To test this, I did the following:
> 
> [root@norman ~]# adduser testnopw
> [root@norman ~]# su - testnopw
> [testnopw@norman ~]$ mkdir .ssh && chmod 700 .ssh;
> [testnopw@norman ~]$ nano .ssh/authorized_keys
> < - pasted id_dsa.pub from another account ->
> [testnopw@norman ~]$ chmod 600 .ssh/authorized_keys
> 
> 
> Now, as another account on the same server:
> 
> [bens@norman] ssh testnopw@localhost
> Enter passphrase for key '/home/bens/.ssh/id_dsa':
> [testnopw@norman ~]$
> 
> Never, in the above script, was a password set.


I just tested this myself and indeed it even works with a key pair that does not have a passphrase. I stand corrected. 

David.
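
The distinction the thread turns on, as an added example that is not part of the original posts: an account created with adduser and never given a password has a locked password field in /etc/shadow (`!!` on CentOS), which is not the same as an empty field. The function names and the sample lines below are constructed for illustration.

```shell
#!/bin/sh
# Classify the password field (2nd field) of shadow(5)-format lines on stdin.
# Output: "<user> <state>" where state is one of:
#   empty   - field is blank: a blank password; sshd refuses it unless
#             PermitEmptyPasswords is enabled
#   locked  - field starts with '!' or '*': no usable password, so password
#             logins fail; key logins still work, as the thread's test shows
#   hashed  - a password hash is set
classify_shadow() {
    awk -F: '
        NF < 2 || /^#/ { next }
        $2 == ""       { print $1, "empty";  next }
        $2 ~ /^[!*]/   { print $1, "locked"; next }
                       { print $1, "hashed" }
    '
}

# Constructed sample lines (not taken from the server in the thread).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15988:0:99999:7:::
testnopw:!!:15988:0:99999:7:::
blankpw::15988:0:99999:7:::
daemon:*:15988:0:99999:7:::
EOF
}

# List only the accounts whose password field is blank.
empty_password_accounts() {
    classify_shadow | awk '$2 == "empty" { print $1 }'
}

# Demonstration on the sample; on a real host run, as root:
#   classify_shadow < /etc/shadow
sample_shadow | classify_shadow
```

Only the `empty` state is a blank password in the sense discussed above; `testnopw` in the sample mirrors the test account from the thread, which was created without ever running passwd.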


