[Bug 1305228] Re: PasswordAuthentication "no" fails if user account has no password set
Seth Arnold
1305228 at bugs.launchpad.net
Wed Apr 9 22:37:52 UTC 2014
There are several possible states of 'no password' -- the hashed
password field in /etc/shadow could be blank, could be a *, could be a
!, or could be a ! followed by an 'old password' that is currently
locked.

Do you have easy access to /etc/shadow lines that work as expected and
that don't work as expected? (Feel free to replace the hashed password
portions with xxx or something similar.)

Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1305228
Title:
PasswordAuthentication "no" fails if user account has no password set
Status in “openssh” package in Ubuntu:
New
Bug description:
Adding the following options to the /etc/ssh/sshd_config file:

    PasswordAuthentication no
    UsePAM no

For the purpose of disallowing logins by users via password (instead
of public key).

Login via public key does work as expected for users that HAVE a
password defined (but will NEVER be requested per the configuration --
as designed).

For users created without a password, these options cause the ssh
connection to fail with the error message:

    Permission denied (publickey).

Setting a non-trivial password (of course) for the user causes the
subsequent ssh connection to succeed.

This seems counter to the intent of the sshd options -- to require a
user to have a valid password to never ask the password and only
accept public key authentication.

Description: Ubuntu 12.04.4 LTS
Release: 12.04
openssh-server version 1:5.9p1-5ubuntu1.3

A *very* bad situation can occur if the root account has no valid
password, and instead relies on public key authentication. Setting
these parameters in sshd_config will effectively lock the root user
from logging in directly to the system! Combine with locking out all
the users, and you have a system with no user access!
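
Added example, not part of the original message or bug report: a small Python classifier for the 'no password' states of the /etc/shadow password field listed in the reply above (blank, *, !, or ! followed by an old hash). The sample lines and all function names are constructed for illustration, with hashes replaced by xxx.

```python
# Added example: classify the password field of /etc/shadow lines.
# SAMPLE_SHADOW is constructed for illustration; hashes are replaced with xxx.
SAMPLE_SHADOW = """\
alice:$6$xxx$xxx:16169:0:99999:7:::
bob::16169:0:99999:7:::
carol:*:16169:0:99999:7:::
dave:!:16169:0:99999:7:::
erin:!$6$xxx$xxx:16169:0:99999:7:::
"""

def classify_field(field):
    """Return the state of one shadow password field."""
    if field == "":
        return "blank"                # empty field
    if field == "*":
        return "star"                 # no valid hash
    if field.strip("!") == "":
        return "bang"                 # '!' (or '!!') with nothing behind it
    if field.startswith("!"):
        return "locked-old-password"  # '!' in front of a previous hash
    if field.startswith("$"):
        return "hash"                 # crypt(3) modular format, e.g. $6$...
    return "other"                    # legacy hash or a marker such as *NP*

def classify_shadow(text):
    """Map user name -> state for each entry in shadow-format text."""
    states = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected name:password:...")
        states[parts[0]] = classify_field(parts[1])
    return states

def leading_bang(states):
    """Users whose field starts with '!', the marker sshd(8) documents
    as a locked account on most Linuxes."""
    return sorted(u for u, s in states.items()
                  if s in ("bang", "locked-old-password"))

if __name__ == "__main__":
    result = classify_shadow(SAMPLE_SHADOW)
    for user, state in result.items():
        print(f"{user:8} {state}")
    print("leading '!':", ", ".join(leading_bang(result)))
```

To compare working and non-working accounts on a real system, pass the contents of /etc/shadow (readable only with root privileges) to classify_shadow() in place of the sample text.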