Creating User Account With Empty Password on Linux
Original post is here eklausmeier.goip.de/blog/2014/07-07-creating-user-account-with-empty-password-on-linux.
Assume you want to set up a user account that needs no password and can only log in when the user sits in front of the machine.
Let's name this user kiosk.
Unfortunately there is apparently no single command-line switch to accomplish this with useradd.
The task at hand is not to be confused with automatic log-in at boot time.
groupadd -g 1011 kiosk
useradd -u 1011 -g 1011 -c Kiosk -s /your/command/goes/here -m kiosk
mkpasswd -m sha-512 -S My.Salt3
mkpasswd asks for a password. You just type Enter. The output of mkpasswd is pasted into /etc/shadow, where it replaces the gibberish in the second field of the kiosk line. Fields are separated with colons in /etc/shadow, just as in /etc/passwd. Of course, you can use whatever salt you please. The salt above was taken as My.Salt3.
ArchLinux does not have mkpasswd (mkpasswd is already used by expect). Instead use
perl -e 'print crypt("","\$6\$My.Salt3\$") . "\n"'
The first argument of crypt() is the empty string, because we want an empty password.
Check that /etc/ssh/sshd_config has PermitEmptyPasswords set to no, so that the passwordless account cannot be used to log in remotely over SSH.
The above kiosk user is an example for a kiosk-application. Another application is to use a shutdown-user, i.e., a user whose whole purpose is just to shut down the machine. For a shutdown user one adds the following line to /etc/sudoers:
shutdown ALL=(ALL:ALL) NOPASSWD: /sbin/shutdown
Above commands were digested from two good resources:
- How to create a linux user with an empty/blank password
- Understanding and generating the hash stored in /etc/shadow (dead link)
- How to create an SHA-512 hashed password for shadow?
It is quite surprising that the passwd command does not have an option to set an empty password, though, look for passwd -d.
In former times it was not unusual for a Unix system to have a guest account, where one can see the current date and time, the people logged into the machine, etc. Nowadays Unix machines with accounts without passwords seem to be quite rare.
Added 16-Mar-2017: Above comments are valid for tty and xdm. For gdm use the procedures as outlined in GDM. It says:
If you want to bypass the password prompt in GDM then simply add the following line on the first line of /etc/pam.d/gdm-password:
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
Then, add the group nopasswdlogin to your system. See Groups for group descriptions and group management commands.
Now, add your user to the nopasswdlogin group and you will only have to click on your username to login.
Also see Linux pam and /etc/shells.
Added 30-Apr-2024: It seems that a passwordless user id is no longer possible in Arch Linux.
Another way to create passwords is with openssl like so:
openssl passwd -6 -salt 123456789abcdef your-Password
However, openssl doesn't allow the password to be empty.