Tuesday, October 19, 2010

Gentoo, useradd, and SSH

I had to create a user on a Gentoo box today for SSH, but after creating the user, he could not log in over SSH. It was very frustrating. It turns out the answer was simple, but not straightforward.

Not sure if this affects other versions of *nix, though I am sure it does.


useradd -m -p "password" user


That will not allow a user to log in over SSH; you must use


passwd user


if you want your user logging in remotely. I am not sure what the distinction is between the -p argument in useradd and using passwd to assign a password to a user. Anyone know more about this?

5 comments:

  1. This sounds more like a configuration choice for /etc/ssh/sshd_config. Do a man on sshd_config and search for "PermitEmptyPasswords".

    You don't want to fudge with the default of "no". Allowing an account to log in without a password is very bad.

    There are exceptions to the rules, but you need to read up and understand how to best secure OpenSSH before making such a change.

  2. Specifying passwords as arguments is a really, really BAD IDEA. Besides you are doing it wrong:

    man useradd says:

    --snip--

    -p, --password PASSWORD
    The encrypted password, as returned by crypt(3). The default is to disable the password.

    Note: This option is not recommended because the password (or encrypted password) will be visible by users listing the processes.

    --snap--

    So you have to encrypt the password first. You can use mkpasswd for this. But PLEASE: Use pipes for supplying the password!

  3. Interesting! I should have paid more attention to the man page...

    Thanks for the info!

  4. useradd -m -p $(openssl passwd "password") user

  5. Oddly enough, I encountered this issue myself quite recently.
    You can use the program "expect" to fill in passwords automatically in plain text for passwd, but it's not nearly as reliable as the other suggestions made here.
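
The man page excerpt quoted in comment 2 explains the behaviour in the post: useradd -p stores its argument verbatim as the crypt(3) password field, so a plaintext value there can never match at login. As an added example (not from the post or its commenters), this shell script audits shadow-format lines for such fields; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag shadow-format entries whose password field cannot be
# a crypt(3) hash, e.g. after `useradd -p "password" user`.
# Function names and sample data are constructed for illustration.

# Print the state of one password field: empty, locked, crypt, des, not-a-hash.
classify_shadow_field() {
    field=$1
    case $field in
        '')           echo empty ;;       # no password needed at all
        '!'*|'*'*)    echo locked ;;      # password login disabled
        '$'*'$'*'$'*) echo crypt ;;       # modular format: $id$salt$hash
        *)
            # Traditional DES crypt is exactly 13 chars from [./0-9A-Za-z].
            # A 13-char plaintext from that alphabet would pass this check.
            if [ "${#field}" -eq 13 ] &&
               ! printf '%s' "$field" | grep -q '[^./0-9A-Za-z]'; then
                echo des
            else
                echo not-a-hash           # stored verbatim, matches no login
            fi ;;
    esac
}

# Read shadow-format lines on stdin; print "user state" for risky entries.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        state=$(classify_shadow_field "$field")
        case $state in
            empty|not-a-hash) printf '%s %s\n' "$user" "$state" ;;
        esac
    done
}

# Constructed sample entries (placeholder salts and hashes, not real ones).
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14901:0:99999:7:::
bob:password:14901:0:99999:7:::
carol::14901:0:99999:7:::
dave:!:14901:0:99999:7:::
erin:abJnggxhB/yWI:14901:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system, run it as root with `audit_shadow < /etc/shadow`. An account reported as not-a-hash needs its password set again with passwd.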