Creating a user without a password

Question

I'm trying to create a user without password like this:

sudo adduser \
   --system \
   --shell /bin/bash \
   --gecos ‘User for managing of git version control’ \
   --group \
   --disabled-password \
   --home /home/git \
   git

It's created fine. But when I try to login under the git user I'm getting the password entering:

su git
Password:...

When I leave it empty I get an error:

su: Authentication failed

What's wrong?

Nothing is wrong, the authentication failed as expected. You won't get a "there is no password, you can't login" error message. — scai, Nov 26 '12 at 13:43
But I need to create .ssh folder under the git user, how should I do that? — Erik, Nov 26 '12 at 13:46
Either create it as root and set the correct permissions, or execute su git as root where you don't have to provide a password. — scai, Nov 26 '12 at 13:46
@Erik Can you provide output of sudo grep git /etc/shadow? — Karlson, Nov 26 '12 at 14:45
I just wanted to point out that letting the git user have Bash as a shell is a bad idea, security wise. That would allow users of this repo to get a shell in your server.
If you set the shell to /usr/bin/git-shell you can limit their account to using git and nothing else. (You should also limit SFTP access but that can only be done from /etc/sshd_config).

Now, once you changed the shell, "su" won't work as-is. You'll have to do "su -s /bin/sh git" instead. — MarioVilas, Mar 03 '20 at 16:17
Besides the recommendation of not using an interactive shell, also note that system accounts home prefix is usually not /home, but /var/lib, /etc or similar (or even no home). They are meant for automated services, not actual (human) users. Why bother with --system if you're changing all defaults to the values meant for human users? — MestreLion, Aug 24 '23 at 05:02

score 92 · Answer 1 · answered Sep 12 '14 at 01:32

92

The --disabled-password option will not set a password, meaning no password is legal, but login is still possible (for example with SSH RSA keys).

To create an user without a password, use passwd -d $username after the user is created to make the password empty. Note not all systems allow users with empty password to log in.

answered Sep 12 '14 at 01:32

pallxk

1,235

6

This doesn't seem to work in version 16 ubuntu – Daniel Tate Nov 08 '17 at 03:40
1

@DanielTate got it kind of working with: https://unix.stackexchange.com/a/472968/32558 – Ciro Santilli OurBigBook.com Oct 03 '18 at 12:13

score 48 · Accepted Answer · edited Apr 28 '22 at 12:24

48

You've created a user with a “disabled password”, meaning that there is no password that will let you log in as this user. This is different from creating a user that anyone can log in as without supplying a password, which is achieved by specifying an empty password and is very rarely useful.

In order to execute commands as such “system” users who don't log in normally, you need to hop via the root account:

su -c 'su git -c "git init"'

or

sudo -u git git init

If you want certain users to be able to run commands as the git user without letting them run commands as root, set up sudo (run visudo as root and add a line like %gitters ALL = (git) ALL).

edited Apr 28 '22 at 12:24

terdon

242,166

answered Nov 27 '12 at 01:13

Gilles 'SO- stop being evil'

829,060

Another one: sudo su - git git init – pylover Dec 07 '19 at 07:51
Ubuntu 19.10 seems like does not have --disabled-password parameter, could there be any alternative solution – alper Jul 07 '20 at 19:15
@alper This has nothing to do with my answer. But anyway, yes, it does. – Gilles 'SO- stop being evil' Jul 07 '20 at 19:40
When I do sudo su git -c "cat main.py" it can read the files where sudo operation is perform. Is it possible to prevent that forcing switched user to run the command in its home directory rather than main user's directory? – alper Jul 07 '20 at 19:50
1

@alper Write the full path: sudo -u git cat /wherever/main.py. Or add a cd command: sudo -u git sh -c 'cd /wherever && cat main.py'. If you want to be sure that the other user doesn't get access to the current directory even if the command doesn't do what was intended, change directories outside: (cd /wherever && sudo -u git cat main.py) – Gilles 'SO- stop being evil' Jul 07 '20 at 20:02
It does not allow me to do cd I am not sure why sudo: cd: command not found. But I am able to do other solutions – alper Jul 07 '20 at 21:12
1

@alper You didn't use the commands I posted. You used one of many variants (too many for me to guess the exact one) that would result in this particular error. You need to invoke a shell for cd and &&. – Gilles 'SO- stop being evil' Jul 07 '20 at 21:20
Thanks @Gilles'SO-stopbeingevil' // Ah I forget to use sh, now it works – alper Jul 07 '20 at 21:28

score 12 · Answer 3 · answered Nov 26 '12 at 13:47

12

If you want to access the system under the git user you should use sudo:

sudo -s -u git

or

sudo su - git

answered Nov 26 '12 at 13:47

Didi Kohen

1,841

Ciro Santilli OurBigBook.com · Answer 4 · 2019-04-30T13:57:25.627

Create an user with empty password

sudo useradd test-user-0
echo test-user-0:U6aMy0wojraho | sudo chpasswd -e
su test-user-0

The password prompt still shows unfortunately.

But if you just hit enter without typing anything, and it logins as the user test-user-0.

The -e flags tells chpasswd that the password is already encrypted, and U6aMy0wojraho is the hash of the empty string.

Tested on Ubuntu 18.04.

Terminal autologin with getty -a

On the terminal at least, you don't need to create an user without a password to allow someone to not type their passwords every time.

I was able to do this on BusyBox by modifying inittab: How to login automatically without typing the root username or password in Buildroot BusyBox init?

So I believe that it should not be very hard to adapt that technique by modifying Ubuntu 18.04's systemd init system scripts to setup a getty -a <user> terminal as mentioned in that answer, although I haven't tried to do it myself.

score 10 · Answer 5 · edited Dec 04 '19 at 15:44

10

I think this is what you want:

adduser --disabled-password --shell /bin/bash --gecos "User" $username

You'll be able to

su $username

to run commands as that user, in /bin/bash or whatever shell you specify. --gecos "User" just put "User" into the comment field so you aren't prompted for that information. You can put whatever you want into that field.

edited Dec 04 '19 at 15:44

Michael Lihs

103

answered Nov 14 '18 at 03:19

Douglas Krugman

101

1

Note that adduser from shadow-utils 4.1.5.1 does not have the option --disabled-password – Valerio Bozz Jul 27 '23 at 13:16

score 0 · Answer 6 · answered Jun 30 '20 at 08:12

Once you created a user with this command-line option --disabled-password follow below instructions as root user

sudo visudo

Add below line at EOF.

<username> ALL=(ALL) NOPASSWD:ALL

Save visudo file. Now try to execute sudo commands with newly created user. It should work.

score 0 · Answer 7 · answered Mar 25 '22 at 15:07

0

For some versions of adduser there is a -p option for supplying the encrypted password, however if an empty string is supplied it is the same has setting no password: adduser -p '' mypasswordlessuser

answered Mar 25 '22 at 15:07

Kaktis

1

Which versions are those? The latest debian version (3.134) doesn't have that flag https://manpages.debian.org/unstable/adduser/adduser.8.en.html – Ben Creasy Oct 07 '23 at 16:51

Creating a user without a password

7 Answers7

Linked