
I'm writing a script that automatically creates a user using the useradd command (I need this one and not adduser).

I want to create it in a way that it is accessible only using ssh (the script already adds the public_key among authorized keys).

useradd --system --shell /bin/bash $NEW_USER

Does this command allow login by password? If yes, how can I disable it?

The objective I want to achieve is something like --disable-password of useradd described in this post: Creating a user without a password.

  • Do you set a password for the user? If not, the user has no password and will not be able to log in with a password. – Kusalananda Nov 27 '21 at 11:06
  • @they Perfect, that partially answers my question. However, in scripts, is it normal that I don't get prompted to insert the password? Why does this happen? – AndreaCostanzo1 Nov 27 '21 at 11:55
  • Adding to @they's comment, the useradd man page says: "-p, --password PASSWORD: The encrypted password, as returned by crypt(3). The default is to disable the password." i.e. if you don't set a password, it will be disabled. BTW, if you want to be sure, or if you need to disable the password for an existing account, you can run passwd -l username to lock the account (i.e. disable the password). – cas Nov 27 '21 at 12:22
  • I missed the last part when reading man useradd. Thanks for the explanation. – AndreaCostanzo1 Nov 27 '21 at 13:35
  • @cas You should make that an answer. – Hauke Laging Nov 27 '21 at 14:12
  • If you guys want to write the answer I will validate it to repay your effort. – AndreaCostanzo1 Nov 27 '21 at 17:51

1 Answer

useradd creates an account with a disabled password by default if you don't give it one with the -p option.

From man useradd:

-p, --password PASSWORD

The encrypted password, as returned by crypt(3). The default is to disable the password.

BTW, if you need to disable the password for an existing account, you can run passwd -l username to lock the account (i.e. disable the password). From man passwd:

-l, --lock

Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ! at the beginning of the password).

Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this sets the account's expire date to Jan 2, 1970).

Users with a locked password are not allowed to change their password.

The fact that it just invalidates the password rather than deleting it allows it to be unlocked later with passwd -u, without the system administrator needing to know what the original password was or setting it to some "default" password (possibly insecure, possibly well-known):

-u, --unlock

Unlock the password of the named account. This option re-enables a password by changing the password back to its previous value (to the value before using the -l option).

i.e. it removes the ! added to the beginning of the crypted password by the -l option.

cas
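As an added illustration that is not part of the answer above: the states described (no password set by useradd, a hash locked by passwd -l with a leading !, an account expired with usermod --expiredate) are all visible in the fields of /etc/shadow. The shell functions below classify constructed sample entries (not real system data) so a script can verify the result it intended; the field conventions follow shadow(5), and the "!!" form is the default some distributions write.

```shell
#!/bin/sh
# Constructed /etc/shadow sample (fake hashes, not real system data).
# Field 2 is the password field, field 8 the expiry day (days since epoch).
SAMPLE_SHADOW='alice:$6$salt$fakehash:18958:0:99999:7:::
bob:!$6$salt$fakehash:18958:0:99999:7:::
carol:!:18958:0:99999:7:::
dave:*:18958:0:99999:7:::
eve::18958:0:99999:7:::
frank:!:18958:0:99999:7::1:'

shadow_line() {
    # Print the sample entry for user $1, fail if it is absent.
    printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:"
}

# password_status NAME -> empty | disabled | locked | set | missing
password_status() {
    line=$(shadow_line "$1") || { echo missing; return 1; }
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '')            echo empty ;;     # no password at all: password login succeeds without one
        '!'|'!!'|'*')  echo disabled ;;  # useradd default: no usable password, keys still work
        '!'*)          echo locked ;;    # hash prefixed by passwd -l; passwd -u restores it
        *)             echo set ;;       # a real hash: password login is possible
    esac
}

# account_expired NAME -> success if field 8 is set and not after today
account_expired() {
    line=$(shadow_line "$1") || return 1
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    [ -n "$expire" ] || return 1
    today=$(( $(date +%s) / 86400 ))
    [ "$expire" -le "$today" ]
}
```

On a real host, replace the sample with `getent shadow "$NEW_USER"` run as root; a freshly created SSH-only user should report "disabled" and not "empty".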