7th July 2014

Creating User Account With Empty Password on Linux

Assume you want to set up a user account that can log in to your machine only when the user sits in front of it, and without having to give a password. Let's name this user kiosk. Unfortunately, there is apparently no single command-line switch to accomplish this with useradd. The task at hand is not to be confused with automatic log-in at boot time.

groupadd -g 1011 kiosk
useradd -u 1011 -g 1011 -c Kiosk -s /your/command/goes/here -m kiosk
mkpasswd -m sha-512 -S My.Salt3

mkpasswd asks for a password; just press Enter. Paste the output of mkpasswd into /etc/shadow, where it replaces the gibberish in the second field of the kiosk line. Fields are separated by colons in /etc/shadow, just as in /etc/passwd. Of course, you can use whatever salt you please; the salt above is My.Salt3.

ArchLinux does not have mkpasswd (mkpasswd is already used by expect). Instead use

perl -e 'print crypt("","\$6\$My.Salt3\$") . "\n"'

The first argument of crypt() is the empty string, because we want an empty password.

Check that /etc/ssh/sshd_config has PermitEmptyPasswords set to no.
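An audit that only looks for an empty second field in /etc/shadow misses the kiosk account above, because its field holds a well-formed SHA-512 crypt hash of the empty string. The following added example (not part of the original post) recomputes that hash from each entry's own salt; the function names and the sample entries are made up for illustration, and only the empty field and $6$ hashes are checked.

```python
# Added example (not from the original post): find shadow entries that accept "".
import hashlib
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(pw: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Digest part of a $6$ (SHA-512 crypt) hash, per Drepper's SHA-crypt spec."""
    h, n = hashlib.sha512, len(pw)
    b = h(pw + salt + pw).digest()
    ctx = h(pw + salt + b * (n // 64) + b[:n % 64])
    i = n
    while i:  # one update per bit of the password length
        ctx.update(b if i & 1 else pw)
        i >>= 1
    a = ctx.digest()
    dp = h(pw * n).digest()
    p = dp * (n // 64) + dp[:n % 64]
    s = h(salt * (16 + a[0])).digest()[:len(salt)]
    c = a
    for r in range(rounds):
        c = h((p if r & 1 else c) + (s if r % 3 else b"") +
              (p if r % 7 else b"") + (c if r & 1 else p)).digest()
    out, (x, y, z) = [], (0, 21, 42)
    for _ in range(21):  # crypt's own base64 over permuted byte triples
        w = c[x] << 16 | c[y] << 8 | c[z]
        out += [B64[w >> k & 63] for k in (0, 6, 12, 18)]
        x, y, z = y + 1, z + 1, x + 1
    return "".join(out) + B64[c[63] & 63] + B64[c[63] >> 6]

def empty_password_accounts(shadow_text: str) -> dict:
    """Map user -> reason for each entry that accepts the empty password."""
    found = {}
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        field = rest.split(":")[0]
        if rest and field == "":
            found[user] = "empty password field"
        elif field.startswith("$6$"):  # a leading "!" or "*" (locked) never matches
            parts, rounds = field[3:].split("$"), 5000
            if parts[0].startswith("rounds="):
                rounds = min(max(int(parts[0][7:]), 1000), 999999999)
                parts = parts[1:]
            if len(parts) == 2 and sha512_crypt(b"", parts[0][:16].encode(), rounds) == parts[1]:
                found[user] = "hash of the empty string"
    return found

# Constructed sample in /etc/shadow format; the kiosk hash is computed with the page's salt.
SAMPLE = (f"root:!:19000:0:99999:7:::\nkiosk:$6$My.Salt3${sha512_crypt(b'', b'My.Salt3')}:16258::::::\n"
          "guest::16258::::::\nlocked:!$6$My.Salt3$abc:16258::::::\n")
print(empty_password_accounts(SAMPLE))
```

On a real system, pass the contents of /etc/shadow (read as root) to empty_password_accounts(); entries hashed with other schemes are not evaluated and need a separate check.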

The above kiosk user is an example of a kiosk application. Another application is a shutdown user, i.e., a user whose whole purpose is just to shut down the machine. For a shutdown user one adds the following line to /etc/sudoers:

shutdown ALL=(ALL:ALL) NOPASSWD: /sbin/shutdown

Above commands were digested from two good resources:

  1. How to create a linux user with an empty/blank password
  2. Understanding and generating the hash stored in /etc/shadow (dead link)
  3. How to create an SHA-512 hashed password for shadow?

It is quite surprising that the passwd command does not have an option to set an empty password. However, look at passwd -d, which deletes a user's password and leaves the account passwordless.

In former times it was not unusual for a Unix system to have a guest account, where one can see the current date and time, the people logged into the machine, etc. Nowadays Unix machines with accounts without passwords seem to be quite rare.

Added 16-Mar-2017: Above comments are valid for tty and xdm. For gdm use the procedures as outlined in GDM. It says:

If you want to bypass the password prompt in GDM then simply add the following line on the first line of /etc/pam.d/gdm-password:

auth sufficient pam_succeed_if.so user ingroup nopasswdlogin

Then, add the group nopasswdlogin to your system. See Groups for group descriptions and group management commands.

Now, add your user to the nopasswdlogin group and you will only have to click on your username to login.

Also see Linux pam and /etc/shells.

Categories: Linux, security
Author: Elmar Klausmeier