
Goal:

Maintaining a former colleague's system, I want to lock all password logins in order to allow only ssh key-based logins.

Info:

  • The CentOS 6.5 system does not offer any network-based authentication features (no Kerberos, LDAP, GSSAPI etc.; /etc/nsswitch.conf knows only "files").

  • /etc/passwd shows all non-system users I expect.

Issue:

/etc/shadow shows only half of them. Locking their passwords with passwd -l username worked. Now I would like to see entries for the other users as well, and to have their passwords locked, too.

Trial:

I did a passwd -l username for one of the "missing" users, and the system gives me passwd: Success. But I still see no entry for this user in shadow. Any ideas?

MarkHelms

2 Answers


I think you should be able to disallow all password logins and allow only key-based authentication on the system by setting the configuration parameters below in the global ssh configuration (usually /etc/ssh/sshd_config):

PubkeyAuthentication yes
PasswordAuthentication no

You will need to reload the sshd service after any change in the config file.

Rohit Nagpal

Thanks, but besides a correct config for sshd, which you advise and which I already have in place, I also want a "normal" shadow file... – MarkHelms Aug 30 '17 at 07:52

Test more

The definitive test of whether the OS knows the data such as password hash, expiry, etc. is:

getent shadow thatuser

If the OS can get that data by any means (LDAP or something), there is a non-empty line of output:

getent shadow thatuser
thatuser:x:::::::

If I use a text editor to remove a line from /etc/shadow, there is no output.

Locking passwords

Your proposed password locking would work well whether there are shadow lines or not. A non-existent shadow line means a user cannot log in with a password.

Re-populating shadow

Former admins probably created some users by manually editing /etc/passwd. It looks ugly but it's not an error; the OS is designed to handle that. A quick method of re-populating shadow is to loop over all passwd entries with this command:

chage -m 0 thatuser

This will create the missing /etc/shadow lines as simply login:x::0:::::. The side effect is that all existing /etc/shadow lines will have the "minimal number of days between consecutive password changes" reset to zero. But that's not an often-used setting, and you probably know if you need it (company policy, etc.).

kubanczyk
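An added example (not code from the question or from either answer) that puts the answer's procedure into a reviewable script: find passwd entries with no shadow line, audit which regular users still have an unlocked hash, and print the chage -m 0 / passwd -l plan for the missing ones. It assumes CentOS 6 conventions (regular users start at UID 500, nfsnobody at UID 65534 is a system account) and uses constructed sample files so it can be run without root.

```shell
# Added example: not code from the question or either answer.
# Assumes CentOS 6 conventions (regular users have UID >= 500; nfsnobody,
# UID 65534, is a system account). Applying the plan requires root.

# Logins with a passwd entry (UID >= min_uid) but no line in the shadow
# file. Reads explicit files; on the live box `getent shadow <user>` is
# the NSS-aware check, as the answer above describes.
users_missing_shadow() {
    passwd_file=$1 shadow_file=$2 min_uid=${3:-500}
    awk -F: -v min="$min_uid" '
        NR == FNR { seen[$1] = 1; next }            # first file: shadow
        $3 >= min && $3 != 65534 && !($1 in seen) { print $1 }
    ' "$shadow_file" "$passwd_file"
}

# Regular users whose shadow hash field is not locked: it is empty or
# does not start with "!" or "*". Conservative; review before acting.
unlocked_users() {
    passwd_file=$1 shadow_file=$2 min_uid=${3:-500}
    awk -F: -v min="$min_uid" '
        NR == FNR { if ($3 >= min && $3 != 65534) regular[$1] = 1; next }
        ($1 in regular) && $2 !~ /^[!*]/ { print $1 }
    ' "$passwd_file" "$shadow_file"
}

# Repair plan for users with no shadow line: chage -m 0 creates the line,
# passwd -l then locks it. Printed for review rather than executed.
repair_plan() {
    users_missing_shadow "$@" | while read -r user; do
        printf 'chage -m 0 %s\n' "$user"
        printf 'passwd -l %s\n' "$user"
    done
}

# Constructed sample files (not from the question); prints their directory.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$hash:17000:0:99999:7:::
alice:!!:17000:0:99999:7:::
bob:$6$constructed$hash:17000:0:99999:7:::
EOF
    echo "$dir"
}
```

On the real system, run as root after review: `repair_plan /etc/passwd /etc/shadow | sh`, then confirm with `unlocked_users /etc/passwd /etc/shadow` that no regular user is left with a usable hash.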