1

I created an Ubuntu server in VirtualBox and created an additional user. Then I locked it with passwd -l user. Now when I try to ssh as that user, it keeps asking for a password, but even if I enter the password that was there before locking, it appears it isn't valid. I'm new to Ubuntu so I'm a bit confused here.

Artyom Tsoy

2 Answers

3

A locked password doesn't mean the system won't ask for a password. It will ask for a password but it is impossible to give a correct password and login. That's how it works. If you unlock the password the old password will be reset.

From man passwd:

   -l, --lock
       Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it
       adds a ´!´ at the beginning of the password).

       Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To
       disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

   -u, --unlock
       Unlock the password of the named account. This option re-enables a password by changing the password back to its previous value (to the value
       before using the -l option).

I'm not sure the manual is correct when it says it adds a ! to the beginning of the password; I think it adds that ! to the beginning of the hashed value in /etc/shadow. Please correct me if I'm wrong.

falconer
  • So to login as locked user over ssh I need to unlock it, login through ssh normally, and then lock it again? Or there is workaround? – Artyom Tsoy Jan 24 '14 at 10:53
  • @DemoZluk If you want to use password based authentication in the ssh and "login" technically you have to do that, yes. But as the manual says, you can use e.g. key-based authentication in the ssh and then it is not needed to have an unlocked account. (as the key based authentication doesn't care about the account password, just about the key.) You can also switch to that user account with sudo su USERNAME if you need that kind of solution. – falconer Jan 24 '14 at 10:57
  • @DemoZluk If you tell me what you want to achieve I can point you in the right direction. But now I'm a little bit confused about what you are trying to achieve. :) – falconer Jan 24 '14 at 11:04
  • Well, I plan to do key-based authentication. I added public key of host machine to user .ssh/authorized_keys, so I thought it would be sufficient for ssh. I need to add some option to login just with my public key, so it wouldn't ask for password? – Artyom Tsoy Jan 24 '14 at 11:13
  • @DemoZluk Ok. Please check the answers here. Those should do what you want. If not, report back. – falconer Jan 24 '14 at 11:23
  • @DemoZluk Likely you just didn't allow PubkeyAuthentication in the server's /etc/ssh/sshd_config – falconer Jan 24 '14 at 11:26
  • Well the most strange thing is that I can login normally to my guest machine, but when I try to access as new user it prompts for password. – Artyom Tsoy Jan 24 '14 at 12:02
0

Well, in the end I figured out the source of the problem. Actually I had the permissions all messed up, because I created .ssh/authorized_keys with sudo, and chmod 700 set permissions to read and change permissions only for the superuser...
Also, I needed to ssh to the host machine to add it to list_of_known_hosts

Artyom Tsoy
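The failure described in the last answer (key files created with sudo, so the account cannot read them and ssh falls back to the password prompt) can be checked for with a short audit of the paths involved. This is an added example, not part of the original posts; the function names audit_ssh_keys and repair_ssh_keys are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): audit the paths used for
# public-key login to an account. Assumes GNU coreutils stat.

# audit_ssh_keys HOME_DIR EXPECTED_UID
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ssh_keys() {
    local home="$1" uid="$2" problems=0 path owner mode
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # Simplification: require the account itself to own the path. This
        # catches the case from the answer, where sudo left the files owned
        # by root with mode 700 and unreadable by the account.
        if [ "$owner" != "$uid" ]; then
            echo "OWNER    $path is owned by uid $owner, expected $uid"
            problems=$((problems + 1))
        fi
        # Group- or world-writable paths let other users plant keys.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE     $path has mode $mode (writable by group or others)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# repair_ssh_keys HOME_DIR UID
# Resets ownership and modes; run it with sudo when the files belong to root.
repair_ssh_keys() {
    local home="$1" uid="$2"
    chown "$uid" "$home/.ssh" "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chmod go-w "$home"
}

# Usage: bash check.sh /home/USERNAME "$(id -u USERNAME)"
if [ "$#" -eq 2 ]; then
    audit_ssh_keys "$1" "$2"
fi
```

A clean audit together with a locked password (passwd -l) leaves the key as the only way to log in to that account over ssh.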