I had a need to create a ‘guest’ account in one of my linux installs which allows anonymous users within a trusted intranet to login to a specially crafted script. One of the issues that I was faced with was with passwd refusing to accept a blank password. To let empty password logins, we must manually change the account password.
When we look at /etc/shadow, we will see something similar to:
The underlined part is the password hash. The hash is delimited by $. Things to know:
- first $1 means the hash is a md5 hash
- second $ADUODeAy is the salt
- third $gRz7rO6P5lFcPpYwqd7Eb0 is the actual password hash
To generate this hash manually, we can use openssl:
# openssl passwd -1 -salt ADUODeAy Password: [enter] $1$ADUODeAy$eCJ1lPSxhSGmSvrmWxjLC1
Note that the first parameter, -1, tells openssl to use md5 to generate the hash. This is the same 1 from the original hash above.
Replace the existing hash in /etc/shadow with the hash generated by openssl. The account now essentially has an empty password.
- You will need to temporarily change the permission of /etc/shadow in order to write to it.
- You will need to enable ‘PermitEmptyPasswords’ in /etc/ssh/sshd_config for empty password logins to work
- This can easily be a security risk to your machine! Ensure the account and server is locked down or use SSH keys for passwordless logins! Remember, by default, users can SSH tunnel through this guest account. You must consider the implications of enabling such an account on your machine.