SSH – How to allow unauthenticated logins over SSH on FreeBSD

authentication freebsd pam ssh sshd

I created an account ckurs on my FreeBSD 10 workstation. This account uses a custom shell-script as a login-shell that attaches the user to a tmux-session in read-only mode. I have sufficiently convinced myself that this is safe.

I would like to give others the ability to log in to the user ckurs without providing any form of authentication (no password, no keys, nothing). In the past, I set a simple password for this account, but getting users to type that in correctly always caused a little kerfuffle, so I'd like to avoid that.

I started by setting a blank password with pw usermod ckurs -w none. This works for local logins and su but not when I log in via ssh. Instead, authentication is refused after prompting for a password three times.

What option do I need to set where in order to allow login without a password? Best would be a configuration that only applied to that one account.

I believe I have not changed any configuration regarding authentication on the system. I believe the system uses PAM to authenticate users by default (I'm not sure though). The PAM configuration hasn't been changed from the defaults delivered by FreeBSD 10.

Best Answer

To allow unauthenticated login over SSH using PAM, all of the following must be configured:

  • The user account must have “no password” set. This is different from “empty password” and can be achieved with

    pw usermod <user> -w none
    
  • In sshd_config, the following option must be set before UsePAM is set, otherwise the option is ignored:

    PermitEmptyPasswords yes
    
  • In the PAM configuration file for sshd, the pam_unix module in the auth category must be loaded with the nullok option, e.g.

    auth        required    pam_unix.so     no_warn try_first_pass nullok
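
Added example (not part of the original answer): a defensive audit in Python that reports which accounts meet all three conditions listed above, so an administrator can confirm that only the intended account accepts SSH logins without credentials. The sample file contents, the `guest` account and the `/usr/local/bin/ro-tmux` shell path are constructed; the script assumes PAM is in use and evaluates only the global section and literal `Match User` blocks of sshd_config.

```python
# Added example: audit which accounts accept SSH logins with no credentials.
# All file contents below are constructed samples, not taken from a real host.

def _fields(text):
    """Yield whitespace-split fields of each non-empty, comment-stripped line."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts

def permit_empty(sshd_config, user):
    """Effective PermitEmptyPasswords for user. Only the global section and
    literal `Match User a,b` blocks are evaluated (assumption: no patterns)."""
    scope, seen = "global", {}
    for key, *args in _fields(sshd_config):
        key = key.lower()
        if key == "match":
            hit = len(args) == 2 and args[0].lower() == "user" and user in args[1].split(",")
            scope = "user" if hit else "skip"
        elif key == "permitemptypasswords" and args:
            seen.setdefault(scope, args[0].lower() == "yes")  # first value wins
    return seen.get("user", seen.get("global", False))

def pam_nullok(pam_conf):
    """True if an auth line loads pam_unix with the nullok option."""
    for f in _fields(pam_conf):
        mod = [i for i, x in enumerate(f) if x.startswith("pam_unix")]
        if f[0] == "auth" and mod and "nullok" in f[mod[0] + 1:]:
            return True
    return False

def blank_password_users(master_passwd):
    """Accounts whose password field (2nd of 10 in master.passwd) is blank."""
    rows = (l.split(":") for l in master_passwd.splitlines() if not l.startswith("#"))
    return [r[0] for r in rows if len(r) == 10 and r[1] == ""]

def passwordless_ssh_accounts(sshd_config, pam_conf, master_passwd):
    """Accounts for which all three conditions from the answer hold."""
    if not pam_nullok(pam_conf):
        return []
    return [u for u in blank_password_users(master_passwd) if permit_empty(sshd_config, u)]

SSHD = "PermitEmptyPasswords no\nMatch User ckurs\n    PermitEmptyPasswords yes\n"
PAM = "auth required pam_unix.so no_warn try_first_pass nullok\n"
PASSWD = ("root:$6$constructed:0:0::0:0:Charlie &:/root:/bin/csh\n"
          "ckurs::1001:1001::0:0:viewer:/home/ckurs:/usr/local/bin/ro-tmux\n"
          "guest::1002:1002::0:0:guest:/home/guest:/bin/sh\n")

if __name__ == "__main__":
    print(passwordless_ssh_accounts(SSHD, PAM, PASSWD))
```

On a real host the three strings would be read from the sshd configuration, the PAM file for sshd and master.passwd; any account in the output other than the intended one is a finding.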
    