Ubuntu – Is there some default password for a new user in Linux

passwordUbuntuusers

I am a Windows user gradually moving towards Linux. In Windows we have an option of either having or not having some password for a user. Once we do not put a password we can directly log in to the system.

However, in Linux this is not possible as every user must have a password. Even if one does not give a password not typing anything and simply pressing the Return key doesn't log one in (unlike Windows). Is there some default password set for every user or any other mechanism by means of which a password is always assigned?

Best Answer

Authentication can be handled in many different ways in Linux. Password authentication via /etc/passwd and /etc/shadow is the usual default. There is no default password.

A user is not required to have a password. In a typical setup a user without a password will be unable to authenticate with the use of a password. This is common for system users which are used to run daemons, but are not intended to be used directly by a human.

You can configure Linux to allow login to the desktop automatically, or allow login without a password. Authentication is done via PAM, which is highly configurable. The Arch wiki offers the following PAM configuration for login without a password:

If you want to bypass the password prompt in GDM then simply add the following line on the first line of /etc/pam.d/gdm-password:

auth sufficient pam_succeed_if.so user ingroup nopasswdlogin

Then, add the group nopasswdlogin to your system. See Groups for group descriptions and group management commands. Now, add your user to the nopasswdlogin group and you will only have to click on your username to login.

Related Solutions

Why user and root passwords cannot be empty on Linux

You can have users without passwords. It's just a very frowned upon practice.
The low level tools like passwd support it (passwd -d to make a password empty). But the high level friendly tools that are provided by the distribution are generally what don't allow it.

Security – Is Passwordless Sudo for `apt-get update` and `apt-get upgrade` Safe?

Allowing a less trusted user to run apt-get update is ok. They worst they can do is consume a lot of bandwidth and fill up some disk space, and they have plenty of other means to do this unless you've taken stringent measures to prevent this.

Allowing a user to run apt-get upgrade is likely to give them root access. Some packages query the user and might allow a shell escape; for example the user who has access to the terminal that apt-get upgrade (or any dpkg -i call) is running on might get prompted for what to do if a configuration file has been updated, and one of the options there is to run a shell to examine the situation.

You need to restrict the command some more:

#!/bin/sh
set -ex
exec </dev/null >"/var/log/automatic-apt-upgrade-$(date +%Y%m%d-%H%M%S)-$SUDO_USER.log" 2>&1
apt-get --assume-no upgrade

This shouldn't give the user a way to become root, since they can't interact with the package manager. As upgrades can sometimes break a system, and a user with only these permissions wouldn't be able to repair anything, this should only be done with a stable release, with only security updates pending. If it's a kernel update, let a user with full root access decide when to trigger a reboot.

By the way, the user wouldn't be able to inject package content — to do that, they'd need to be in control of the server distributing the package, and in addition to the server signing the package if the package is signed (which is the case for all official sources). It's irrelevant for this attack vector who's in command of the machine at the time of the upgrade.

All this being said… use unattended-upgrades, if that's what you want.

Best Answer

Related Solutions

Why user and root passwords cannot be empty on Linux

Security – Is Passwordless Sudo for `apt-get update` and `apt-get upgrade` Safe?

Related Question