User created without a password behaves as if he had one

Tags: password, sudo, users

Inside one of my scripts, I created a user based on a directory arrangement on another machine.

The thing is that this user, created without a password, behaves just as if he had one: he has sudo rights but I simply can't sudo because it asks for a password that doesn't exist. I know I could simply passwd him as root, but the devised system has to work without intervention from local root-privileged users.

I also cannot passwd as the user in question since passwd asks me for the same nonexistent password.

I suppose that it is intended behavior, but then what is the eventual default password and what can I do to circumvent this?

EDIT: Here is what the script does:

1: it rsyncs the home directories of the users who should be created or updated in /opt/sshgw/home (sshgw means ssh gateway) from our ssh gateway machine

2: it removes all authorized keys for every user of the machine running the script

3: it removes every user from the wheel group and performs usermod -L (I am not the author of the script and I do not really know why he locks the account, but whatever). Keep in mind that at this point only existing users are modified.

4: it creates users if they have been retrieved from the sshgw and they are not present on the local machine; then, if specified, they are added to the wheel group. It then adds their public keys to their proper home directories and finally performs usermod -U.

The user's entry in /etc/passwd is normal.

Upon calling passwd, the user gets asked his current password (which cannot exist for a user who has just been created without a password, mind you) in this fashion:

[splatpope@monitor sshgw]$ passwd
Changing password for user splatpope.
Changing password for splatpope.
(current) UNIX password:

I guess the culprit is usermod -U.

Best Answer

A user is created by default as a locked account. The field that should contain the password hash in /etc/shadow will contain !!. When an account is locked, that account is available to root only (root can su, but logins aren't allowed). If you 'unlock' the account, which simply removes the !!, you will be allowed to change the password.

[root@test ~]# su - test
[test@test ~]$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
[test@test ~]$ exit
logout
[root@test ~]# passwd -u test
Unlocking password for user test.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)
[root@test ~]# passwd -u test -f
Unlocking password for user test.
passwd: Success
[root@test ~]# su - test
[test@test ~]$ passwd
Changing password for user test.
New password:
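The answer above turns on what sits in the second field of /etc/shadow: "!!" (or "!") for an account created without a password, "!" prefixed to a hash for an account locked with usermod -L or passwd -l, and an empty field once passwd -u -f has stripped the "!!" (which is why passwd warns that the unlocked password would be empty). The following script is an added example, not code from the question or the answer, that classifies shadow entries that way and shows what state each would be left in after an unlock. The sample shadow lines, usernames and hash values are constructed for the demo; nothing is read from the real /etc/shadow.

```shell
#!/bin/sh
# Added example: classify the password field of /etc/shadow-style entries so a
# provisioning script can see whether an account is locked-without-password,
# passwordless, locked-with-hash, disabled, or normally hashed before it
# decides to run "passwd -u -f". Sample data below is constructed.

# Constructed sample shadow entries (hash strings are placeholders, not real).
SAMPLE_SHADOW='root:$6$saltsalt$constructedhash:19000:0:99999:7:::
splatpope:!!:19000:0:99999:7:::
alice:!$6$saltsalt$constructedhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

# shadow_state LINE -> prints one of:
#   locked-empty  "!" or "!!": useradd default, no password ever set
#   empty         empty field: passwordless login, what -u -f leaves behind
#   locked-hash   "!" in front of a hash: usermod -L / passwd -l on a real password
#   no-login      "*": service account, nothing to unlock
#   hashed        a normal password hash
shadow_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;
        '!'|'!!')  echo locked-empty ;;
        '!'*)      echo locked-hash ;;
        '*')       echo no-login ;;
        *)         echo hashed ;;
    esac
}

# after_unlock LINE -> the state the entry would have once the leading "!"
# characters are removed, which is what passwd -u (with -f) does.
after_unlock() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    rest=$(printf '%s\n' "$1" | cut -d: -f3-)
    pw=$(printf '%s\n' "$1" | cut -d: -f2 | sed 's/^!*//')
    shadow_state "$user:$pw:$rest"
}

# report SHADOW_TEXT -> one "user state state-after-unlock" line per entry
report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s %s\n' \
            "$(printf '%s\n' "$line" | cut -d: -f1)" \
            "$(shadow_state "$line")" \
            "$(after_unlock "$line")"
    done
}

# risky_users SHADOW_TEXT -> users whose password field is already empty,
# i.e. accounts that can log in with no password at all.
risky_users() {
    report "$1" | awk '$2 == "empty" { print $1 }'
}

# would_become_empty SHADOW_TEXT -> users an unlock would leave passwordless;
# these are the ones for which passwd -u refuses without -f.
would_become_empty() {
    report "$1" | awk '$2 == "locked-empty" && $3 == "empty" { print $1 }'
}

# Stand-alone run: print the table, then the two watch lists.
report "$SAMPLE_SHADOW"
echo "already passwordless: $(risky_users "$SAMPLE_SHADOW")"
echo "unlock would leave passwordless: $(would_become_empty "$SAMPLE_SHADOW")"
```

Run it against a real shadow file only as root and only with a copy of the file passed in as the text argument; the point of the third column is that for an account in the "locked-empty" state, unlocking is not the same thing as setting a password, and an automated provisioning flow that wants sudo to work should set a hash (or configure NOPASSWD in sudoers) rather than force the field to empty.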