For years, people have been asking how to create a guest account with no password in Ubuntu. Usually, someone replies that this a security risk and warns against proceeding. Then some other people recognize it as a security risk but still try to help the person… to no avail. The most commonly suggested “solution” is sudo passwd -d username, which is supposed to delete the password for username, at least according to man passwd:

-d, –delete
Delete a user’s password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless.

It does not work on Ubuntu, though.

A year and a half ago, someone created what I view as being a fairly complex workaround editing the PAM config and maintaining a separate text file listing users who are allowed a passwordless login. I’m not sure if that works or not, but the most straightforward way I could think to do this is copy what was done on the Ubuntu live CD. After all, on the Ubuntu live CD (also known as the Desktop CD), the username is ubuntu, but you’re not required to enter a password—you can just press Enter for the password and log in.

So I looked at the /etc/shadow file, which holds encrypted passwords for all users, on the live CD and found that the encrypted password for the user ubuntu is U6aMy0wojraho. So I tried editing the /etc/shadow file on my own installation of Ubuntu and changing the password for a test user from its previous encrypted password to U6aMy0wojraho, and I was able to log in as that user without entering a password.

You can find my new HowTo in the Tutorials and Tips section of the Ubuntu Forums.

14 Responses to “Creating a Passwordless Account in Ubuntu”

  1. Frak Says:

    Very Clever… Wouldn’t have thought about it myself.

  2. ubuntucat Says:

    I hadn’t thought of it for a while, and then I saw a thread in which someone claimed to be prompted for a username and password on the live CD.

    That made me search for the live CD password, and through my research I found out the password didn’t exist, so I got curious. If it’s blank, what’s in the /etc/shadow file, then?

  3. Scaine Says:

    Is this different from going into System/Admin/Login and enabling the Auto-Login feature? That’s what I use. It logs me in without asking for a password, but I DO have a password for any sudo operations that are required.

    So much better than the stupid UAC in Vista – you don’t need a password for that, you just have to click “Allow”.

    And while I’m on the subject, I love that Ubuntu assumes that you’re authorised for a certain amount of time after the first password challenge. Anyone who’s had to enable/disabled network cards in Vista is tearing their hair out at the endless UAC prompts while doing so…

  4. ubuntucat Says:

    Yes, this is completely different from autologin.

    For autologin, you have to pick a particular account that will log in after a certain time, and that account does have a password… you just don’t have to enter the password.

    For this tutorial, you’re actually creating a separate account that doesn’t autologin and it has no password. People often request this for family members who do not want to be bothered with remembering a password… or for guests to the family computer. They do not want an autologin because they have several accounts.

  5. kwilliam Says:

    Funny, I just set up a guest account on my Kubuntu machine and had the same problem. (“sudo passwd -d guest” didn’t let “guest” log in without a password, but instead prompted an error.)

    Luckily, KDM (Kubuntu’s login GUI) has a setting that allows you to specify which users can log in without typing in their password. So what I did was make a password for the guest account, but in the Login Manager under “Convenience” I allowed “guest” to log in without it. Perhaps GDM has a similar setting? If not, it may be possible to use KDM with Gnome without installing KDE… I’m not sure.

    However, I must admit that the whole /etc/shadow U6aMy0wojraho thing is very clever. I wonder what password they encrypted to get that?

  6. Very Vegan Says:

    > U6aMy0wojraho thing is very clever.
    > I wonder what password they encrypted to get that?

    Probably ‘password’ :-)

  7. lonetruth Says:

    I guess for me, the main question would be: “WHY”? As in, “Why would anyone want to do this?” Linux was meant to be a secure O/S. Trying to make it “contort into weird shapes” just to accommodate mentally lazy :) family members seems like a waste of time and resources.

    Why not do what I did with my in-laws? Just make their usernames and passwords the same as their first names, AND enable auto-login. They seem happy with that. Everyone knows their first name. And if they don’t, well… maybe they have bigger problems to deal with than a login screen? I’m just saying.

  8. shindig Says:

    “Why would anyone want to do this?”

    My son is 2, although he can navigate noggin.com or pbskids.org just fine he seem to get hung up on the password part of login or he could just be lazy.

  9. Chuck Says:

    We develop on ubuntu. We are on a secure network. Engineers look at passwords on development system to be a pain. Going from system to system to system changing code and running tests is much easier than loging in with a password. There is no reason to have a password because if the system gets screwed up I just rebuild it any way. I’m not saying this is a good idea but this is one reason to not have a password. On 5.01 there are three things to change in the pam conf file that makes all users passwordless. It works well for us. Thanks.

  10. Richard Says:

    Very useful trick, I’m the only one on our family pc with sudo privileges, and this way the other family members don’t need to remember passwords.
    Also, since sshd has ‘PermitEmptyPasswords’ set to ‘no’, it’s actually more secure than just giving them weak passwords.

    BTW: I found out it is indeed an encrypted empty string:
    richard:~$ mkpasswd –salt=’U6′ ”
    U6aMy0wojraho

  11. Dimas Says:

    http://lists.debian.org/debian-user/2005/11/msg00228.html

    You can delete the user’s password and change the following lines in /etc/pam.d/common-auth, changing:
    auth required pam_unix.so nullok_secure
    to:
    auth required pam_unix.so nullok

  12. Danny Says:

    Nice bit of open source reverse engineering ;)

  13. Fred Says:

    Whoever is in charge of PAM should stop trying to make it hard to do what people running systems actually want to do. And the reason we want to do what we want to do is really none of the business of the people who provide services. Security people in general should stop imagining that they know best. They don’t.

    Could the person in charge of PAM please remove all of the foolishness and allow people to set their password to nothing by simply pressing [enter] twice for their password? Or at least let root do this? What constitutes “secure” is a function of the system in its application, and not a function of some notional rule. Systems should be built to make it easy to do what the people running them want to do. Not hard to do something the programmer thinks the people running the system should not want to do.

    And then there is the issue of backward compatibility. Stop making changes that make things that use to work no longer work. At a minimum set the defaults to allow what used to work to work again.

    By the way, I have tried each and every one of the thinks identified here and all have failed. So my secure menu system that requires no login and my proxy servers that are based on the user identity without passwords, and all of the other things that worked before no longer work under the new security police state being created by the so-called security people trying to prevent use.

    The real goal is to facilitate use. Please remove the barriers to productivity and allow people running systems to do what they want to do with their systems.

  14. ubuntucat Says:

    I don’t know about the other links, but I just tried the last link (editing the /etc/shadow file) on Saucy (Ubuntu 13.10), and it works just fine.

Leave a Reply