Creating a Passwordless Account in Ubuntu
July 31st, 2007
For years, people have been asking how to create a guest account with no password in Ubuntu. Usually, someone replies that this a security risk and warns against proceeding. Then some other people recognize it as a security risk but still try to help the person… to no avail. The most commonly suggested “solution” is sudo passwd -d username, which is supposed to delete the password for username, at least according to man passwd:
-d, –delete
Delete a user’s password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless.
It does not work on Ubuntu, though.
A year and a half ago, someone created what I view as being a fairly complex workaround editing the PAM config and maintaining a separate text file listing users who are allowed a passwordless login. I’m not sure if that works or not, but the most straightforward way I could think to do this is copy what was done on the Ubuntu live CD. After all, on the Ubuntu live CD (also known as the Desktop CD), the username is ubuntu, but you’re not required to enter a password—you can just press Enter for the password and log in.
So I looked at the /etc/shadow file, which holds encrypted passwords for all users, on the live CD and found that the encrypted password for the user ubuntu is U6aMy0wojraho. So I tried editing the /etc/shadow file on my own installation of Ubuntu and changing the password for a test user from its previous encrypted password to U6aMy0wojraho, and I was able to log in as that user without entering a password.
You can find my new HowTo in the Tutorials and Tips section of the Ubuntu Forums.
August 1st, 2007 at 04:03
Very Clever… Wouldn’t have thought about it myself.
August 1st, 2007 at 05:25
I hadn’t thought of it for a while, and then I saw a thread in which someone claimed to be prompted for a username and password on the live CD.
That made me search for the live CD password, and through my research I found out the password didn’t exist, so I got curious. If it’s blank, what’s in the /etc/shadow file, then?
August 12th, 2007 at 21:03
Is this different from going into System/Admin/Login and enabling the Auto-Login feature? That’s what I use. It logs me in without asking for a password, but I DO have a password for any sudo operations that are required.
So much better than the stupid UAC in Vista – you don’t need a password for that, you just have to click “Allow”.
And while I’m on the subject, I love that Ubuntu assumes that you’re authorised for a certain amount of time after the first password challenge. Anyone who’s had to enable/disabled network cards in Vista is tearing their hair out at the endless UAC prompts while doing so…
August 12th, 2007 at 23:56
Yes, this is completely different from autologin.
For autologin, you have to pick a particular account that will log in after a certain time, and that account does have a password… you just don’t have to enter the password.
For this tutorial, you’re actually creating a separate account that doesn’t autologin and it has no password. People often request this for family members who do not want to be bothered with remembering a password… or for guests to the family computer. They do not want an autologin because they have several accounts.
August 23rd, 2007 at 19:43
Funny, I just set up a guest account on my Kubuntu machine and had the same problem. (“sudo passwd -d guest” didn’t let “guest” log in without a password, but instead prompted an error.)
Luckily, KDM (Kubuntu’s login GUI) has a setting that allows you to specify which users can log in without typing in their password. So what I did was make a password for the guest account, but in the Login Manager under “Convenience” I allowed “guest” to log in without it. Perhaps GDM has a similar setting? If not, it may be possible to use KDM with Gnome without installing KDE… I’m not sure.
However, I must admit that the whole /etc/shadow U6aMy0wojraho thing is very clever. I wonder what password they encrypted to get that?
October 24th, 2007 at 04:00
> U6aMy0wojraho thing is very clever.
> I wonder what password they encrypted to get that?
Probably ‘password’ :-)
July 4th, 2008 at 20:14
I guess for me, the main question would be: “WHY”? As in, “Why would anyone want to do this?” Linux was meant to be a secure O/S. Trying to make it “contort into weird shapes” just to accommodate mentally lazy :) family members seems like a waste of time and resources.
Why not do what I did with my in-laws? Just make their usernames and passwords the same as their first names, AND enable auto-login. They seem happy with that. Everyone knows their first name. And if they don’t, well… maybe they have bigger problems to deal with than a login screen? I’m just saying.
July 19th, 2008 at 21:07
“Why would anyone want to do this?”
My son is 2, although he can navigate noggin.com or pbskids.org just fine he seem to get hung up on the password part of login or he could just be lazy.
August 15th, 2008 at 12:15
We develop on ubuntu. We are on a secure network. Engineers look at passwords on development system to be a pain. Going from system to system to system changing code and running tests is much easier than loging in with a password. There is no reason to have a password because if the system gets screwed up I just rebuild it any way. I’m not saying this is a good idea but this is one reason to not have a password. On 5.01 there are three things to change in the pam conf file that makes all users passwordless. It works well for us. Thanks.
January 21st, 2009 at 14:07
Very useful trick, I’m the only one on our family pc with sudo privileges, and this way the other family members don’t need to remember passwords.
Also, since sshd has ‘PermitEmptyPasswords’ set to ‘no’, it’s actually more secure than just giving them weak passwords.
BTW: I found out it is indeed an encrypted empty string:
richard:~$ mkpasswd –salt=’U6′ ”
U6aMy0wojraho
March 16th, 2009 at 06:23
http://lists.debian.org/debian-user/2005/11/msg00228.html
You can delete the user’s password and change the following lines in /etc/pam.d/common-auth, changing:
auth required pam_unix.so nullok_secure
to:
auth required pam_unix.so nullok
April 17th, 2009 at 18:49
Nice bit of open source reverse engineering ;)