Goal:
Maintaining a former colleagues system, I want to lock all password logins in order to only allow ssh key based logins.
Infos:
The CentOS 6.5 system does not offer any network based authentication features (no Kerberos, ldap, gssapi etc., /etc/nsswitch.conf knows only "files"). /etc/passwd shows all non-system users I expect.
Issue:
/etc/shadow shows only half of them. Locking their passwords with passwd -l username worked.
Now I would like to see entries for the other users as well and that their passwords are locked, too.
Trial:
Did a passwd -l username for one of the "missing" users, and the system gives me passwd: Success. But I still see no entry for this user in shadow. Any ideas?
I think you should be able to disallow all password logins and allow only key based authentication on the system by setting the below configuration parameters in the global ssh configuration (usually in /etc/ssh/sshd_config):
You will need to reload the sshd service after any change in the config file.
Test more
The definite test of whether the OS knows the data such as password hash, expiry, etc. is:
If the OS can get that data by any means (ldap or something) there is a non-empty line of output:
If I use a text editor to remove a line from /etc/shadow, there is no output.
Locking passwords
Your proposed password locking would work well whether there are shadow lines or not. Non-existing shadow line means a user cannot log in with a password.
Re-populating shadow
Former admins probably created some users by manually editing /etc/passwd. It looks ugly but it's not an error; the OS is designed to handle that. A quick method of re-populating shadow is to loop over all passwd entries with these commands:
This will create the missing /etc/shadow lines as simply login:x::0:::::. The side effect is that all existing /etc/shadow lines will reset the "minimal number of days between consecutive password changes" to zero. But that's not an often used setting and you probably know if you need it (company policy, etc.).
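As an added example (not code from the question or either answer), the script below audits the situation the question describes: which logins in a passwd file have no shadow line at all, and which shadow lines are locked, empty or carry a real hash. It reads the two files directly rather than going through NSS, and the sample passwd/shadow pair it builds is constructed; the `make_sample_files` helper and the file layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example: audit a passwd/shadow pair the way you would before and after
# re-populating /etc/shadow. Run the two functions against /etc/passwd and
# /etc/shadow (as root) for a real check; the sample files here are constructed.

# Logins present in the passwd file ($1) that have no line in the shadow file ($2).
# A user without a shadow line cannot log in with a password at all.
missing_shadow_entries() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# One "login state" pair per shadow line: "locked" when the hash field starts
# with "!" or "*" (what passwd -l produces), "empty" when it is blank, else "set".
shadow_password_states() {
    awk -F: '{ if ($2 == "") s = "empty"; else if ($2 ~ /^[!*]/) s = "locked"; else s = "set"; print $1, s }' "$1"
}

# Constructed sample mirroring the question: every user is in passwd, only
# some have shadow lines, one of those is locked and one has no password set.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:16000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:16000:0:99999:7:::
carol::16000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_files)
echo "users without a shadow line:"
missing_shadow_entries "$sample/passwd" "$sample/shadow"
echo "shadow password states:"
shadow_password_states "$sample/shadow"
```

Any login reported in the first list is a candidate for re-populating shadow; any "empty" state in the second list is a passwordless account worth locking regardless of the sshd settings.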