I'd like to set up a user on my system (Ubuntu 14.04 x64) such that people can run `ssh example@myhost.example.com` and see some output from a program without being prompted for a password or having to have an ssh key. Here's what I have done so far:

  • created the example user with my program as its shell via `adduser example --shell /path/to/my/program`
  • created an empty file at /home/example/.hushlogin to quiet the motd and other login messages

Things are working with the exception that I must complete the password prompt authentication challenge, which I'd like to bypass as this will be a publicly-available service.

Presumably customizing the PAM configuration under /etc/pam.d appropriately might do the trick but I need some guidance on the specifics. I want this change to only affect this specific user account, not every account on the system.

Peter Lyons
  • Use ssh auth with keys. Commands are ssh-keygen and ssh-copy-id – Navern May 23 '15 at 22:34
  • I want this to be a publicly-available program without any authentication whatsoever. I'm not asking about using ssh keys instead of passwords. I'm asking about using neither. – Peter Lyons May 23 '15 at 22:38
  • Any particular reason you're using SSH instead of something that is designed for extending in this fashion, i.e. [SNMP](http://sysadvent.blogspot.com/2008/12/day-4-extending-net-snmps-snmpd.html)? A lot more can go wrong when a user is authenticated to a SSH subsystem compared to being shown the unauthenticated output of a command via SNMP. – Andrew B May 24 '15 at 09:26
  • Mostly because I need a reverse tunnel to have my program access hosts via the end user's system intermediary. I also want the encryption over the wire and the fact that my end users already have ssh clients installed on their systems. – Peter Lyons May 24 '15 at 16:10

1 Answer

Set `PermitEmptyPasswords yes` in `/etc/ssh/sshd_config`, and then make sure the user account has no password.

Michael Hampton
  • You can set this with Match User in /etc/ssh/sshd_config. – Navern May 23 '15 at 22:48
  • Is `passwd -d example` the right way to make sure the user account has no password? I tried your suggestion but I'm still getting prompted and just hitting ENTER does not get past the password prompt. – Peter Lyons May 23 '15 at 23:11
  • Thought about this some more and my line of thinking leads me to believe `PermitEmptyPasswords` would never bypass the password prompt. I don't believe sshd has any system API it can call to ask "is user1's password empty?". It can only ask the system "is this the correct password for user1?" I think `PermitEmptyPasswords` just controls whether sshd automatically reprompts on empty password input without even attempting authentication. – Peter Lyons May 24 '15 at 16:14
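
Added example, not part of the original thread: the question requires that the change affect only the one account, and a comment suggests `Match User`, so this Python check reports every `PermitEmptyPasswords yes` in an sshd_config text that applies outside a `Match User example` block. The function name `empty_password_findings` and both sample configs are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not taken from the thread).
SCOPED = """\
# empty passwords stay off for everyone else
PermitEmptyPasswords no
Match User example
    PermitEmptyPasswords yes
"""
LEAKY = """\
PermitEmptyPasswords yes
Match User example,backup
    PermitEmptyPasswords=yes
Match all
    PermitEmptyPasswords yes
"""

def empty_password_findings(config_text, allowed_user):
    """Return (line_no, scope) for each 'PermitEmptyPasswords yes' that is
    not inside a block opened by exactly 'Match User <allowed_user>'."""
    scope = "global"
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # sshd_config accepts both 'Keyword value' and 'Keyword=value'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()               # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            # A Match block runs until the next Match line or end of file.
            scope = " ".join(value.split())
            continue
        if keyword == "permitemptypasswords" and value.lower() == "yes":
            crit = scope.split()
            scoped = (len(crit) == 2 and crit[0].lower() == "user"
                      and crit[1] == allowed_user)
            if not scoped:                       # global, pattern list, 'all', ...
                findings.append((line_no, scope))
    return findings

if __name__ == "__main__":
    for name, text in (("SCOPED", SCOPED), ("LEAKY", LEAKY)):
        print(name, empty_password_findings(text, "example"))
```

An empty result means the setting is confined to the one account; each finding gives the line number and the scope in which empty passwords would be accepted.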