57

I am running the SliTaz distro, and would like to completely remove the root password. I have tried giving a blank password to the `passwd` command; however, that did not seem to do the trick. It gave me an error that the password was too short, and it still asked me for a password when I ssh-ed in. The password was just hitting the "Enter" key.

UPDATE:
Perhaps it has to do with the fact that slitaz uses dropbear for ssh? Because even with a blank password for root in /etc/shadow, it still prompts for a password.

Plazgoth
  • See http://unix.stackexchange.com/questions/7283/how-can-i-make-a-user-able-to-log-in-with-ssh-keys-but-not-with-a-password – Dmitry Pashkevich Dec 11 '13 at 19:53
  • What you're trying to do is "set a blank password", not "remove the root password". Removing the root password implies that it has no password, rather than having a blank one. – WhyNotHugo Nov 13 '20 at 12:17

1 Answer

95

● Do you really want to allow logins without a password? If so, try `passwd -d root` (see warnings below)

● Do you really want to have an empty password? `echo root: | chpasswd` or, if that is rejected, `echo "root:$(mkpasswd -s </dev/null)" | chpasswd -e` (see warnings below)

● For those coming here in search of a way to block password login for root, you have options:

  1. `passwd -l root` disables (locks), `passwd -u root` re-enables (unlocks) the root password.
  2. sshd option `PasswordAuthentication no` disables password authentication for all users (via ssh)
  3. sshd option `PermitRootLogin no` disables root login (via ssh)
  4. sshd option `PermitRootLogin prohibit-password` disables root login with password (via ssh)

Notes and warnings:

  • ⚠️ Make sure you have a way to log in even if you accidentally lock your password. For example, a second user with full sudo access. (If you try to configure no / an insecure password, your system might actually lock you out.)
  • `passwd -d root` can allow for root login without password!
  • ⚠️ this is a terrible idea on systems connected to the internet. Don't do it except in an isolated host or network. An empty password is arguably worse.
  • that's why your system setup might still disallow logins without password (or with empty password) if you remove the password (or set it to the empty string). Especially via SSH.
  • SSH with public keys, and something like `ssh-agent`, is the way to go if you want the convenience of not repeatedly entering your password
  • SSH with public keys, and an unencrypted private key, is the way to go if you want to run commands from remote scripts. There is a `PermitRootLogin forced-commands-only` sshd option; when set, the remote script can only trigger specific commands that you need to configure on the server.

Usually, passwords are saved in salted & hashed form in `/etc/shadow`. For more information, read the manpage with `man 5 shadow`. Authentication can be blocked in the configuration of the SSH server (see `man sshd_config`) or in the OS's authentication system (see "PAM" - Linux Pluggable Authentication Modules).

tiwo
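An added example, not part of the original answer: a read-only audit of the two places the answer points to, the password field in `/etc/shadow` and the OpenSSH `sshd_config` options. The function names and the constructed sample files are assumptions, the fallback values are OpenSSH's defaults, and PAM and dropbear settings are not checked.

```shell
#!/bin/sh
# Added example: read-only audit of the root password field and sshd options.

# shadow_state FILE USER -> empty | locked | set | missing
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "") print "empty"            # state left by passwd -d
            else if ($2 ~ /^[!*]/) print "locked"  # "!" prefix from passwd -l, or "*"
            else print "set"
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# sshd_opt FILE KEYWORD DEFAULT -> effective global value
# sshd keeps the first value it reads; keywords are case-insensitive.
# Simplifications (assumptions): stops at the first Match block, does not
# follow Include, and expects "Keyword value" separated by whitespace.
sshd_opt() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { v = $2; exit }
        END { print (v == "" ? d : v) }' "$1"
}

# empty_root_ssh_login SHADOW SSHD_CONFIG -> "possible" | "blocked: <reason>"
# Defaults passed below are the OpenSSH defaults; PAM is not inspected.
empty_root_ssh_login() {
    [ "$(shadow_state "$1" root)" = empty ] || { echo "blocked: root password not empty"; return; }
    [ "$(sshd_opt "$2" PasswordAuthentication yes)" = yes ] || { echo "blocked: PasswordAuthentication"; return; }
    [ "$(sshd_opt "$2" PermitRootLogin prohibit-password)" = yes ] || { echo "blocked: PermitRootLogin"; return; }
    [ "$(sshd_opt "$2" PermitEmptyPasswords no)" = yes ] || { echo "blocked: PermitEmptyPasswords"; return; }
    echo possible
}

# Constructed sample data; the shadow line is the one quoted in the comments.
tmp=$(mktemp -d)
printf '%s\n' 'root::13525:0:99999:7:::' > "$tmp/shadow"
printf '%s\n' '# constructed sshd_config' 'PermitRootLogin yes' > "$tmp/sshd_config"
echo "root password field: $(shadow_state "$tmp/shadow" root)"
echo "empty-password root login over ssh: $(empty_root_ssh_login "$tmp/shadow" "$tmp/sshd_config")"
rm -rf "$tmp"
```

On a live host, point the functions at `/etc/shadow` and `/etc/ssh/sshd_config` as root; a result of `possible` means the account needs `passwd -l root` or one of the sshd options listed above.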
  • 40
    I can't resist the urge to add that having a passwordless root login is in most (all?) cases a bad idea. – InternetSeriousBusiness Jul 28 '12 at 11:58
  • 1
    Nope that did not work on my system. This is what I turned up as well from Google. However it still asks for a password – Plazgoth Jul 28 '12 at 11:58
  • Does `passwd -d root` give any error? What's in your `/etc/shadow`? – tiwo Jul 28 '12 at 12:02
  • no errors. It does what it is supposed to, the /etc/shadow is correct `root::13525:0:99999:7:::` – Plazgoth Jul 28 '12 at 12:04
  • 6
    Then you may have an issue with your SSH config: See the [sshd_config(5) manpage](http://unixhelp.ed.ac.uk/CGI/man-cgi?sshd_config+5), esp. `PermitEmptyPasswords`, `PermitRootLogin`. – tiwo Jul 28 '12 at 12:07
  • Would this work if you have a shadow file in both /dev/sda3 and /dev/sdb3? – Jeff Apr 10 '14 at 20:59
  • 72
    More likely, rather than having the password for root simply be blank, you'd like to lock the password so that it won't match any input. `passwd --lock root` or `passwd -l root` – MeatFlavourDev Jul 21 '15 at 15:19
  • 4
    What @JeremyFelix said is precisely what I needed; that should have been the answer! – ELLIOTTCABLE May 05 '16 at 04:38
  • 5
    @InternetSeriousBusiness You seem to forget to mention *why* an empty root password is a problem. Some time ago I realized that you can `su` from an ordinary user account without a password, which is a privilege escalation that turns an application exploit into a system exploit. – Pavel Šimerda Feb 11 '17 at 12:31
  • I misunderstood this question and answer, and ran this on a public server. I thought it was removing the *option* of a password, as in "removing the ability to login via password". Luckily I had nothing on the server! – DanRedux Jul 06 '18 at 04:01
  • Doesn't empty password allow anyone to login without a password or key? I recall using a boot CD to rescue a system I forgot the password to. I was able to temporarily login from the console by entering nothing as the password. – user324747 Apr 10 '20 at 22:19