We help IT Professionals succeed at work.

How to ssh PAM authentication with any login info?

Balbir Singh
Balbir Singh asked
on
I am trying to configure that using ssh any use should be able to login to my server, with or without password ( preferable ). I played with nullok which doesn't require a user to enter the password but I have to create a user and let that user have 'empty password' I am wonder if there is any other way so that any with with empty password should be allowed to login.
Comment
Watch Question

Never use empty passwords.  You should use ssh keys.
the pam_permit modules allow to let anyone access w/o passwords

that said, i see no reason why anybody in his right mind would want to do that
Fractional CTO
Distinguished Expert 2019
Commented:
1) To log into servers with no password (like CRON backups) is an essential part of admin. The way you do this is by creating empty passprase keys to use. For example...

ssh-keygen -q -N '' -b 2048 -t rsa -f ~/.ssh/backup.rsa -C 'Backup Key'

Open in new window


2) Be careful with empty passphrase keys, as once someone has the private key, they can login anywhere. So never deploy your private key anywhere, ever.

3) Best practice when using an empty passphrase key, is to limit the connection to only allowing the rsync command to run. In other words, the key can be used for rsync, then blocked for all other commands, like ssh/sftp.

https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/ provides a good overview of how to do this.

Fairly simple ~/.ssh/authorized_keys modification to the key entry.
... and note that using ssh keys does not require messy and otherwise dangerous pam configurations
David FavorFractional CTO
Distinguished Expert 2019

Commented:
As skullnobrains suggested, messing around with PAM can cause large time drains + open security holes.

Generally I just prefer disabling PAM + sticking with SSH keys.