# Remove user password (to prevent ssh login using password).



## martin_ (Mar 2, 2013)

How to remove a user's password and thus block that user from logging in with ssh (I use a key to log in)? I tried it to be empty, but a funny thing happens - it lets me in with no password.


----------



## fonz (Mar 2, 2013)

martin_ said:

> How to remove user password and thus block user from logging in with ssh (I use key to log in)?


Use vipw(8) to set the user's password to "*", as in this example:
	
	



```
fonz:*:1001:10000::0:0:A.J. "Fonz" van Werven:/home/fonz:/bin/tcsh
```

martin_ said:

> I tried it to be empty, but funny thing happens - it lets me in with no password.


Of course it does. That's normal behaviour.


----------



## martin_ (Mar 2, 2013)

Thanks both fonz for perfect answer (it worked exactly like *I* expected) and DutchDaemon for perfect grammar (I am emulated speaker (non-native :stud), working on my English every day!).


----------



## fluca1978 (Mar 4, 2013)

Please consider that _OpenSSH_ has specific options for AllowUsers and DenyUsers.


----------



## fonz (Mar 4, 2013)

fluca1978 said:
			
		

> Please consider that _OpenSSH_ has specific options for AllowUsers and DenyUsers.


Also look at PasswordAuthentication and ChallengeResponseAuthentication, to be found in /etc/ssh/sshd_config and explained in the manpage sshd_config(5).


----------



## kpa (Mar 4, 2013)

The safest option to disable an account is to use pw(8):

`# pw usermod name -h -`



> If a value of '-' is given as the argument fd, then the
> password will be set to '*', rendering the account inaccessible
> via password-based login.


----------



## fonz (Mar 4, 2013)

kpa said:
			
		

> `# pw usermod name -h -`


That essentially does the same as my vipw(8) solution except that it's a single command and therefore a bit less error-prone than editing /etc/master.passwd, provided that one can remember the exact pw(8) syntax, which many find challenging.


----------



## kpa (Mar 4, 2013)

Remembering that a star in the password field represents a disabled account can be equally challenging.


----------



## martin_ (Mar 5, 2013)

Thanks for detailed expertise. For me both answers are quite challenging, so all I will remember is that I asked this question here.


----------



## johnd (Mar 5, 2013)

Why not just use

`# pw lock name`
`# pw unlock name`

Very easy to remember.


----------



## fluca1978 (Mar 6, 2013)

johnd said:
			
		

> Why not just use
> 
> `# pw lock name`
> `# pw unlock name`
> ...



Not sure but the question was to prevent the user to log in via ssh, so I guess the account should not be locked at all. Anyway all this thread is full of a set of options that allows the author to do nearly everything he wants with the account.


----------



## fonz (Mar 6, 2013)

fluca1978 said:
			
		

> Not sure but the question was to prevent the user to log in via ssh,


No, the question was to prevent the user from logging in using a password and to only allow logging in over SSH _using a keyfile_.


----------



## fluca1978 (Mar 6, 2013)

fonz said:
			
		

> No, the question was to prevent the user from logging in using a password and to only allow logging in over SSH _using a keyfile_.



Then locking the account is not the answer, tweaking the sshd_config is.
Again, the user now has enough information to do what he wants.


----------
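An added example, not written by any poster in this thread: a small sh/awk audit that classifies the password field of master.passwd-format lines (empty, `*`, or the `*LOCKED*` prefix that `pw lock` writes) and reports the global value of the two sshd_config keywords mentioned above. The function names and every sample line except fonz's are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data is constructed unless noted otherwise.

# Classify field 2 (the password field) of master.passwd(5) lines read from stdin.
classify_passwd() {
    awk -F: '
        /^#/ || NF < 2     { next }
        $2 == ""           { print $1 ": EMPTY (no password required)"; next }
        $2 ~ /^\*LOCKED\*/ { print $1 ": LOCKED (pw lock)"; next }
        $2 == "*"          { print $1 ": DISABLED (no password login)"; next }
                           { print $1 ": SET (non-empty field, treated as a hash)" }
    '
}

# Print the global value of sshd_config keyword $1, read from stdin.
# sshd uses the first value it finds; keywords are case-insensitive.
# Lines after the first Match block are conditional, so scanning stops there.
sshd_setting() {
    awk -v key="$1" '
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value" too
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# Demo on constructed input (only the fonz line comes from the thread).
classify_passwd <<'EOF'
fonz:*:1001:10000::0:0:A.J. "Fonz" van Werven:/home/fonz:/bin/tcsh
martin::1002:1002::0:0:constructed user:/home/martin:/bin/sh
guest:*LOCKED*$6$constructedhash:1003:1003::0:0:constructed user:/home/guest:/bin/sh
EOF

sample_sshd='PasswordAuthentication no
#ChallengeResponseAuthentication yes'
for k in PasswordAuthentication ChallengeResponseAuthentication; do
    printf '%s: %s\n' "$k" "$(printf '%s\n' "$sample_sshd" | sshd_setting "$k")"
done
```

On a real system, run as root with `classify_passwd < /etc/master.passwd` and `sshd_setting PasswordAuthentication < /etc/ssh/sshd_config`; an "unset" result means the compiled-in default described in sshd_config(5) applies.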

