Ubuntu
adduser package

adduser --disabled-login still allows for SSH RSA keys login

Bug #1180553 reported by Rodney Beede on 2013-05-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	adduser (Ubuntu)	New	Undecided	Unassigned

Bug Description

adduser --disabled-login --gecos "" --shell /bin/bash testuser

I am not prompted for a password as expect, but if I create a .ssh/authorized_keys file (say it was in my /etc/skel/) in the home directory of the new user I can login as that user using SSH keys. The --disabled-password is meant for that.

I should not be able to login at all.

Ubuntu 13.04 64-bit Server edition.

The fix would be to also set the account to be immediately expired in the same manner as doing "usermod --expiredate 1" does in addition to marking the password disabled.

If this fix cannot be done then the man page for adduser should be updated to warn about this.

Revision history for this message

Rodney Beede (business2008+launchpad) wrote on 2013-05-15:

Corrected package

affects:

shadow (Ubuntu) → adduser (Ubuntu)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuadduser package

adduser --disabled-login still allows for SSH RSA keys login

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
adduser package