[Adduser-devel] Bug#625758: 'adduser --disabled-login' does not behave as documented.

Matthew Woodcraft matthew at woodcraft.me.uk
Thu May 5 17:56:37 UTC 2011

Package: adduser
Version: 3.112+nmu2
Severity: normal

The adduser manpage in squeeze contains the following:

          Do  not  run passwd to set the password.  The user won't be able
          to use her account until the password is set.

          Like --disabled-login, but logins are still possible (for example
          using SSH RSA keys) but not using password authentication.

Similar text has been there for many years, but it hasn't really been
true in Debian since whenever 'UsePAM yes' became the default in
sshd_config: an account created using --disabled-login can still be used
to log in using public-key authentication without a password being set.

I think either the adduser manpage should be changed to not imply that
disabled-login will prevent SSH public-key logins, or else adduser
--disabled-login should be changed to do the equivalent of 'chage -E 1'.

Versions of packages adduser depends on:
ii  debconf [de                     Debian configuration management sy
ii  passwd      1: change and administer password and
ii  perl-base   5.10.1-17                    minimal Perl system
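
The following audit check is an added example, not part of the original report and not adduser code. It lists accounts whose shadow password field cannot match any password but whose account expiry is unset, which is the state the report describes as still open to public-key logins; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not adduser code). Function names are hypothetical.

# Constructed shadow(5) sample lines; the hash below is a placeholder.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:15099:0:99999:7:::
alice:!:15099:0:99999:7:::
bob:*:15099:0:99999:7:::
carol:!:15099:0:99999:7::1:
EOF
}

# Reads shadow(5) lines on stdin, prints login names that have no usable
# password hash yet are not expired, so non-password logins still pass.
# Field 2 = password hash, field 8 = expiry in days since 1970-01-01.
list_unexpired_passwordless() {
    awk -F: -v today="$(( $(date +%s) / 86400 ))" '
        # "!" or "*" at the start is never a valid crypt(3) result.
        $2 ~ /^[!*]/ {
            # Empty means no expiry. shadow(5) calls 0 ambiguous, so report it too.
            if ($8 == "" || $8 + 0 == 0 || $8 + 0 > today) print $1
        }
    '
}

sample_shadow | list_unexpired_passwordless   # prints alice and bob
```

On a real system, run the function as root with /etc/shadow on stdin. System accounts with `*` are listed as well, and whether a key login succeeds for each one still depends on its shell and its authorized_keys file.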
