deleted 63 characters in body; edited tags
Rui F Ribeiro

I'm ready to improve structure of the question if it helps.

Notice removed Draw attention by CommunityBot
Bounty Ended with Chris Davies's answer chosen by CommunityBot
added 255 characters in body
Pavel Šimerda

More ideas after reading the first answers

Just an idea – the local root access could be achieved by starting root shells instead of login processes. But there's still the need to lock only password authentication, not public key authentication.

added 182 characters in body
Pavel Šimerda

I must admit that I like servers without passwords in some cases. A typical server is vulnerable to anyone who has physical access to it. So in some cases it is practical to lock it physically and from then on trust any physical access.

Basic concepts

In theory, when I physically reach such a server, I should be able to perform administration tasks without a password by simply typing root as the login and I shouldn't be asked for a password. The same may apply to user accounts but one would not really access them physically. Therefore no system passwords are needed for (occasional) local access.

When accessing the server remotely, either for administration or for a user account, I expect to always use an SSH private key. It is very easy to set up an SSH key for a just created account and thus no system passwords are needed for (regular) remote access.

    # user=...
    #
    # useradd -m "$user"
    # sudo -i -u "$user"
    $ keyurl=...
    $
    $ mkdir -p .ssh
    $ curl -o .ssh/authorized_keys "$keyurl"

The conclusion is that, in theory, we wouldn't need any system passwords for use cases like that. So the question is, how do we configure the system and user accounts to make it happen in a consistent and secure way?

Local access details

How do we ensure the root account can be accessed locally without a password? I don't think we can use passwd -d as that will make root access too permissive and an unprivileged user could switch to root for free, which is wrong. We cannot use passwd -l as it prevents us from logging in.

Update: Note that local access is exclusively about access using the local keyboard. Therefore a valid solution must not allow any user switching (whether using su or sudo).

Remote access details

Until recently the above solution would work but now SSH started to check for locked user accounts. We probably cannot use passwd -d for the same reasons. We cannot use passwd -u as it just complains that it would lead to what passwd -d does.

There's a workaround with a dummy password for this part.

    user=...
    echo -ne "$user:`pwgen 16`\n" | chpasswd

It might also be possible to turn off locked account checking in SSH entirely but it would be nicer to retain the support of locked accounts and just be able to unlock them.

Final notes

What I'm interested in is a solution that would allow you to log in to the root account locally and all accounts including root remotely, without any passwords. On the other hand, a solution must not impact security except in explicitly described ways, especially not by allowing remote users to get access to the root account or other users' accounts. The solution should be sufficiently robust so that it doesn't cause security issues indirectly.

An accepted and awarded answer may or may not describe detailed configuration of individual tools but must contain the key points to reach the stated goals. Note that this probably cannot be solved through conventional use of tools like passwd, ssh, su, sudo and the like.

I'm ready to improve structure of the question if it helps.
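
An added example, not part of the original post: a small audit helper that classifies shadow(5) password fields into the states the question contrasts (emptied by passwd -d, locked by passwd -l, or carrying a hash such as the dummy-password workaround). The function names and the sample lines are constructed for illustration, and the `*` state goes beyond the post as a general shadow convention.

```shell
#!/bin/sh
# Classify the password field (2nd field) of shadow(5)-format lines on stdin.
# Prints one "user:state" line per account. States:
#   empty       - field is empty, as left by `passwd -d`; the post notes this
#                 lets an unprivileged user switch to the account for free
#   locked      - field starts with "!", the marker written by `passwd -l`
#   no-password - field is "*": no hash can match, but no "!" lock marker
#   hash        - anything else, e.g. a real or dummy (pwgen) password hash
classify_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue          # skip blank lines
        case "$field" in
            '')   state=empty ;;
            '!'*) state=locked ;;
            '*')  state=no-password ;;
            *)    state=hash ;;
        esac
        printf '%s:%s\n' "$user" "$state"
    done
}

# Names of accounts whose password field is empty (the risky passwd -d state).
empty_password_accounts() {
    classify_shadow | sed -n 's/:empty$//p'
}

# Constructed sample input; these are not real hashes.
SAMPLE='root::19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:*:19000:0:99999:7:::
carol:$6$constructedsalt$constructedhash:19000:0:99999:7:::'

printf '%s\n' "$SAMPLE" | classify_shadow
```

On a real host the same functions can be fed from `/etc/shadow` as root, for example `empty_password_accounts < /etc/shadow`.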

Notice added Draw attention by Pavel Šimerda
Bounty Started worth 300 reputation by Pavel Šimerda
added 187 characters in body
Pavel Šimerda
Tweeted twitter.com/#!/StackUnix/status/566705080528015360
Pavel Šimerda