Can a linux user change their password without knowing the current password?
I'm setting up a few ubuntu boxes, and using opscode's chef as a configuration tool. It would be fairly easy to install public keys for each user on each of these servers, and disable password authentication.

However, the users should also have sudo privileges, which by default requires a password.

If I want to use the users' public keys as a method of access management and allow the users sudo privileges, does that mean I should also set up the users with NOPASSWD: ALL in visudo, or is there a way that a user can change their own password if they only have public key authentication?
ubuntu ssh users sudo password
asked Apr 30 '12 at 15:42 by cwd
How about public-key sudo? (related NYCBUG mailing list thread) – sr_ Apr 30 '12 at 15:57

@sr - doesn't look like this is a mainstream way of doing it... – cwd Apr 30 '12 at 22:26

Why do you want your users to have sudo privileges? I hope you are aware that you give away root access by this. There might be a chance here to invest some time and allow only a subset of commands to be used in connection with sudo (which would be maybe less insecure). Go read man sudoers; it will yield info about having certain commands being able to run with sudo without any user password necessary at all. You can even add a shellscript to /etc/sudoers which would allow a per-user "self-password" setting without the need of a prior password. – humanityANDpeace Jan 8 '13 at 12:17

@humanityANDpeace - I realize this. Our team members all require root access to the cloud servers we maintain. We are now using chef to manage users' public keys and we have a sysadmin group with NOPASSWD: ALL that the team members are part of. If you can suggest a better solution please post it as an answer. – cwd Jan 9 '13 at 0:24
5 Answers
Sudo, in its most common configuration, requires the user to type his password. Typically, the user already used his password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned his console and been hijacked.

In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.

A user normally needs to know his current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.

You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.

You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.

answered May 1 '12 at 1:15, edited Mar 28 '17 at 20:45 by Gilles

one convenient way of using PAM in combination with SSH key authentication is via pam_ssh_agent_auth, which has the advantage of replacing the password prompt by the (theoretically even more secure) key authentication SSH can use anyway – Tobias Kienzler Oct 23 '14 at 19:19

so you are saying sudo passwd would change the password for the current user, not for the sudo user? – still_dreaming_1 Mar 28 '17 at 15:43

@still_dreaming_1 No, I'm saying that a user who can run commands with sudo can change their own password. The exact command doesn't really matter, but to go into more detail, it would be sudo passwd bob where bob is the user's name, or something equivalent. With no argument, sudo passwd would indeed change the password for root. – Gilles Mar 28 '17 at 20:47
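As an added example, not part of Gilles' answer, here is a small POSIX shell audit of the two settings the answer names, run against sshd_config and common-auth samples that are constructed inline (no real host file is read). Two details matter in practice and are encoded in the checks: sshd_config uses first-match semantics, so a PasswordAuthentication no that comes after an earlier yes (or after a Match block) has no effect on ordinary connections, and keyboard-interactive authentication (KbdInteractiveAuthentication, formerly ChallengeResponseAuthentication, default yes) still lets PAM present a password prompt even when PasswordAuthentication is no. One caveat the answer does not spell out: on Ubuntu /etc/pam.d/sudo also pulls in common-auth, so commenting out pam_unix.so there removes the password from sudo as well as from ssh.

```shell
#!/bin/sh
# Added example, not code from the original answer: audit whether a host's
# sshd_config and PAM common-auth actually leave only public-key SSH login.
# Sample config files are constructed below; nothing on the real host is read.

# Print the effective value of a single-valued sshd_config keyword.
# sshd uses the FIRST occurrence of a keyword (sshd_config(5)); lines after a
# "Match" block are conditional and ignored here; "Include" directives are not
# followed (use "sshd -T" for the merged view).  Keywords match
# case-insensitively and "Keyword=value" is accepted like "Keyword value".
# $1 may be a lowercase alternation such as "foo|bar" for aliased keywords.
sshd_effective() {            # usage: sshd_effective <keyword> <file> [default]
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    v=$(awk -v kw="$kw" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comment or blank line
        { gsub(/=/, " "); key = tolower($1) }     # re-split "Keyword=value"
        key == "match"       { exit }             # conditional section starts
        key ~ ("^(" kw ")$") { print tolower($2); exit }
    ' "$2")
    printf '%s\n' "${v:-$3}"
}

# True when ordinary SSH connections cannot authenticate with a password.
# Both keywords default to "yes" when absent.  KbdInteractiveAuthentication
# is the OpenSSH 8.7+ name of ChallengeResponseAuthentication; sshd treats
# them as aliases, so the first occurrence of either spelling wins.
key_only_ssh() {              # usage: key_only_ssh <sshd_config>
    pw=$(sshd_effective PasswordAuthentication "$1" yes)
    kbd=$(sshd_effective 'kbdinteractiveauthentication|challengeresponseauthentication' "$1" yes)
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# True when a PAM stack still contains an active "auth ... pam_unix.so" line,
# i.e. UNIX password authentication has NOT been commented out.
pam_unix_auth_enabled() {     # usage: pam_unix_auth_enabled <pam-file>
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_unix\.so' "$1"
}

# --- constructed samples (no real host files are touched) ----------------
TMP=$(mktemp -d)
cat >"$TMP/sshd_good" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match User rescue
    PasswordAuthentication yes
EOF
cat >"$TMP/sshd_bad" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
passwordauthentication = No
EOF
cat >"$TMP/common_auth" <<'EOF'
# auth [success=1 default=ignore] pam_unix.so nullok
auth    requisite   pam_deny.so
auth    required    pam_permit.so
EOF

for f in sshd_good sshd_bad; do
    if key_only_ssh "$TMP/$f"; then
        echo "$f: key-only (password and keyboard-interactive both off)"
    else
        echo "$f: a password login path is still open"
    fi
done
if pam_unix_auth_enabled "$TMP/common_auth"; then
    echo "common-auth: pam_unix password authentication is active"
else
    echo "common-auth: pam_unix password authentication is commented out"
fi
```

On a real host point key_only_ssh at /etc/ssh/sshd_config; the authoritative view, which also follows Include files and applies defaults, is `sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication'` run as root.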
You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry

    auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

before the other auth (or include) entries in /etc/pam.d/sudo and

    Defaults env_keep += "SSH_AUTH_SOCK"

to /etc/sudoers (via visudo).

Now every user can either authenticate to sudo via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c such that each sudo call will at least require some confirmation.

answered Jan 8 '13 at 9:41 by Tobias Kienzler

On a related matter, there's pam_ssh, which allows you to use your SSH passphrase instead of the unix one for login, automatically starting an agent and adding the key - thus providing you with a single sign-on possibility. – Tobias Kienzler Jan 8 '13 at 9:43
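As an added example, not part of the answer above, the following POSIX shell script checks that a sudo PAM stack and a sudoers file are wired the way the answer describes, using constructed sample files. The two conditions it tests are exactly the ones the answer states: the pam_ssh_agent_auth line must come before the other auth (or include) entries, because on Ubuntu common-auth ends in a requisite pam_deny.so, so if it runs first a failed password ends the stack before the agent is ever consulted; and sudoers must keep SSH_AUTH_SOCK, because sudo resets the environment by default and the module would otherwise find no agent socket.

```shell
#!/bin/sh
# Added example, not code from the original answer: verify that pam_ssh_agent_auth
# is the first auth entry of a pam.d stack and that sudoers keeps SSH_AUTH_SOCK.
# Sample files are constructed below; nothing under /etc is read or written.

# List the active auth entries of a pam.d file in stack order, one per line,
# as "<module-or-included-file> <control>".  "@include x" and "auth include x"
# both appear as "x include"; a leading "-" (ignore a missing module) and
# bracketed controls such as [success=1 default=ignore] are handled.
pam_auth_stack() {               # usage: pam_auth_stack <pam-file>
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "@include" { print $2 " include"; next }
        $1 == "auth" || $1 == "-auth" {
            ctl = $2; i = 3
            if (ctl ~ /^\[/) {                    # bracketed control spans fields
                ctl = ""
                for (i = 2; i <= NF; i++) {
                    ctl = ctl (ctl == "" ? "" : " ") $i
                    if ($i ~ /\]$/) break
                }
                i++                               # field after the closing "]"
            }
            print $i " " ctl
        }
    ' "$1"
}

# True when the very first auth entry is "auth sufficient pam_ssh_agent_auth.so".
agent_auth_first() {             # usage: agent_auth_first <pam-file>
    pam_auth_stack "$1" | head -n 1 | {
        read -r mod ctl _ && [ "$mod" = pam_ssh_agent_auth.so ] && [ "$ctl" = sufficient ]
    }
}

# True when a sudoers file (or an /etc/sudoers.d drop-in) keeps SSH_AUTH_SOCK.
sudoers_keeps_agent_sock() {     # usage: sudoers_keeps_agent_sock <sudoers-file>
    grep -Eq '^[[:space:]]*Defaults[[:space:]].*env_keep[[:space:]]*\+?=.*SSH_AUTH_SOCK' "$1"
}

# --- constructed samples -------------------------------------------------
TMP=$(mktemp -d)
cat >"$TMP/pam_sudo.good" <<'EOF'
#%PAM-1.0
auth    sufficient  pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account
session required    pam_permit.so
EOF
cat >"$TMP/pam_sudo.bad" <<'EOF'
#%PAM-1.0
@include common-auth
auth    sufficient  pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
EOF
printf 'Defaults env_reset\nDefaults env_keep += "SSH_AUTH_SOCK"\n' >"$TMP/sudoers.good"
printf 'Defaults env_reset\n' >"$TMP/sudoers.bad"

for f in pam_sudo.good pam_sudo.bad; do
    echo "== $f"; pam_auth_stack "$TMP/$f"
    if agent_auth_first "$TMP/$f"; then echo "   agent authentication is tried first"
    else echo "   WARNING: the password stack runs before pam_ssh_agent_auth"; fi
done
for f in sudoers.good sudoers.bad; do
    if sudoers_keeps_agent_sock "$TMP/$f"; then echo "$f: SSH_AUTH_SOCK kept"
    else echo "$f: SSH_AUTH_SOCK scrubbed by env_reset"; fi
done
```

Point agent_auth_first at /etc/pam.d/sudo and sudoers_keeps_agent_sock at /etc/sudoers (or each file in /etc/sudoers.d) to check a real host; the grep only sees one file at a time, so run it on every drop-in.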
Yes, it's incredibly insecure and also allows a user to access the other users' passwords, but since they have sudo, not much you can do.

Basically, you do the following:

    $ sudo -i

Now, we are root. We have access to everything.

    # passwd $username

$username can be anyone's username.

    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

Boom, password changed. Again, incredibly insecure because you can change anyone's, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.

looks good but can you elaborate on what's going on here? – cwd Apr 30 '12 at 22:27

It's not possible to do sudo -i without the current user's password. – kravemir May 1 '12 at 19:51

@Miro. It is as you say. Still, a sudo bash could be passwordless given that setup in the /etc/sudoers file. I think @jrg is, as said, more focusing on the insecurity issue with sudo here – humanityANDpeace Jan 8 '13 at 12:19

honestly, you don't have to do sudo -i, you can jump straight to sudo passwd $username. @Miro, you don't need to know the current user password. You only need to know the root password to use sudo – Antony Jan 6 '14 at 3:40
The point of the password is to ensure that hackers who obtain a user's key, or find an unattended terminal, can't gain root access. For this reason I wouldn't recommend any solution that involves passwordless sudo.

I suggest you keep it simple: perhaps email a user the default password with strict instructions to change it ASAP, or else insert a script in their .profile or .login or something such that it demands a new password on their first login. It could disable itself when completed, and you could use expect to enter the existing password so they never have to know it.
    useradd -g somegroup someuser
    usermod -p "" someuser      # sets an empty password field in /etc/shadow (no hash at all)
    chage -d 0 someuser         # last-change date 0: forces a password change at first login
    sed -i "s/^.*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config
    /sbin/service sshd restart
    # copy only the public keys, not root's whole ~/.ssh (it may hold private keys)
    mkdir -m 700 ~someuser/.ssh
    cp ~/.ssh/authorized_keys ~someuser/.ssh/
    chown -R someuser:somegroup ~someuser/.ssh
    chmod 600 ~someuser/.ssh/authorized_keys
    echo "%somegroup ALL=(ALL) ALL" >> /etc/sudoers   # run visudo -c afterwards to check the syntax

This should allow you to have users who can log in only using public keys and cannot use passwords for login. However, each user will be forced to change the password the first time he logs in, but without having to be told some dummy password up front. The users will simply be asked to reset the password, and subsequently they can use it only for sudo but will not be able to log in (ssh) using that password. Note that the trick here is not to have told users some dummy password which they would then be required to input at login time, when they are required to change their password. In a nutshell, no communication from the admin (root) to the actual user is required.

Hope that helps
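As an added example, not part of the answer above, this POSIX shell script classifies accounts from /etc/shadow-format lines so an admin can verify the state the procedure leaves behind. The classification follows shadow(5): an empty password field means no password is required to authenticate (where the application, and pam_unix's nullok option, allow it), a field beginning with ! or * is locked or unusable, and a last-change date of 0 (what chage -d 0 sets) forces a change at the next login. The shadow lines are constructed for the example and the hash shown is a placeholder, not a real password hash.

```shell
#!/bin/sh
# Added example, not code from the original answer: report the password state
# of accounts from /etc/shadow-format lines.  Per shadow(5): an empty 2nd
# field means no password is required (where the application and pam_unix
# nullok permit it), "!"/"*" means locked or unusable, and a last-change date
# (3rd field) of 0 forces a change at next login, which "chage -d 0" sets.
# Sample lines below are constructed; the hash is a placeholder.

# Print "<user>: <state>" for one shadow line.
shadow_state() {                 # usage: shadow_state '<one shadow line>'
    printf '%s\n' "$1" | awk -F: '{
        pw = $2; last = $3
        if (pw == "")          st = "EMPTY-PASSWORD"   # passwordless wherever nullok applies
        else if (pw ~ /^[!*]/) st = "locked"
        else                   st = "hashed"
        if (last == "0")       st = st ",must-change"  # chage -d 0
        print $1 ": " st
    }'
}

# Run shadow_state over every non-empty line of a file in shadow format.
audit_shadow() {                 # usage: audit_shadow <file>
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] || shadow_state "$line"
    done <"$1"
}

# Number of accounts with an empty password field: this is the figure an admin
# wants after the procedure above, and it should drop to zero once every user
# has logged in and set a password.
count_empty_passwords() {        # usage: count_empty_passwords <file>
    audit_shadow "$1" | grep -c 'EMPTY-PASSWORD' || true
}

# --- constructed sample (placeholder hash, not a real one) ---------------
TMP=$(mktemp -d)
cat >"$TMP/shadow.sample" <<'EOF'
root:!:19000:0:99999:7:::
someuser::0:0:99999:7:::
alice:$6$examplesalt$exampleplaceholderhash:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
EOF

audit_shadow "$TMP/shadow.sample"
echo "accounts with an empty password field: $(count_empty_passwords "$TMP/shadow.sample")"
```

Against the live file this is `audit_shadow /etc/shadow` as root; the someuser line above is exactly what the procedure produces (empty field plus must-change), which is why checking that the empty-password count returns to zero is the follow-up worth automating.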
You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
before the other auth
(or include
) entries in /etc/pam.d/sudo
and
Defaults env_keep += "SSH_AUTH_SOCK"
to /etc/sudoers
(via visudo
).
Now every user can either authenticate to sudo
via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c
such that each sudo
call will at least require some confirmation.
On a related matter, there's pam_ssh, which allows to use your SSH passphrase instead of the unix one for login, automatically starting an agent and adding the key - thus providing you with a single sign-on possibility.
– Tobias Kienzler
Jan 8 '13 at 9:43
add a comment |
You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
before the other auth
(or include
) entries in /etc/pam.d/sudo
and
Defaults env_keep += "SSH_AUTH_SOCK"
to /etc/sudoers
(via visudo
).
Now every user can either authenticate to sudo
via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c
such that each sudo
call will at least require some confirmation.
On a related matter, there's pam_ssh, which allows to use your SSH passphrase instead of the unix one for login, automatically starting an agent and adding the key - thus providing you with a single sign-on possibility.
– Tobias Kienzler
Jan 8 '13 at 9:43
add a comment |
You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
before the other auth
(or include
) entries in /etc/pam.d/sudo
and
Defaults env_keep += "SSH_AUTH_SOCK"
to /etc/sudoers
(via visudo
).
Now every user can either authenticate to sudo
via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c
such that each sudo
call will at least require some confirmation.
You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
before the other auth
(or include
) entries in /etc/pam.d/sudo
and
Defaults env_keep += "SSH_AUTH_SOCK"
to /etc/sudoers
(via visudo
).
Now every user can either authenticate to sudo
via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c
such that each sudo
call will at least require some confirmation.
answered Jan 8 '13 at 9:41
Tobias Kienzler
4,404104690
On a related matter, there's pam_ssh, which allows to use your SSH passphrase instead of the unix one for login, automatically starting an agent and adding the key - thus providing you with a single sign-on possibility.
– Tobias Kienzler
Jan 8 '13 at 9:43
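As an added check (example code, not part of the answer above and not code from the pam_ssh_agent_auth project): a POSIX shell lint for the two pieces of that setup. It verifies that the pam_ssh_agent_auth line is the first auth rule in the PAM service file (on Debian/Ubuntu a line placed after @include common-auth is only reached after the password stack has already prompted or denied), that the sudoers file keeps SSH_AUTH_SOCK (sudo's default env_reset strips it, so the module would find no agent socket), and it warns when the file= argument points at a user-owned path such as ~/.ssh/authorized_keys, because anyone who takes over the unprivileged account can then append a key of their own and pass the sudo check. The sample file contents are constructed for the example and the function names are assumptions.

```sh
#!/bin/sh
# Added example: lint the PAM and sudoers pieces of a pam_ssh_agent_auth setup.
# Paths are whatever the caller passes in; nothing here touches /etc.

# 0 when the first auth-phase rule in a PAM service file is the
# pam_ssh_agent_auth entry, 1 otherwise. Debian's "@include common-auth" and
# Red Hat's "auth include system-auth" both count as auth-phase rules, so a
# module listed after them only runs once the password stack has decided.
pam_agent_is_first_auth_rule() {
    first_auth=$(grep -E '^[[:space:]]*(auth[[:space:]]|@include[[:space:]])' "$1" | head -n 1)
    case "$first_auth" in
        *pam_ssh_agent_auth.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when a sudoers file (or sudoers.d fragment) keeps SSH_AUTH_SOCK across
# sudo's env_reset, which the PAM module needs to reach the caller's agent.
sudoers_keeps_agent_socket() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=.*SSH_AUTH_SOCK' "$1"
}

# Prints the authorized_keys path given in the file= argument of the
# pam_ssh_agent_auth entry (empty when there is no such entry).
pam_agent_keys_file() {
    sed -n 's/.*pam_ssh_agent_auth\.so.*file=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Combined check: 0 when agent authentication for sudo can work, 1 otherwise.
# A user-owned key file (~ or %h prefix) is reported but does not fail the
# check; it is the trade-off the configuration above makes.
lint_sudo_agent_setup() {
    pam_file="$1"; sudoers_file="$2"; rc=0
    if ! pam_agent_is_first_auth_rule "$pam_file"; then
        echo "$pam_file: pam_ssh_agent_auth.so is not the first auth rule" >&2; rc=1
    fi
    if ! sudoers_keeps_agent_socket "$sudoers_file"; then
        echo "$sudoers_file: SSH_AUTH_SOCK is not in env_keep" >&2; rc=1
    fi
    keys=$(pam_agent_keys_file "$pam_file")
    case "$keys" in
        "~"*|"%h"*) echo "$pam_file: key file $keys is user-owned; whoever holds the account can add a key to it" >&2 ;;
    esac
    return "$rc"
}

# Stand-alone demo on constructed sample files (not real system config).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys' '@include common-auth' > "$tmp/sudo.good"
    printf '%s\n' '@include common-auth' 'auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys' > "$tmp/sudo.late"
    printf '%s\n' 'Defaults env_reset' 'Defaults env_keep += "SSH_AUTH_SOCK"' > "$tmp/sudoers.good"
    printf '%s\n' 'Defaults env_reset' > "$tmp/sudoers.bad"
    lint_sudo_agent_setup "$tmp/sudo.good" "$tmp/sudoers.good" && echo "sudo.good + sudoers.good: agent auth usable"
    lint_sudo_agent_setup "$tmp/sudo.late" "$tmp/sudoers.bad" || echo "sudo.late + sudoers.bad: agent auth would not work"
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the constructed samples checked, or call lint_sudo_agent_setup /etc/pam.d/sudo /etc/sudoers on a real host; if the env_keep line lives in a sudoers.d fragment, pass that fragment instead.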
Yes, it's incredibly insecure and also allows a user to access the other users' passwords, but since they have sudo, not much you can do.
Basically, you do the following:
$ sudo -i
Now, we are root. We have access to everything.
# passwd $username
$username can be anyone's username.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Boom, password changed. Again, incredibly insecure because you can change anyone's, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.
edited May 1 '12 at 11:26
answered Apr 30 '12 at 16:08
jrg
2,14321515
looks good but can you elaborate on what's going on here?
– cwd
Apr 30 '12 at 22:27
3
It's not possible to do sudo -i without current user password.
– kravemir
May 1 '12 at 19:51
@Miro. It is as you say. Still a sudo bash could be passwordless given that setup so in the /etc/sudoers file. I think @jrg is as said more focusing on the insecurity issue with sudo here
– humanityANDpeace
Jan 8 '13 at 12:19
honestly, you don't have to do sudo -i, you can jump straight to sudo passwd $username. @Miro, you don't need to know the current user password. You only need to know the root password to use sudo
– Antony
Jan 6 '14 at 3:40
The point of the password is to ensure that hackers who obtain a user's key, or find an unattended terminal, can't gain root access. For this reason I wouldn't recommend any solution that involves passwordless sudo.
I suggest you keep it simple: perhaps email a user the default password with strict instructions to change it ASAP, or else insert a script in their .profile or .login or something such that it demands a new password on their first login. It could disable itself when completed, and you could use expect to enter the existing password so they never have to know it.
answered May 1 '12 at 19:04
ams
4,38711123
# useradd -g somegroup someuser
# usermod -p "" someuser        # empty password field: there is no password to hand out
# chage -d 0 someuser           # last change on day 0, so the first login forces a new password
# sed -i "s/^.*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config
# /sbin/service sshd restart    # the service is called "ssh" on Ubuntu
# install -d -m 700 -o someuser -g somegroup ~someuser/.ssh
# install -m 600 -o someuser -g somegroup ~/.ssh/authorized_keys ~someuser/.ssh/authorized_keys
# echo "%somegroup ALL=(ALL) ALL" > /etc/sudoers.d/somegroup
# chmod 440 /etc/sudoers.d/somegroup && visudo -cf /etc/sudoers.d/somegroup

This should allow you to have users who can log in only using public keys and cannot use passwords for login. However, they will be forced to change the password the first time they log in, but without having been told some dummy password up front. The users will simply be asked to reset the password, and subsequently they can use it only for sudo but will not be able to log in (ssh) using that password. Note that the trick here is not to have told users some dummy password which they would then be required to input at login time once they are required to change their password. In a nutshell, no communication from the admin (root) to the actual user is required.
Hope that helps
edited Feb 3 '14 at 17:59
answered Jan 27 '14 at 20:01
hardeep
111
@humanityANDpeace - I realize this. Our team members all require root access to the cloud servers we maintain. We are now using chef to manage users' public keys and we have a sysadmin group with NOPASSWD: ALL that the team members are part of. If you can suggest a better solution please post it as an answer.
– cwd
Jan 9 '13 at 0:24