Can a linux user change their password without knowing the current password?












Score: 19

I'm setting up a few Ubuntu boxes, and using Opscode's Chef as a configuration tool. It would be fairly easy to install public keys for each user on each of these servers, and disable password authentication.

However, the users should also have sudo privileges, which by default requires a password.

If I want to use the users' public keys as a method of access management and allow the users sudo privileges, does that mean I should also set up the users with NOPASSWD: ALL in visudo, or is there a way that a user can change their own password if they only have public key authentication?










  • (score 3) How about public-key sudo? (related NYCBUG mailing list thread)
    – sr_, Apr 30 '12 at 15:57

  • @sr - doesn't look like this is a mainstream way of doing it...
    – cwd, Apr 30 '12 at 22:26

  • Why do you want your users to have sudo privileges? I hope you are aware that you give away root access by this. There might be a chance here to invest some time and allow only a subset of commands to be used in connection with sudo (which would be maybe less insecure). Go man sudoers will yield info about having certain commands being able to run with sudo without user password necessary at all. You can even add a shellscript to /etc/sudoers which would allow a per user "self-password" setting without the need of a prior password.
    – humanityANDpeace, Jan 8 '13 at 12:17

  • @humanityANDpeace - I realize this. Our team members all require root access to the cloud servers we maintain. We are now using chef to manage users' public keys and we have a sysadmin group with NOPASSWD: ALL that the team members are part of. If you can suggest a better solution please post it as an answer.
    – cwd, Jan 9 '13 at 0:24
















Tags: ubuntu, ssh, users, sudo, password






asked Apr 30 '12 at 15:42 by cwd








5 Answers

Score: 18

Sudo, in its most common configuration, requires the user to type his password. Typically, the user already used his password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned his console and been hijacked.



In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.



A user normally needs to know his current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.



You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.



You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.






  • one convenient way of using PAM in combination with SSH key authentication is via pam_ssh_agent_auth, which has the advantage of replacing the password prompt by the (theoretically even more secure) key authentication SSH can use anyway
    – Tobias Kienzler, Oct 23 '14 at 19:19

  • so you are saying sudo passwd would change the password for the current user, not for the sudo user?
    – still_dreaming_1, Mar 28 '17 at 15:43

  • (score 1) @still_dreaming_1 No, I'm saying that a user who can run commands with sudo can change their own password. The exact command doesn't really matter, but to go into more detail, it would be sudo passwd bob where bob is the user's name, or something equivalent. With no argument, sudo passwd would indeed change the password for root.
    – Gilles, Mar 28 '17 at 20:47



















Score: 7

You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry



auth       sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys


before the other auth (or include) entries in /etc/pam.d/sudo



and



Defaults    env_keep += "SSH_AUTH_SOCK"


to /etc/sudoers (via visudo).



Now every user can either authenticate to sudo via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c such that each sudo call will at least require some confirmation.






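The following is an added example, not code from this answer or from Gilles's answer above: a small POSIX shell audit that checks, against constructed sample files, the settings Gilles's answer calls for (PasswordAuthentication no in sshd_config, the pam_unix.so auth line disabled in common-auth) together with the two entries this answer adds (pam_ssh_agent_auth before every other auth entry in /etc/pam.d/sudo, and SSH_AUTH_SOCK kept in sudoers). The function names, file names and sample contents are assumptions made for the example; nothing on the host is read or changed, so it runs unprivileged.

```shell
#!/bin/sh
# Added example: offline checks for the key-only login / agent-backed sudo setup.
# All paths are constructed samples written by write_samples (assumed layout).

# Effective value of an sshd_config keyword. sshd takes the first uncommented
# occurrence, so a later duplicate or the default "#PasswordAuthentication yes"
# does not count. Match blocks are not handled by this simplified lookup.
sshd_option() {  # sshd_option <sshd_config> <Keyword>  -> prints the value
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeeds (exit 0) when an active "auth ... pam_unix.so" line remains, i.e.
# the stack still accepts Unix passwords; commented-out lines are ignored.
pam_unix_auth_active() {  # pam_unix_auth_active <pam-file>
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1"
}

# The pam_ssh_agent_auth entry must come before every other auth line,
# @include lines included, otherwise the included modules run first.
agent_auth_first() {  # agent_auth_first <pam.d/sudo>
    first=$(grep -E '^[[:space:]]*(auth[[:space:]]|@include[[:space:]])' "$1" | head -n 1)
    case "$first" in
        *pam_ssh_agent_auth.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo resets the environment by default; the module only finds the agent when
# SSH_AUTH_SOCK is listed in an env_keep += "..." line.
sudoers_keeps_agent_socket() {  # sudoers_keeps_agent_socket <sudoers>
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*".*SSH_AUTH_SOCK' "$1"
}

# One line per finding; exit 0 only when every check passes.
audit_report() {  # audit_report <sshd_config> <common-auth> <pam.d/sudo> <sudoers>
    rc=0
    [ "$(sshd_option "$1" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: sshd still accepts passwords ($1)"; rc=1; }
    if pam_unix_auth_active "$2"; then echo "FAIL: pam_unix auth still active in $2"; rc=1; fi
    agent_auth_first "$3" || { echo "FAIL: pam_ssh_agent_auth is not the first auth entry in $3"; rc=1; }
    sudoers_keeps_agent_socket "$4" || { echo "FAIL: SSH_AUTH_SOCK is not kept by sudo ($4)"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: key-only login with agent-backed sudo"; fi
    return "$rc"
}

# Constructed sample files modelled on Ubuntu defaults (not copied from any host).
write_samples() {  # write_samples <dir>
    cat > "$1/sshd_config" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/common-auth.default" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
    cat > "$1/common-auth.hardened" <<'EOF'
# auth  [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
    cat > "$1/sudo.good" <<'EOF'
auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account
EOF
    cat > "$1/sudo.bad" <<'EOF'
@include common-auth
auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-account
EOF
    cat > "$1/sudoers" <<'EOF'
Defaults        env_reset
Defaults        env_keep += "SSH_AUTH_SOCK"
%sysadmin ALL=(ALL) ALL
EOF
}

# Stand-alone demo: the hardened samples pass, the mis-ordered PAM file does not.
demo=$(mktemp -d)
write_samples "$demo"
audit_report "$demo/sshd_config" "$demo/common-auth.hardened" "$demo/sudo.good" "$demo/sudoers"
audit_report "$demo/sshd_config" "$demo/common-auth.hardened" "$demo/sudo.bad" "$demo/sudoers" || true
rm -rf "$demo"
```

To run the same checks on a real box, pass /etc/ssh/sshd_config, /etc/pam.d/common-auth, /etc/pam.d/sudo and /etc/sudoers to audit_report as root; the check for common-auth enforces Gilles's "no Unix password anywhere" setting, so drop it if you want the password fallback this answer keeps.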
  • On a related matter, there's pam_ssh, which allows you to use your SSH passphrase instead of the Unix one for login, automatically starting an agent and adding the key, thus providing you with a single sign-on possibility.
    – Tobias Kienzler, Jan 8 '13 at 9:43

Score: 0

Yes, it's incredibly insecure and also allows a user to access the other users' passwords, but since they have sudo, not much you can do.

Basically, you do the following:

    $ sudo -i

Now, we are root. We have access to everything.

    # passwd $username

$username can be anyone's username.

    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

Boom, password changed. Again, incredibly insecure because you can change anyone's, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.






  • looks good but can you elaborate on what's going on here?
    – cwd, Apr 30 '12 at 22:27

  • (score 3) It's not possible to do sudo -i without the current user's password.
    – kravemir, May 1 '12 at 19:51

  • @Miro. It is as you say. Still, a sudo bash could be passwordless given that setup in the /etc/sudoers file. I think @jrg is, as said, more focusing on the insecurity issue with sudo here
    – humanityANDpeace, Jan 8 '13 at 12:19

  • honestly, you don't have to do sudo -i, you can jump straight to sudo passwd $username @Miro, you don't need to know the current user password. You only need to know the root password to use sudo
    – Antony, Jan 6 '14 at 3:40





















Score: 0

The point of the password is to ensure that hackers who obtain a user's key, or find an unattended terminal can't gain root access. For this reason I wouldn't recommend any solution that involves passwordless sudo.



I suggest you keep it simple: perhaps email a user the default password with strict instructions to change it ASAP, or else insert a script in their .profile or .login or something such that it demands a new password on their first login. It could disable itself when completed, and you could use expect to enter the existing password so they never have to know it.







Score: 0

# Run as root.
useradd -g somegroup someuser
usermod -p "" someuser          # empty password field: the account has no usable password yet
chage -d 0 someuser             # last-change date 0 forces a password change at first login
# Turn off sshd's own password authentication (the file is /etc/ssh/sshd_config, not /etc/sshd/...)
sed -i "s/^.*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config
/sbin/service sshd restart
# Hand the new user a copy of root's ~/.ssh. This copies every file in it, any private
# keys included; copying only authorized_keys is the safer choice.
cp -r ~/.ssh ~someuser
chown -R someuser ~someuser/.ssh
chgrp -R somegroup ~someuser/.ssh
# Append the sudo rule. visudo would syntax-check it first; a malformed sudoers locks everyone out.
echo "%somegroup ALL=(ALL) ALL" >> /etc/sudoers

This should allow you to have users who can log in only using public keys and cannot use passwords for login. However, they will be forced to change the password the first time they log in... but without having to be told some dummy password up front... The users will simply be asked to reset the password, and subsequently they can use it only for sudo but will not be able to log in (ssh) using that password. Note that the trick here is not to have told users some dummy password which they would then be required to input at login time once they are required to change their password... In a nutshell, no communication from admin (root) to the actual user is required.

Hope that helps






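As an added example, not part of this answer: a shell helper that installs a single public key with the permissions sshd expects, instead of copying root's whole ~/.ssh directory as the procedure above does. The function names are hypothetical, the keys in the demo are constructed placeholders, and the home directory is passed explicitly so the functions can be exercised in a scratch directory without root; ownership is only changed when the script actually runs as root.

```shell
#!/bin/sh
# Added example: install one authorized key per user with a strict 0700/0600 layout.
# Helper names are hypothetical; the home directory is an explicit argument.

install_authorized_key() {  # install_authorized_key <home-dir> <pubkey-line> [owner[:group]]
    home=$1; key=$2; owner=${3:-}
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1               # sshd's StrictModes rejects looser dirs
    touch "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys" || return 1
    # Append only when this exact line is absent, so repeated (Chef-style) runs stay idempotent
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys" || return 1
    fi
    # Only root can hand the files to the user; skipped otherwise so the demo works unprivileged
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home/.ssh" || return 1
    fi
    return 0
}

# Number of key lines installed; blank lines and comments are not keys.
count_authorized_keys() {  # count_authorized_keys <home-dir>
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$f" || true     # grep exits 1 on a count of 0
}

# Succeeds when .ssh is exactly 0700 and authorized_keys exactly 0600, the
# conventional layout that satisfies sshd's StrictModes ownership/permission checks.
authorized_keys_strict() {  # authorized_keys_strict <home-dir>
    d=$1/.ssh
    [ -d "$d" ] && [ -f "$d/authorized_keys" ] || return 1
    [ -n "$(find "$d" -maxdepth 0 -perm 700)" ] || return 1
    [ -n "$(find "$d/authorized_keys" -maxdepth 0 -perm 600)" ] || return 1
}

# Stand-alone demo in a scratch directory with a constructed (non-functional) key.
demo=$(mktemp -d)
sample="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyOne someuser@example"
install_authorized_key "$demo" "$sample"
install_authorized_key "$demo" "$sample"           # second run is a no-op
echo "keys installed: $(count_authorized_keys "$demo")"
authorized_keys_strict "$demo" && echo "permissions: strict"
rm -rf "$demo"
```

On a real host the call would be install_authorized_key ~someuser "$(cat someuser.pub)" someuser:somegroup as root, which replaces the cp -r / chown -R / chgrp -R trio above without ever exposing root's private keys to the new account.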
(Attribution for the answer scored 18 above, beginning "Sudo, in its most common configuration": answered May 1 '12 at 1:15 by Gilles, edited Mar 28 '17 at 20:45.)




      544k12811071622













      • one convenient way of using PAM in combination with SSH key authentication is via pam_ssh_agent_auth, which has the advantage of replacing the password prompt by the (theoretically even more secure) key authentication SSH can use anyway

        – Tobias Kienzler
        Oct 23 '14 at 19:19













      • so you are saying sudo passwd would change the password for the current user, not for the sudo user?

        – still_dreaming_1
        Mar 28 '17 at 15:43






      • 1





        @still_dreaming_1 No, I'm saying that a user who can run commands with sudo can change their own password. The exact command doesn't really matter, but to go into more detail, it would be sudo passwd bob where bob is the user's name, or something equivalent. With no argument, sudo passwd would indeed change the password for root.

        – Gilles
        Mar 28 '17 at 20:47



















      7

      You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry

          auth       sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

      before the other auth (or include) entries in /etc/pam.d/sudo

      and

          Defaults    env_keep += "SSH_AUTH_SOCK"

      to /etc/sudoers (via visudo).

      Now every user can either authenticate to sudo via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c such that each sudo call will at least require some confirmation.

      answered Jan 8 '13 at 9:41
      Tobias Kienzler

      • On a related matter, there's pam_ssh, which allows you to use your SSH passphrase instead of the unix one for login, automatically starting an agent and adding the key - thus providing you with a single sign-on possibility.

        – Tobias Kienzler
        Jan 8 '13 at 9:43

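      The two configuration lines in this answer carry an ordering requirement that is easy to get wrong by hand: a "sufficient" entry only short-circuits the entries that follow it, so it has to be the first auth (or @include) line in /etc/pam.d/sudo, and a stray second copy lower down does nothing. The shell functions below are an added example, not code from the answer or from the pam_ssh_agent_auth project. They take file paths as parameters so they can be tried on scratch copies, and the function names (pam_line_is_first, ensure_pam_line, ensure_sudoers_envkeep) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the answer above: put the pam_ssh_agent_auth
# line ahead of every other auth/@include entry of a PAM service file and add
# the env_keep line to a sudoers file, both idempotently. File paths are
# parameters so the functions can run against scratch copies; the function
# names are this example's own.

PAM_LINE='auth       sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys'
SUDOERS_LINE='Defaults    env_keep += "SSH_AUTH_SOCK"'

# pam_line_is_first FILE: succeed when the first auth/@include entry is PAM_LINE.
# Order matters: "sufficient" only bypasses the entries that come after it.
pam_line_is_first() {
    first=$(awk '$1 == "auth" || $1 == "@include" { print; exit }' "$1")
    [ "$first" = "$PAM_LINE" ]
}

# ensure_pam_line FILE: insert PAM_LINE before the first auth/@include entry,
# removing any misplaced copy first; a no-op when it is already in front.
ensure_pam_line() {
    f=$1
    pam_line_is_first "$f" && return 0
    tmp=$(mktemp)
    grep -v -F -x -- "$PAM_LINE" "$f" > "$tmp" || true   # grep -v exits 1 if nothing remains
    awk -v line="$PAM_LINE" '
        !done && ($1 == "auth" || $1 == "@include") { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$tmp" > "$f"
    rm -f "$tmp"
}

# ensure_sudoers_envkeep FILE: append SUDOERS_LINE once. On a real host run
# "visudo -c -f FILE" afterwards: a syntax error in sudoers locks everyone out of sudo.
ensure_sudoers_envkeep() {
    grep -q -F -x -- "$SUDOERS_LINE" "$1" || printf '%s\n' "$SUDOERS_LINE" >> "$1"
}

# Stand-alone demo on scratch copies (constructed contents; no file under /etc is touched).
demo_dir=$(mktemp -d)
printf '#%%PAM-1.0\n@include common-auth\n@include common-account\n' > "$demo_dir/sudo"
printf 'Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n' > "$demo_dir/sudoers"
ensure_pam_line "$demo_dir/sudo"
ensure_pam_line "$demo_dir/sudo"            # second run changes nothing
ensure_sudoers_envkeep "$demo_dir/sudoers"
cat "$demo_dir/sudo" "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

      On a real host the calls would be ensure_pam_line /etc/pam.d/sudo and ensure_sudoers_envkeep /etc/sudoers followed by visudo -c; the demo at the bottom only touches files in a temporary directory.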










      0

      Yes, it's incredibly insecure and also allows a user to access the other users' passwords, but since they have sudo, not much you can do.

      Basically, you do the following:

          $ sudo -i

      Now, we are root. We have access to everything.

          # passwd $username

      $username can be anyone's username.

          Enter new UNIX password:
          Retype new UNIX password:
          passwd: password updated successfully

      Boom, password changed. Again, incredibly insecure because you can change anyone's, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.

      edited May 1 '12 at 11:26
      answered Apr 30 '12 at 16:08
      jrg

      • looks good but can you elaborate on what's going on here?

        – cwd
        Apr 30 '12 at 22:27

      • 3
        It's not possible to do sudo -i without current user password.

        – kravemir
        May 1 '12 at 19:51

      • @Miro. It is as you say. Still a sudo bash could be passwordless given it is set up so in the /etc/sudoers file. I think @jrg is as said more focusing on the insecurity issue with sudo here

        – humanityANDpeace
        Jan 8 '13 at 12:19

      • honestly, you don't have to do sudo -i, you can jump straight to sudo passwd $username @Miro, you don't need to know the current user password. You only need to know the root password to use sudo

        – Antony
        Jan 6 '14 at 3:40

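      This answer and Gilles's comment earlier on this page show the same thing: with unrestricted sudo, "change my own password" is also "change anyone's password". A narrower sudoers rule keeps the useful part without that side effect. It grants exactly one command line, passwd followed by the user's own name, and since passwd run by root does not ask for the current password, the user can set one without knowing it. The script below is an added example, not code from the answer or the comments; the helper names (valid_username, self_passwd_rule, write_self_passwd_rule) are its own, and /usr/bin/passwd is assumed to be where passwd lives on the target system.

```shell
#!/bin/sh
# Added example, not code from the answer or comments above: a sudoers rule
# that lets a user run "passwd <own name>" as root and nothing else. passwd
# does not ask root for the current password, so the user can set one without
# knowing it, while "sudo passwd" (root's password) and "sudo passwd otheruser"
# stay out of reach. Function names are this example's own; /usr/bin/passwd
# is an assumed path.

# valid_username NAME: accept only names that cannot alter sudoers syntax
# (whitespace, ',', ':', '#', '=' or '!' in a name would be parsed as grammar).
valid_username() {
    printf '%s' "$1" | grep -E -q '^[a-z_][a-z0-9_-]{0,31}$'
}

# self_passwd_rule NAME: print the one-line rule for NAME, fail on a bad name.
# sudoers matches command arguments exactly, so this permits "passwd NAME"
# only: not a bare "passwd", not "passwd -d NAME", not another user's name.
self_passwd_rule() {
    valid_username "$1" || { echo "self_passwd_rule: refusing username '$1'" >&2; return 1; }
    printf '%s ALL=(root) NOPASSWD: /usr/bin/passwd %s\n' "$1" "$1"
}

# write_self_passwd_rule NAME DIR: install the rule as DIR/NAME-passwd with
# the mode sudo expects for fragments (0440). On a real host DIR is
# /etc/sudoers.d and the fragment should pass "visudo -c -f DIR/NAME-passwd"
# before anyone relies on it.
write_self_passwd_rule() {
    rule=$(self_passwd_rule "$1") || return 1
    ( umask 077 && printf '%s\n' "$rule" > "$2/$1-passwd" )
    chmod 0440 "$2/$1-passwd"
}

# Stand-alone demo in a scratch directory (constructed input; /etc/sudoers.d is not touched).
demo_dir=$(mktemp -d)
write_self_passwd_rule bob "$demo_dir"
cat "$demo_dir/bob-passwd"
self_passwd_rule 'bob ALL' 2>/dev/null || echo 'rejected a name that would rewrite the rule'
rm -rf "$demo_dir"
```

      The username check is what makes the rule safe to generate from user-supplied data: sudoers is a grammar, and a name containing a space or a comma would turn the single rule into a different one.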












      0

      The point of the password is to ensure that hackers who obtain a user's key, or find an unattended terminal, can't gain root access. For this reason I wouldn't recommend any solution that involves passwordless sudo.

      I suggest you keep it simple: perhaps email a user the default password with strict instructions to change it ASAP, or else insert a script in their .profile or .login or something such that it demands a new password on their first login. It could disable itself when completed, and you could use expect to enter the existing password so they never have to know it.

      answered May 1 '12 at 19:04
      ams























      0

          #% useradd -g somegroup someuser
          # empty password field plus an expired password: the first login must set a new one
          #% usermod -p "" someuser
          #% chage -d 0 someuser
          # disable password logins over SSH, then restart the daemon
          #% sed -i "s/^.*PasswordAuthentication .*/PasswordAuthentication no/" /etc/ssh/sshd_config
          #% /sbin/service sshd restart
          # this copies everything in root's ~/.ssh, private keys included; authorized_keys alone is enough
          #% cp -r ~/.ssh `echo ~someuser`
          #% chown -R someuser `echo ~someuser`/.ssh
          #% chgrp -R somegroup `echo ~someuser`/.ssh
          # appending to /etc/sudoers skips the syntax check visudo would perform
          #% echo "%somegroup ALL=(ALL) ALL" >> /etc/sudoers

      This should allow you to have users who can log in only using public keys and cannot use passwords for login. However, he will be forced to change the password the first time he logs in, but without having to tell him some dummy password up front. The users will simply be asked to reset the password and subsequently they can use it only for sudo but will not be able to log in (ssh) using that password. Note that the trick here is not to have told users some dummy password which they would then be required to input at the time of login once they are required to change their password. In a nutshell, no communication from the admin (root) to the actual user is required.

      Hope that helps

      edited Feb 3 '14 at 17:59
      answered Jan 27 '14 at 20:01
      hardeep

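      The command list above mixes steps that need root on the real host (useradd, chage, the service restart) with two file edits that can be tested on copies: the sshd_config rewrite and the key installation. The script below is an added example, not code from the answer. It turns those two edits into idempotent functions (set_sshd_option and install_authorized_key, names of this example's own): the first keeps a single PasswordAuthentication directive where the answer's sed could leave several, and the second installs one public key instead of copying root's whole ~/.ssh. The sample key in it is constructed and not a real key.

```shell
#!/bin/sh
# Added example, not code from the answer above: the two root-free parts of
# the procedure as idempotent functions. set_sshd_option rewrites a directive
# in an sshd_config-style file; install_authorized_key installs one public key
# into a home directory. useradd and chage -d 0 need root and are left to the
# answer. File paths are parameters; function names and the sample key are
# this example's own.

# set_sshd_option FILE KEY VALUE: make "KEY VALUE" the only KEY line in FILE,
# at the position of the first existing (active or commented-out) one, else
# appended. Match blocks are not parsed: a directive inside one counts like
# any other, so review the result and run "sshd -t" before restarting sshd.
set_sshd_option() {
    f=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and a leading "#"
            split(line, w, /[ \t]+/)
            if (w[1] == key) {
                if (!done) { print key " " value; done = 1 }
                next                                # drop any further copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"            # keep FILE's owner and mode
    rm -f "$tmp"
}

# install_authorized_key HOME PUBKEY: create HOME/.ssh and authorized_keys
# with modes that sshd's StrictModes accepts (0700 / 0600) and add PUBKEY once.
# On a real host follow with chown -R user:group HOME/.ssh as the answer does.
install_authorized_key() {
    h=$1 pubkey=$2
    mkdir -p "$h/.ssh" && chmod 0700 "$h/.ssh"
    touch "$h/.ssh/authorized_keys" && chmod 0600 "$h/.ssh/authorized_keys"
    grep -q -F -x -- "$pubkey" "$h/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$h/.ssh/authorized_keys"
}

# Constructed sample key: not a real key, only shaped like one.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealxxxxxxxxxxxxxxxxxxxx someuser@laptop'

# Stand-alone demo on a scratch tree (constructed sshd_config; nothing under /etc is touched).
demo_dir=$(mktemp -d)
printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
set_sshd_option "$demo_dir/sshd_config" PasswordAuthentication no
install_authorized_key "$demo_dir/someuser" "$SAMPLE_KEY"
install_authorized_key "$demo_dir/someuser" "$SAMPLE_KEY"   # second call adds nothing
cat "$demo_dir/sshd_config" "$demo_dir/someuser/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

      Writing the result back with cat rather than mv keeps the original file's owner and mode, which matters for /etc/ssh/sshd_config; the demo only ever works in a temporary directory.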




























