Allowing user to change the password

santhosh23 · 04-29-2007, 03:06 AM

Hi,

For security reasons i have disabled the root login for ssh access,i would like create individual user accounts and allow the user to ssh with their account and then su to root so that i will have track who was logged at what time.i want the users to change their password when try first login through ssh.how do allow the user to change the password....please advise.

Thanks,
Santhosh

avallach · 04-29-2007, 03:40 AM

You said that they will have root privileges, because of su ... So they should be able to change their password and the root password too.

SlackDaemon · 04-29-2007, 03:48 AM

Plus if your users have root privileges, they will be able to edit sshd_config to re-allow direct access via the root account. So this defeats the purpose of forcing an su.
A better solution would be to allow execution of specific commands with sudo and keep root access for yourself.

Tinkster · 04-29-2007, 01:54 PM

I second the sudo motion. Much more sensible. And no, I don't
mean a passwordless sudo for ANY command like is common in some
currently very popular distro (/me coughs).

Cheers,
Tink

jschiwal · 04-29-2007, 03:21 PM

Using sudo will log each command run as root, not just log when a person logs into ssh. It is difficult to configure sudoers so that all back doors are plugged preventing something like "sudo su -". For example, if the user is allowed to edit config files, then they will need to run a program like vim. Vim has a shell escape unless you start it as rvim, which would prevent the shell escape. A lot depends on how well you can trust the other users. Also, you can control who can use sudo by only allowing members of the "wheel" group to use it. This would allow regular users to access there accounts via ssh.

Not allowing root ssh logins is a common security measure. I'd recommend doing it simply for the internet security benefit alone. If you only have a handful of users with ssh access, I'd also recommend using "Allow Users" in the /etc/ssh/sshd_config to restrict logins from those users. Also enforce good passwords on your host.
This will eliminate logins to system users that script kiddies try. Also, don't add common users names allowed in the "allow users" list, such as bob or mike or the most common "God".

reverse · 04-30-2007, 12:50 AM

So I suppose the question is: Do your users need to be able to "su -" ?

santhosh23 · 04-30-2007, 01:01 AM

Hi,

I am sorry my mistake,i couldn't convey my issue correctly.By default i have root login for ssh access,i have disabled it in /etc/ssh/sshd_config ,i have create individual accounts for the users with default password,i want the users to change the password when they ssh for the first time and how do i give permission for a user to ssh access.Kindly advise

Thanks,
Santhosh

Micro420 · 04-30-2007, 01:32 AM

Code:

passwd -e username

Code:

vi /etc/ssh/sshd_config

AllowUsers username1 username2@192.168.1.2 username3@microsoft.com

reverse · 04-30-2007, 04:11 AM

Your users do not need access to the root account in order to be able to change THEIR passwords.

jschiwal · 05-01-2007, 03:36 AM

Technically, the "password" program is a suid program. However, it checks the real UID of the user to determine whether it is OK to change other users passwords. It is an suid program because altering /etc/passwd requires root permissions.

reverse · 05-01-2007, 05:40 AM

@ jschiwal: I'm not sure if that was destined to me. By "access to the root account" I meant being able to log in as root. I did not consider suid binaries owned by root to be "access to the root account".

jschiwal · 05-02-2007, 12:36 AM

I was just explaining how it works and why you don't need to be root to change your own password.