Originally Posted by slufoot80
Well, they could log in via ssh or sftp, so I want them to change their own password, i.e.
1) they forgot their password, then they can make a request to change it, get a webpage link, click on it and change their password without any interaction from me, and it will delete it and get the password from "/dev/urandom", set it and display it back to them securely, but also I want it logged somewhere, or maybe some kind of approval, maybe from help desk
If approval from help desk is required (not unreasonable), then why use a web page other than to generate a random string?
So how are you going to authenticate the web page? And you do get the irony of "display it back to them securely", right? A displayed password is not a secure password.
And practice shows that random passwords will get written down.
Also, if you have a number of remote users, why not use Kerberos? Then you can specifically authorize the user support personnel with the ability to change passwords. You also get the advantage that no passwords ever cross the network (other than when specifically changing the password - and that only happens between the user/help desk and the KDC).