LinuxQuestions.org - Linux - Security - changing passwords - is there any decent way out? (http://www.linuxquestions.org/questions/linux-security-4/changing-passwords-is-there-any-decent-way-out-846328/)

neel_learning_linux 11-24-2010 02:09 PM

changing passwords - is there any decent way out?
 
Hello,

Here is what I want to do:
- I want to create\update Linux system users over the web. That involves changing the passwords.
- Worst part: I need to use some password policy.

Here is what I have done so far:

- useradd\usermod - the -p option works (useradd\usermod -p `perl -e 'print crypt(<password>, "salt")'` <username>)
Problems:
--- only works when running commands in context of root. For other users, it gives, unable to lock password file.
--- does NOT care about ANY password policy - is there a way you can make it consider password policy (number of passwords to remember\password complexity)?

- passwd - if the one you have is without --stdin option then the only way is try with python\perl Expect modules but the output is too irregular for it to understand. Is there a way to install passwd with "--stdin" on debian?

- PAM - PAM supposedly does not set the password. So you have pam_authenticate but nothing that will set the password, and I am not sure it will consider password policy.

- Shadow suite - the Shadow suite has setspent, but again I do not believe it will consider password policy.

Please let me know if any of the above or other options let you change the password of the user as a root AND STILL APPLY password policy.

Thanks in advance,
-Neel.

neonsignal 11-24-2010 04:22 PM

The pam_cracklib plugin can be used in combination with passwd for strength checking.

neel_learning_linux 11-24-2010 05:19 PM

Yes, I am already using that. The reason why it is not useful is because it's near impossible to run passwd non-interactively and get any work done, because Debian passwd does not have a --stdin option. Because of that, I can either a) somehow run passwd through a script like the Python pexpect module or b) check all these things through my own program. The disadvantage of the latter is that I will be writing my own passwd that would use pam_cracklib. In fact I did try finding out whether there is some documentation about which function to dlsym() from pam_cracklib, but I couldn't find any.

I was wondering whether anyone has a more elegant solution.

Thanks again,
-Neel.

neonsignal 11-24-2010 05:27 PM

Quote:

Originally Posted by neel_learning_linux (Post 4170021)
it's near impossible to run passwd non-interactively and get any work done because debian passwd does not have --stdin option

You could use chpasswd with pam_cracklib then. If you are going to use it non-interactively, then you'll have to check for errors afterwards.
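The non-interactive route suggested here, as an added example that is not code from either poster: chpasswd reads "user:password" lines on stdin, so a web back end running as root can pipe one line in and inspect the exit status and stderr instead of scraping an interactive prompt. The chpasswd path is an assumption, and the command is a parameter only so the wrapper can be exercised against a stand-in command.

```python
"""Added example: drive chpasswd non-interactively and check the result."""
import subprocess

# Assumed location of chpasswd on Debian; adjust for other distributions.
DEFAULT_CHPASSWD = ("/usr/sbin/chpasswd",)


def set_password(username, new_password, chpasswd_cmd=DEFAULT_CHPASSWD):
    """Feed one 'user:password' line to chpasswd on stdin.

    Must run with root privileges for the real chpasswd. Returns a tuple
    (ok, message). If a PAM policy module such as pam_cracklib rejects the
    password, chpasswd exits non-zero and prints the reason on stderr, which
    is what the caller has to check afterwards.
    """
    # chpasswd splits on the first ':' and on newlines; a user name containing
    # either, or a password containing a newline, would be parsed as a
    # different request, so refuse those inputs up front.
    if ":" in username or "\n" in username or "\n" in new_password:
        return False, "username/password contains characters chpasswd cannot parse"

    proc = subprocess.run(
        list(chpasswd_cmd),
        input=f"{username}:{new_password}\n",  # never put the password in argv
        capture_output=True,
        text=True,
    )
    if proc.returncode != 0:
        detail = proc.stderr.strip() or f"chpasswd exited with status {proc.returncode}"
        return False, detail
    return True, "password updated"


if __name__ == "__main__":
    # Real use (as root): set_password("alice", "correct horse battery staple")
    ok, msg = set_password("alice", "example-only", chpasswd_cmd=("sh", "-c", "cat >/dev/null"))
    print(ok, msg)
```

The password goes through stdin rather than the argument list so it never shows up in `ps` output or shell history, and the caller gets the PAM rejection text back as the message.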

neel_learning_linux 11-25-2010 11:07 AM

Nope, chpasswd does not care about password policy when run from root and it cannot be run from non-root context!

tanveer 11-25-2010 05:30 PM

To change password from web you can try
http://sarg.sourceforge.net/chetcpasswd.php
I am not sure though whether it preserves the policy in effect.

neonsignal 11-25-2010 06:10 PM

Quote:

Originally Posted by neel_learning_linux (Post 4170901)
chpasswd does not care about password policy when run from root

If you are using pam-cracklib as suggested, you need to have a pam policy line (depending on distro, in /etc/pam.d/common-password or in /etc/pam.d/system-auth). It will look something like this:
Code:

password required pam_cracklib.so retry=3 minlen=8 difok=3

Both passwd and chpasswd are constrained by this authorization check (I have tested this on a Debian system, but it is similar on most distros).

Quote:

and it cannot be run from non-root context!
Technically it can (/usr/sbin/chpasswd), but since it doesn't have authorization to change the password file, it can't do anything useful! But it is intended as a tool for batch changing passwords from root, not for users.
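To make the three parameters on that pam_cracklib line concrete, here is an added example (not from the thread and not pam_cracklib's own code) that models them in a simplified way: `minlen` as a plain length floor (ignoring cracklib's credit system), `difok` as the edit distance between old and new password (the idea behind pam_cracklib's distdifferent check), plus the simplest similarity rejections, and `retry` as the number of candidates passwd would prompt for. A web front end could run this before calling chpasswd to give a better error message; PAM still enforces the real policy, including the dictionary check this model leaves out.

```python
"""Added example: a simplified local model of
   password required pam_cracklib.so retry=3 minlen=8 difok=3
This is an approximation of pam_cracklib's checks, not a replacement for it."""


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_policy(new, old=None, minlen=8, difok=3):
    """Return the list of reasons `new` fails the policy; empty means it passes.

    minlen: minimum length (cracklib's credits for character classes ignored).
    difok:  at least this many edits must separate the new password from the
            old one, so small tweaks of the old password are rejected.
    The real module also runs the cracklib dictionary check, omitted here.
    """
    problems = []
    if len(new) < minlen:
        problems.append(f"shorter than minlen={minlen}")
    if old is not None:
        if new == old:
            problems.append("unchanged")
        else:
            if new.lower() == old.lower() or new == old[::-1]:
                problems.append("is the old password with case changed or reversed")
            if edit_distance(old, new) < difok:
                problems.append(f"fewer than difok={difok} edits away from the old password")
    return problems


def attempt_change(candidates, old, retry=3, **policy):
    """Emulate retry=N: passwd re-prompts up to `retry` times, so consider at
    most that many candidates and return the first acceptable one, or None."""
    for new in candidates[:retry]:
        if not check_policy(new, old, **policy):
            return new
    return None


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    print(check_policy("Correcthorse", old="correcthorse"))
    print(attempt_change(["short", "correcthorse"], old="oldpassword1"))
```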

Matir 11-29-2010 09:34 PM

Whatever program you use will need to be setuid root if you want it called as a user. Might as well just use "passwd". This WILL respect PAM and will work when run as a user.
