Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Here is what I want to do:
- I want to create/update Linux system users over the web. That involves changing the passwords.
- Worst part: I need to use some password policy.
Here is what I have done so far:
- useradd/usermod - the -p option works (useradd/usermod -p `perl -e 'print crypt(<password>, "salt")'` <username>)
Problems:
--- only works when running the commands in the context of root. For other users it gives "unable to lock password file".
--- does NOT care about ANY password policy - is there a way you can make it consider the password policy (number of passwords to remember / password complexity)?
- passwd - if the one you have is without the --stdin option, then the only way is to try with Python/Perl Expect modules, but the output is too irregular for them to understand. Is there a way to install passwd with "--stdin" on Debian?
- PAM - PAM supposedly does not set passwords. So you have pam_authenticate but nothing that will set a password, and I am not sure it will consider the password policy.
- Shadow suite - the shadow suite has setspent, but again I do not believe it will consider the password policy.
Please let me know if any of the above or other options let you change the password of the user as a root AND STILL APPLY password policy.
Yes, I am already using that. The reason why it is not useful is that it's near impossible to run passwd non-interactively and get any work done, because Debian's passwd does not have the --stdin option. Because of that, I can either a) somehow run passwd through a script like the Python pexpect module or b) check all these things through my own program. The disadvantage of the latter is that I will be writing my own passwd that would use pam_cracklib. In fact I did try to find out whether there is some documentation about which function to dlsym() from pam_cracklib, but I couldn't find any.
I was wondering whether anyone has more elegant solution.
chpasswd does not care about password policy when run from root.
If you are using pam_cracklib as suggested, you need to have a PAM policy line (depending on the distro, in /etc/pam.d/common-password or in /etc/pam.d/system-auth). It will look something like this:
Both passwd and chpasswd are constrained by this authorization check (I have tested this on a Debian system, but it is similar on most distros).
Quote: "and it cannot be run from non-root context!"
Technically it can (/usr/sbin/chpasswd), but since it doesn't have authorization to change the password file, it can't do anything useful! But it is intended as a tool for batch changing passwords from root, not for users.
Whatever program you use will need to be setuid root if you want it called as a user. Might as well just use "passwd". This WILL respect PAM and will work when run as a user.
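The advice above (go through passwd/chpasswd so the PAM password stack runs, and note that root-driven changes are where the policy slips) in working form, as an added example that is not the thread's own code and not PAM itself. check_policy() approximates the documented minlen/credit, difok, palindrome and user-name rules of pam_cracklib; PasswordHistory approximates the remember= list pam_unix keeps in /etc/security/opasswd (with salted PBKDF2 standing in for crypt(3) hashes); set_password() feeds a "user:password" line to chpasswd on stdin, which is how to avoid passwd's missing --stdin on Debian. It assumes a password line such as `password requisite pam_cracklib.so minlen=9 difok=5 enforce_for_root` in /etc/pam.d/common-password: without enforce_for_root, pam_cracklib only prints a warning when root changes a password, which is why a root-run chpasswd appears to ignore the policy. The function names are illustrative, not any library's API.

```python
"""Password policy checks plus a non-interactive, PAM-aware password change.

Added example for the thread above, not its code and not PAM.  Assumed PAM
line (not on the page):
    password requisite pam_cracklib.so minlen=9 difok=5 enforce_for_root
set_password() needs root and a PAM-built chpasswd (Debian ships one, with
/etc/pam.d/chpasswd including common-password).
"""
import hashlib
import os
import subprocess


def _credit(count, credit):
    """pam_cracklib credit rule: credit >= 0 adds up to `credit` to the
    effective length; credit < 0 means 'at least -credit of this class'.
    Returns (bonus, error_or_None)."""
    if credit >= 0:
        return min(count, credit), None
    if count < -credit:
        return 0, "needs at least %d from this class" % -credit
    return 0, None


def check_policy(new, old="", username="", minlen=9, dcredit=1, ucredit=1,
                 lcredit=1, ocredit=1, difok=5):
    """Return a list of violations (empty list means the password is acceptable).
    Approximates pam_cracklib's checks; the cracklib dictionary check is not
    reproduced here."""
    problems = []
    classes = {
        "digit": (sum(c.isdigit() for c in new), dcredit),
        "upper": (sum(c.isupper() for c in new), ucredit),
        "lower": (sum(c.islower() for c in new), lcredit),
        "other": (sum(not c.isalnum() for c in new), ocredit),
    }
    size = len(new)
    for name, (count, credit) in classes.items():
        bonus, err = _credit(count, credit)
        size += bonus
        if err:
            problems.append("%s: %s" % (name, err))
    if size < minlen:
        problems.append("is too simple (effective length %d < %d)" % (size, minlen))
    if len(new) > 1 and new == new[::-1]:
        problems.append("is a palindrome")
    low_user = username.lower()
    if username and (low_user in new.lower() or low_user[::-1] in new.lower()):
        problems.append("contains the user name")
    if old:
        if new.lower() == old.lower():
            problems.append("is only a case change of the old password")
        changed = sum(1 for c in new if c not in old)  # difok-style comparison
        if changed < difok:
            problems.append("too similar to the old password (%d < %d new characters)"
                            % (changed, difok))
    return problems


class PasswordHistory:
    """Keep the last `remember` hashes and refuse reuse (pam_unix remember=)."""

    def __init__(self, remember=5):
        self.remember = remember
        self._entries = []  # (salt, digest), oldest first

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def seen(self, password):
        return any(self._hash(password, s) == d for s, d in self._entries)

    def add(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(password, salt)))
        self._entries = self._entries[-self.remember:] if self.remember else []


def set_password(user, password):
    """Set `user`'s password as root without passwd --stdin: chpasswd reads
    'user:password' lines on stdin and runs the PAM password stack.  Because
    pam_cracklib merely warns root unless enforce_for_root is set, the policy
    is checked here first as well."""
    if ":" in user or "\n" in user or "\n" in password:
        raise ValueError("user/password would break the user:password line")
    problems = check_policy(password, username=user)
    if problems:
        raise ValueError("policy: " + "; ".join(problems))
    subprocess.run(["chpasswd"], input="%s:%s\n" % (user, password),
                   text=True, check=True)


if __name__ == "__main__":
    import getpass
    import sys
    if os.geteuid() != 0:
        sys.exit("chpasswd needs root")
    set_password(sys.argv[1], getpass.getpass("new password: "))
```

Run it as root with the target user name as the only argument; the password is read from the terminal rather than argv so it does not show up in ps. Keep in mind that the setuid route the post recommends (plain passwd run by the user) is still the only one that lets an unprivileged caller change a password with the policy enforced; this script is the root-side batch case.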