changing passwords

neel_learning_linux · 11-24-2010, 01:09 PM

Hello,

Here is what I want to do:
- I want to create\update Linux system users over the web. That involves changing the passwords.
- Worse part: I need to use some password policy.

Here is what I have done so far:

- useradd\usermod - the -p option works (useradd\usermod -p `perl -e 'print crypt(<password>, "salt")'` <username>
Problems:
--- only works when running commands in context of root. For other users, it gives, unable to lock password file.
--- does NOT care about ANY password policy - is there a way you can make it consider password policy (number of passwords to remember\password complexity)?

- passwd - if the one you have is without --stdin option then the only way is try with python\perl Expect modules but the output is too irregular for it to understand. Is there a way to install passwd with "--stdin" on debian?

-PAM - PAM supposedly does not set password. So you have pam_authenticate but nothing that will set password and I am not sure it will consider password policy

-Shadow suite - Shadow suite has setspent but again I do not believe it will consider password policy.

Please let me know if any of the above or other options let you change the password of the user as a root AND STILL APPLY password policy.

Thanks in advance,
-Neel.

neonsignal · 11-24-2010, 03:22 PM

The pam_cracklib plugin can be used in combination with passwd for strength checking.

neel_learning_linux · 11-24-2010, 04:19 PM

yes, I am already using that. The reason why it is not useful is because it's near impossible to run passwd non-interactively and get any work done because debian passwd does not have --stdin option. Because of that, I can either a) somehow run passwd through script like python pexpect module or b) check this all things through my own program. The disadvantage of the latter is that I will be writing my own passwd that would use pam_cracklib. In fact I did try finding out whether there is some documentation about which function to dlsym() from pam_cracklib but I couldn't find any.

I was wondering whether anyone has more elegant solution.

Thanks again,
-Neel.

neonsignal · 11-24-2010, 04:27 PM

Quote:

Originally Posted by neel_learning_linux

it's near impossible to run passwd non-interactively and get any work done because debian passwd does not have --stdin option

You could use chpasswd with pam_cracklib then. If you are going to use it non-interactively, then you'll have to check for errors afterwards.

neel_learning_linux · 11-25-2010, 10:07 AM

Nope, chpasswd does not care about password policy when run from root and it cannot be run from non-root context!

tanveer · 11-25-2010, 04:30 PM

To change password from web you can try
http://sarg.sourceforge.net/chetcpasswd.php
I am not sure though whether it preserves the policy in effect.

neonsignal · 11-25-2010, 05:10 PM

Quote:

Originally Posted by neel_learning_linux

chpasswd does not care about password policy when run from root

If you are using pam-cracklib as suggested, you need to have a pam policy line (depending on distro, in /etc/pam.d/common-password or in /etc/pam.d/system-auth). It will look something like this:

Code:

password required pam_cracklib.so retry=3 minlen=8 difok=3

Both passwd and chpasswd are constrained by this authorization check (I have tested this on a Debian system, but it is similar on most distros).

Quote:

and it cannot be run from non-root context!

Technically it can (/usr/sbin/chpasswd), but since it doesn't have authorization to change the password file, it can't do anything useful! But it is intended as a tool for batch changing passwords from root, not for users.

Matir · 11-29-2010, 08:34 PM

Whatever program you use will need to be setuid root if you want it called as a user. Might as well just use "passwd". This WILL respect PAM and will work when run as a user.