LinuxQuestions.org
Old 11-24-2010, 01:09 PM   #1
neel_learning_linux
LQ Newbie
 
Registered: May 2008
Posts: 13

Rep: Reputation: 0
changing passwords - is there any decent way out?


Hello,

Here is what I want to do:
- I want to create\update Linux system users over the web. That involves changing the passwords.
- Worse part: I need to use some password policy.

Here is what I have done so far:

- useradd\usermod - the -p option works (useradd\usermod -p `perl -e 'print crypt(<password>, "salt")'` <username>)
Problems:
--- only works when running commands in context of root. For other users, it gives, unable to lock password file.
--- does NOT care about ANY password policy - is there a way you can make it consider password policy (number of passwords to remember\password complexity)?

- passwd - if the one you have is without the --stdin option then the only way is to try with python\perl Expect modules, but the output is too irregular for it to understand. Is there a way to install passwd with "--stdin" on debian?

-PAM - PAM supposedly does not set password. So you have pam_authenticate but nothing that will set password and I am not sure it will consider password policy

-Shadow suite - Shadow suite has setspent but again I do not believe it will consider password policy.

Please let me know if any of the above or other options let you change the password of the user as a root AND STILL APPLY password policy.

Thanks in advance,
-Neel.
 
Old 11-24-2010, 03:22 PM   #2
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,363
Blog Entries: 52

Rep: Reputation: 353
The pam_cracklib plugin can be used in combination with passwd for strength checking.
 
Old 11-24-2010, 04:19 PM   #3
neel_learning_linux
LQ Newbie
 
Registered: May 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Yes, I am already using that. The reason why it is not useful is because it's near impossible to run passwd non-interactively and get any work done because debian passwd does not have --stdin option. Because of that, I can either a) somehow run passwd through a script like the python pexpect module or b) check all these things through my own program. The disadvantage of the latter is that I will be writing my own passwd that would use pam_cracklib. In fact I did try finding out whether there is some documentation about which function to dlsym() from pam_cracklib but I couldn't find any.

I was wondering whether anyone has a more elegant solution.

Thanks again,
-Neel.
 
Old 11-24-2010, 04:27 PM   #4
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,363
Blog Entries: 52

Rep: Reputation: 353
Quote:
Originally Posted by neel_learning_linux
it's near impossible to run passwd non-interactively and get any work done because debian passwd does not have --stdin option
You could use chpasswd with pam_cracklib then. If you are going to use it non-interactively, then you'll have to check for errors afterwards.
 
Old 11-25-2010, 10:07 AM   #5
neel_learning_linux
LQ Newbie
 
Registered: May 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Nope, chpasswd does not care about password policy when run from root and it cannot be run from non-root context!
 
Old 11-25-2010, 04:30 PM   #6
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 489

Rep: Reputation: 37
To change password from web you can try
http://sarg.sourceforge.net/chetcpasswd.php
I am not sure though whether it preserves the policy in effect.
 
Old 11-25-2010, 05:10 PM   #7
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,363
Blog Entries: 52

Rep: Reputation: 353
Quote:
Originally Posted by neel_learning_linux
chpasswd does not care about password policy when run from root
If you are using pam-cracklib as suggested, you need to have a pam policy line (depending on distro, in /etc/pam.d/common-password or in /etc/pam.d/system-auth). It will look something like this:
Code:
password required pam_cracklib.so retry=3 minlen=8 difok=3
Both passwd and chpasswd are constrained by this authorization check (I have tested this on a Debian system, but it is similar on most distros).

Quote:
and it cannot be run from non-root context!
Technically it can (/usr/sbin/chpasswd), but since it doesn't have authorization to change the password file, it can't do anything useful! But it is intended as a tool for batch changing passwords from root, not for users.
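
The non-interactive chpasswd route discussed in posts #4 and #7, as an added example that is not part of the original thread: a root-side helper a web backend could call, which feeds one `user:password` record to /usr/sbin/chpasswd on stdin and turns a non-zero exit into an error the caller must handle. The function names, the username pattern and the 30-second timeout are assumptions, and a refusal by the PAM password stack is assumed to surface as a non-zero exit status.

```python
import re
import subprocess

# Assumption: a conservative Debian-style login-name pattern (no ':' allowed).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class PasswordChangeError(Exception):
    """chpasswd exited non-zero (e.g. the PAM password stack refused)."""


def chpasswd_record(username: str, password: str) -> bytes:
    """Build the single 'user:password' line that chpasswd reads on stdin."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # chpasswd takes one record per line, so a CR/LF inside a web-supplied
    # password would begin a second record for some other account.
    if not password or any(c in password for c in "\r\n\x00"):
        raise ValueError("password is empty or contains a line break/NUL")
    return f"{username}:{password}\n".encode("utf-8")


def change_password(username, password, cmd=("/usr/sbin/chpasswd",)):
    """Run chpasswd (as root) for one user and raise if it reports failure."""
    record = chpasswd_record(username, password)
    # argv list + stdin: no shell is involved and the password never
    # appears on a command line visible in the process list.
    proc = subprocess.run(list(cmd), input=record,
                          capture_output=True, timeout=30)
    if proc.returncode != 0:
        detail = proc.stderr.decode("utf-8", "replace").strip()
        raise PasswordChangeError(detail or f"exit status {proc.returncode}")
```

Unlike the `useradd -p` approach from the first post, nothing here hashes the password with a fixed salt or places it in a command's arguments; hashing is left to chpasswd and the system's configuration.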
 
Old 11-29-2010, 08:34 PM   #8
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 116
Whatever program you use will need to be setuid root if you want it called as a user. Might as well just use "passwd". This WILL respect PAM and will work when run as a user.
 
  

