Here is what I want to do:
- I want to create\update Linux system users over the web. That involves changing the passwords.
- Worse part: I need to use some password policy.
Here is what I have done so far:
- useradd\usermod - the -p option works (useradd\usermod -p `perl -e 'print crypt(<password>, "salt")'` <username>)
--- only works when running commands in context of root. For other users, it gives, unable to lock password file.
--- does NOT care about ANY password policy - is there a way you can make it consider password policy (number of passwords to remember\password complexity)?
- passwd - if the one you have is without the --stdin option, then the only way is to try with python\perl Expect modules, but the output is too irregular for it to understand. Is there a way to install passwd with "--stdin" on Debian?
- PAM - PAM supposedly does not set passwords. So you have pam_authenticate but nothing that will set a password, and I am not sure it will consider password policy.
- Shadow suite - Shadow suite has setspent, but again I do not believe it will consider password policy.
Please let me know if any of the above or other options let you change the password of the user as a root AND STILL APPLY password policy.
Yes, I am already using that. The reason why it is not useful is that it's nearly impossible to run passwd non-interactively and get any work done, because Debian passwd does not have the --stdin option. Because of that, I can either a) somehow run passwd through a script, like the python pexpect module, or b) check all these things through my own program. The disadvantage of the latter is that I will be writing my own passwd that would use pam_cracklib. In fact I did try finding out whether there is some documentation about which function to dlsym() from pam_cracklib, but I couldn't find any.
I was wondering whether anyone has a more elegant solution.
Both passwd and chpasswd are constrained by this authorization check (I have tested this on a Debian system, but it is similar on most distros).
and it cannot be run from non-root context!
Technically it can (/usr/sbin/chpasswd), but since it doesn't have authorization to change the password file, it can't do anything useful! But it is intended as a tool for batch changing passwords from root, not for users.
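An added example, not part of the thread: one way to combine option b) above (checking policy in your own program) with chpasswd run from a root-owned helper. The policy values, the PBKDF2 history store and all function names are assumptions made for illustration. The password goes to chpasswd on stdin rather than on the command line, and line breaks or colons that would let web input smuggle in a second `user:password` record are rejected.

```python
import hashlib, hmac, os, re, subprocess

MIN_LEN, REMEMBER = 12, 5      # assumed policy values, not taken from the thread
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # assumed user name format

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def remember(history, password):
    """Append a salted digest and keep only the last REMEMBER entries."""
    salt = os.urandom(16)
    return (history + [(salt, _digest(password, salt))])[-REMEMBER:]

def policy_errors(user, password, history):
    """Return the list of policy violations; an empty list means acceptable."""
    errors = []
    if len(password) < MIN_LEN:
        errors.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        errors.append("needs 3 of: lower, upper, digit, symbol")
    if user.lower() in password.lower():
        errors.append("contains the user name")
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in history):
        errors.append("reused password")
    return errors

def chpasswd_input(user, password):
    """Build the single 'user:password' line that chpasswd reads on stdin."""
    if not USER_RE.fullmatch(user):        # also blocks ':' and line breaks
        raise ValueError("invalid user name")
    if "\n" in password or "\r" in password:
        raise ValueError("password must not contain a line break")
    return f"{user}:{password}\n".encode()

def set_password(user, password, history):
    """Check policy, then hand the password to chpasswd (must run as root)."""
    errors = policy_errors(user, password, history)
    if errors:
        raise ValueError("; ".join(errors))
    subprocess.run(["/usr/sbin/chpasswd"],
                   input=chpasswd_input(user, password), check=True)
    return remember(history, password)     # caller stores the updated history
```
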