Re: Avoid changing password

"int" <alefor@xxxxxxxxx> writes:

Unruh writes:

"int" <alefor@xxxxxxxxx> writes:
some users on my Linux systems must not change their password.
Weird. Usually people want users to change their passwords. Is this because
you want to share their passwords around? Bad idea. Maybe if you told us
what you want to accomplish by this strange idea we could give better ways
of accomplishing it.

Yes I know. It's bad, weird, scrap ... but it's not my choice.

"... It wasn't my fault ..." (The Blues Brothers).

The systems are offline and the password is shared between users; the same
account is used by more people, and for this reason I need to deny
password changes. Sorry.
Please, don't speculate about the reasons for this.

I am not speculating, I am trying to see if suggestions can be made to
improve the situation.

a) many users can share a uid. Each can have their own password. This would
make them all equivalent as far as the system is concerned but they could
have their own passwords which they may be able to better memorize. The
main problem is that of course that account is then only as strong as the
weakest password. But with people sharing the password that is not a
problem, since the insecurity elsewhere is far greater.

b) have people log on as themselves using their own account and password.
Then they ssh into the common account using rsa/dsa public key access.

If the below is an accurate reflection of what is in the pam files, it is a
mess -- totally inappropriate line breaks. If it is a posting error, please
make sure what you post is an accurate reflection of what is in those
files, or help will be very hard to get.

Yes, it was a posting error. I cut and pasted but didn't pay too much
attention afterwards.
The first line is the only one I added to the Red Hat EL3 defaults.
I don't know anything about PAM; it's my first attempt, and I only started
reading about it today.

I'll provide a new post with correct line breaks next time I access one
of those systems.

And what is "requisite" supposed to mean? Did you mean "required"

As I understood it, "required" wants all modules to get processed and all of
them to return ok.
"requisite" is the same, but if a module fails, the succeeding ones are not
processed.
Is this right? It should be like having or not having logical shortcuts in a
C expression like a & b & c & ... .

I have never seen the requisite command. And have not seen it looking
through the pam documentation.

Also you said that that list was required for authentication. Not for
password.

Well... as I understood it, in /usr/bin/passwd the auth step plays the role
of asking for the current password. For this reason I thought I would block
the auth step first, without going on to ask for a new password.

But a non-PAM solution, if one exists, would be appreciated too ...

You could always just remove passwd (or make it usable only by root) or
make it runnable only by a group which does not include the accounts in
question.

/etc/group (fields are name:password:GID:members; pick a free GID for the
placeholder):

passwdallow:*:<gid>:able,baker,eddy,gamma

and chgrp passwdallow /bin/passwd
chmod o-rwx /bin/passwd
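As an added illustration, not part of this thread: a small Python simulation of how Linux-PAM walks a module stack under the "required", "requisite" and "sufficient" control flags discussed above. The stacks, module outcomes and the group name nopasswdchange are constructed for the example; pam_succeed_if is assumed to fail for members of that group.

```python
from typing import Dict, List, Tuple

# A stack entry is (control flag, module name) in the order PAM reads them
# from the service file. Module outcomes are constructed and supplied as a
# dict name -> bool (True stands for PAM_SUCCESS); no real module is called.
Stack = List[Tuple[str, str]]
Results = Dict[str, bool]

def run_stack(stack: Stack, results: Results) -> Tuple[bool, List[str]]:
    """Evaluate a PAM stack; return (overall success, modules executed)."""
    executed: List[str] = []
    required_failed = False            # a "required" module failed earlier
    for control, module in stack:
        executed.append(module)
        ok = results[module]
        if control == "required":
            if not ok:
                required_failed = True # noted, but the stack keeps running
        elif control == "requisite":
            if not ok:
                return False, executed # stop at once, like && in C
        elif control == "sufficient":
            if ok and not required_failed:
                return True, executed  # success decided, rest is skipped
        else:
            raise ValueError(f"unsupported control flag: {control!r}")
    return not required_failed, executed

# Constructed "password" stacks in the spirit of /etc/pam.d/passwd. GATE
# stands for "pam_succeed_if.so user notingroup nopasswdchange" (hypothetical
# group) and is assumed to fail for members of that group.
GATE = "pam_succeed_if"
REQUISITE_STACK: Stack = [("requisite", GATE),
                          ("required", "pam_cracklib"),
                          ("required", "pam_unix")]
REQUIRED_STACK: Stack = [("required", GATE),
                         ("required", "pam_cracklib"),
                         ("required", "pam_unix")]
BLOCKED_USER: Results = {GATE: False, "pam_cracklib": True, "pam_unix": True}
ALLOWED_USER: Results = {GATE: True, "pam_cracklib": True, "pam_unix": True}

if __name__ == "__main__":
    # With "requisite" the gate stops the stack before pam_cracklib and
    # pam_unix run, so a blocked user is never prompted for a new password;
    # with "required" both still run and the change is refused only at the end.
    for name, stack in (("requisite", REQUISITE_STACK), ("required", REQUIRED_STACK)):
        ok, ran = run_stack(stack, BLOCKED_USER)
        print(f"{name}: success={ok}, modules run={ran}")
```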