Re: Forcing new password at login (w/o requiring an old password) (sudo related)
From: Darren Dunham (ddunham_at_redwood.taos.com)
Date: 08/22/05
- Previous message: Andrew Gideon: "Forcing new password at login (w/o requiring an old password) (sudo related)"
- In reply to: Andrew Gideon: "Forcing new password at login (w/o requiring an old password) (sudo related)"
- Next in thread: all mail refused: "Re: Forcing new password at login (w/o requiring an old password) (sudo related)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Aug 2005 19:38:49 GMT
Andrew Gideon <c182driver@gideon.org> wrote:
> The solution I envision is, upon the first login (done via the key pair,
> recall), the user is required to enter a password. This becomes the new
> password, and is ultimately used for sudo's authentication.

If they're sending you a SSH key, I suppose they could send you a system
password encoding also. That's two things to send instead of one, but
it's one way.

> How can I force the need to provide the password? Password aging-based
> techniques get close, but I cannot quite get the entire way. I can warn,
> but I cannot force (unless you include eventually locking the account as
> "forcing" {8^).
> Then there's the matter of getting the 'passwd' command to work w/o having
> the previous password. If I set a blank password, this works. But while
> the password is blank, the user can sudo w/o additional authentication even
> if sudo is supposed to be prompting for a password. There may be other
> consequences of a blank password that would be unfortunate.
> I feel like there's some simple twist to this that I'm missing which would
> make this all just fall into place. Can anyone suggest what I'm
> missing?

I might have a script that would call 'passwd', then verify the stored
password is no longer blank (""), then amend sudoers so that the user is
in place. Prior to that, the user would not be in sudoers and would
have no additional privileges.

-- 
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
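
An added example, not part of the original post and not the poster's own script: a shell version of the gate described in the reply above, which writes a sudoers entry only once the shadow field holds a real hash. The SHADOW and SUDOERS_D variables, the function names and the `ALL=(ALL) ALL` rule are assumptions; treating locked fields (`!`, `*`) as "not set" goes beyond the blank check in the post.

```shell
#!/bin/sh
# Paths are overridable so the logic can be exercised on copies (assumption).
SHADOW=${SHADOW:-/etc/shadow}
SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# Print blank | locked | set | missing for the shadow entry of user $1.
pw_state() {
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "")          print "blank"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else                   print "set"
                  exit }
        END { if (!found) print "missing" }' "$SHADOW"
}

# Write a sudoers drop-in for user $1 only when a real hash is stored.
# Returns 0 on grant, 1 on refusal. The rule text is an assumption.
grant_sudo_if_set() {
    user=$1
    # Reject names that could inject sudoers syntax or leave the directory.
    case $user in
        ''|[!a-z_]*|*[!a-z0-9_-]*) echo "refusing username" >&2; return 1 ;;
    esac
    state=$(pw_state "$user")
    if [ "$state" != set ]; then
        echo "$user: password is $state, sudo not granted" >&2
        return 1
    fi
    # Dotted temp name: sudo skips files in sudoers.d whose names contain '.'.
    tmp=$(mktemp "$SUDOERS_D/.tmp.XXXXXX") || return 1
    printf '%s ALL=(ALL) ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    # Syntax-check before activating, where visudo is installed.
    if command -v visudo >/dev/null 2>&1 &&
       ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$SUDOERS_D/$user"
}

# Flow from the post, run as root: set a password, verify, then grant.
first_login() {
    passwd "$1" && grant_sudo_if_set "$1"
}
```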