Re: Forcing new password at login (w/o requiring an old password) (sudo related)

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 08/24/05

    Date: 24 Aug 2005 14:40:20 GMT

    On 2005-08-22, Andrew Gideon <c182driver@gideon.org> wrote:
    [...]
    > How can I force the need to provide the password? Password aging-based
    > techniques get close, but I cannot quite get the entire way. I can warn,
    > but I cannot force (unless you include eventually locking the account as
    > "forcing" {8^).

    If you're using PAM then the user will be forced to set a new password
    when the existing one expires regardless of the authentication method.

    > Then there's the matter of getting the 'passwd' command to work w/o having
    > the previous password. If I set a blank password, this works. But while
    > the password is blank, the user can sudo w/o additional authentication even
    > if sudo is supposed to be prompting for a password. There may be other
    > consequences of a blank password that would be unfortunate.

    That's the tricky bit. If you could prevent PAM from asking for the old
    password then it would work. I can't think of any way to do this that
    doesn't involve hacking some code somewhere, though.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
