Re: Forcing new password at login (w/o requiring an old password) (sudo related)

From: Andrew Gideon (c182driver_at_gideon.org)
Date: 08/25/05


Date: Thu, 25 Aug 2005 12:49:44 -0400

Darren Tucker wrote:

> On 2005-08-22, Andrew Gideon <c182driver@gideon.org> wrote:
> [...]
>> How can I force the need to provide the password? Password aging-based
>> techniques get close, but I cannot quite get the entire way. I can warn,
>> but I cannot force (unless you include eventually locking the account as
>> "forcing" {8^).
>
> If you're using PAM then the user will be forced to set a new password
> when the existing one expires regardless of the authentication method.

What I found in testing is that I could expire the password, which prevents
login (even via the key pair). But I never saw the message that should be
appearing when in the warning period.

So I can force expiration, but - w/o the warning - that doesn't help as much
as I'd like.

>> Then there's the matter of getting the 'passwd' command to work w/o
>> having the previous password. If I set a blank password, this works. But
>> while the password is blank, the user can sudo w/o additional
>> authentication even if sudo is supposed to be prompting for a password.
>> There may be other consequences of a blank password that would be
>> unfortunate.
>
> That's the tricky bit. If you could prevent PAM from asking for the old
> password then it would work. I can't think of any way to do this that
> doesn't involve hacking some code somewhere, though.

The only way I've thought to do this (w/o code) is a NOPASSWD sudo to
"passwd $USER". But then that would need to be added and removed at the
appropriate times, which involves code.

So a local passwd for this purpose may be the simpler solution.

 - Andrew
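As an added example, not code from this thread, here is a small sh function that classifies /etc/shadow-style entries the way the login/PAM aging check does, covering the expired, warning-period, locked and blank-password states discussed above, plus the lastchg=0 "change at next login" state that "chage -d 0" writes. The entries and the "today" value are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify /etc/shadow-style entries by
# password-aging state, the check that login/PAM performs before the
# "must change" or "will expire" message appears. Entries are constructed.
# shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
# (lastchg, max and warn in days; an empty max means the password never ages).

shadow_state() {
  # $1 = one shadow entry, $2 = "today" as days since 1970-01-01
  entry=$1 today=$2
  oldifs=$IFS; IFS=:
  set -f                 # hash fields like "*" must not glob-expand
  set -- $entry
  set +f; IFS=$oldifs
  name=$1 hash=$2 lastchg=$3 max=$5 warn=$6

  # Empty hash = blank password: login and sudo accept it without a prompt.
  if [ -z "$hash" ]; then echo "$name blank"; return; fi
  # A leading ! or * marks a locked entry: no password can match it.
  case $hash in '!'*|'*'*) echo "$name locked"; return;; esac
  # lastchg=0 is what "chage -d 0" writes: a new password is demanded at
  # the next login, which is the behaviour the thread is after.
  if [ "$lastchg" = 0 ]; then echo "$name must-change"; return; fi
  if [ -z "$max" ] || [ -z "$lastchg" ]; then echo "$name ok"; return; fi
  left=$((lastchg + max - today))
  # More than max days since the last change: the password is expired.
  if [ "$left" -lt 0 ]; then echo "$name expired"; return; fi
  # Fewer than warn days left: the expiry warning should be shown.
  if [ -n "$warn" ] && [ "$left" -lt "$warn" ]; then echo "$name warn $left"; return; fi
  echo "$name ok"
}

# Constructed entries checked against day 13000 (August 2005).
for e in 'alice:$1$xyz$abc:12950:0:90:7:::' \
         'bob:$1$xyz$abc:12995:0:10:7:::' \
         'carol:$1$xyz$abc:12800:0:90:7:::' \
         'dave:$1$xyz$abc:0:0:90:7:::' \
         'erin::12990:0:90:7:::' \
         'frank:!$1$xyz$abc:12990:0:90:7:::'; do
  shadow_state "$e" 13000
done
```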