Can a linux user change their password without knowing the current password?
Solution 1
Sudo, in its most common configuration, requires the user to type their password. Typically, the user already used their password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned their console and been hijacked.
In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.
A user normally needs to know their current password to change it to a different password. The passwd
program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd
prompt by running sudo passwd $USER
. If sudo
is configured to require the user's password, then the user must have typed the password to sudo
anyway.
You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d
. To disable password authentication, comment out the auth … pam_unix.so
line in /etc/pam.d/common-auth
. Furthermore, make sure you have PasswordAuthentication no
in /etc/ssh/sshd_config
to disable sshd's built-in password authentication.
You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.
Solution 2
You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
before the other auth
(or include
) entries in /etc/pam.d/sudo
and
Defaults env_keep += "SSH_AUTH_SOCK"
to /etc/sudoers
(via visudo
).
Now every user can either authenticate to sudo
via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c
such that each sudo
call will at least require some confirmation.
Solution 3
Yes, it's incredibly insecure and also allows a user to access the other users passwords, but since they have sudo, not much you can do.
Basically, you do the following:
$ sudo -i
Now, we are root. We have access to everything.
# passwd $username
$username can be anyone's username.
Enter new UNIX password:
Retype new UNIX password: passwd: password updated successfully
Boom, password changed. Again, incredibly insecure because you can change anyones, but it works, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.
Solution 4
#% useradd -g somegroup someuser
#% usermod -p "" someuser
#% chage -d 0 someuser
#% sed -i "s/^.*PasswordAuthentication .*/PasswordAuthentication no/" /etc/sshd/sshd_config
#% /sbin/service sshd restart
#% cp -r ~/.ssh `echo ~someuser`
#% chown -R someuser `echo ~someuser`/.ssh
#% chgrp -R somegroup `echo ~someuser`/.ssh
#% echo "%somegroup ALL=(ALL) ALL" >> /etc/sudoers
> This should allow you to have users who can login only using public keys and can not use passwords for login. However he will be forced to change the password the first time he logs in...but without having to tell him somedummy password up front...The users will be simply asked to reset the password and subsequently they can use it only for sudo but will not be able to login(ssh) using that password. Note that the trick here is to not to have told users some dummy password which they would then be required to input at the time of login once they are required to to change their password ...In nut shell no communication from admin(root) to the actual user is required.
Related videos on Youtube
cwd
Updated on September 18, 2022Comments
-
cwd over 1 year
I'm setting up a few
ubuntu
boxes, and using opscode'schef
as a configuration tool. It would be fairly easy to install public keys for each user on each of these servers, and disable password authentication.However, the users should also have
sudo
privileges though, which by default requires a password.If I want to use the users' public keys as a method of access management and allow the users
sudo
privileges, does that mean I should also set up the users withNOPASSWD: ALL
invisduo
, or is there a way that a user can change their own password if they only have public key authentication?-
sr_ about 12 years
-
cwd about 12 years@sr - doesn't look like this is a mainstream way of doing it...
-
humanityANDpeace over 11 yearsWhy do you want your users to have sudo priveleges? I hope you are aware that you give away a root access by this. There might be a chance here to invest some time and allow only a subset of commands to be used in connection with sudo (which would be maybe less insecure). Go
man sudoers
will yield info about having certain commands being able to run with sudo without user password necessary at all. You can even add a shellscript to /etc/sudoers which would allow a per user "self-password" setting without the need of a prior password. -
cwd over 11 years@humanityANDpeace - I realize this. Our team members all require root access to the cloud servers we maintain. We are now using chef to manage users' public keys and we have a sysadmin group with
NOPASSWD: ALL
that the team members are part of. If you can suggest a better solution please post it as an answer.
-
-
cwd about 12 yearslooks good but can you elaborate on what's going on here?
-
intractve about 12 yearsIt's not possible to do
sudo -i
without current user password. -
Tobias Kienzler over 11 yearsOn a related matter, there's pam_ssh, which allows to use your SSH passphrase instead of the unix one for login, automatically starting an agent and adding the key - thus providing you with a single sign-on possibility.
-
humanityANDpeace over 11 years@Miro. It is as you say. Still a
sudo bash
could be passwordless given that setup so in the/etc/sudoers
file. I think @jrg is as said more focusing on the insecurity issue with sudo here -
Antony over 10 yearshonestly, you don't have to do
sudo -i
, you can jump straight tosudo passwd $username
@Miro, you don't need to know the current user password. You only need to know the root password to use sudo -
Tobias Kienzler over 9 yearsone convenient way of using PAM in combination with SSH key authentication is via pam_ssh_agent_auth, which has the advantage of replacing the password prompt by the (theoretically even more secure) key authentication SSH can use anyway
-
still_dreaming_1 about 7 yearsso you are saying
sudo passwd
would change the password for the current user, not for the sudo user? -
Gilles 'SO- stop being evil' about 7 years@still_dreaming_1 No, I'm saying that a user who can run commands with
sudo
can change their own password. The exact command doesn't really matter, but to go into more detail, it would besudo passwd bob
wherebob
is the user's name, or something equivalent. With no argument,sudo passwd
would indeed change the password for root. -
Andrew Savinykh over 4 yearsSo, you are suggesting enabling
NOPASSWD: ALL
? You do not say this explicitly, but the way I read the answer, you must be implying this, because otherwise you answer does not seem to answer the question. Could you please clarify? -
Gilles 'SO- stop being evil' over 4 years@AndrewSavinykh I don't recommend any particular solution. I'm just explaining how the various bits of software involved work. The best configuration depends on what compromise you want to make between security, ease of use, ease of administration, flexibility, etc.