Reset user’s password without root
Is there any way to allow non-root users to change other users' passwords? Specifically, is there a way to grant help desk employees the ability to do password resets? The help desk can already reset Windows passwords, which is easy to delegate out. These are on a variety of server types, although most are on HP-UX. Unfortunately, the applications that run on the servers prevent us from using LDAP, so these servers are independent and users forget their passwords. Often. Requiring a server admin who knows the root password, especially in the middle of the night, is a waste of resources. If it is possible, does it also prevent the user from changing root's password, like Windows prevents users from changing admin passwords from non-admin accounts?
4 Answers
Add a group called helpdesk and add all helpdesk users to it. Then add the following to the sudoers file.
Now they can sudo to change passwords but nothing else.
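As an added example (not the answer's own sudoers lines), here is that helpdesk delegation written out in its weak form and its corrected form, plus an install helper that only copies the rule into place after visudo has accepted it. It assumes passwd lives at /usr/bin/passwd and that sudo reads /etc/sudoers.d; on HP-UX the path may differ and the rule may need to go into /etc/sudoers itself.

```shell
#!/bin/sh
# Added example, not code from the answer above: a sudoers fragment that lets
# members of the "helpdesk" group reset passwords for ordinary accounts, and a
# helper that installs it only after visudo has accepted the syntax.
# Assumptions: passwd lives at /usr/bin/passwd and sudo reads /etc/sudoers.d.

# The weak form many people write first. It also permits "sudo passwd root"
# and a bare "sudo passwd", which, running as root, sets root's password.
weak_rule() {
    printf '%s\n' '%helpdesk ALL = /usr/bin/passwd'
}

# The corrected form (the same pattern the sudoers manual uses): the first
# argument must start with a letter, so a bare "sudo passwd" and option-first
# invocations such as "passwd -d root" match nothing, and the negated entry
# refuses "passwd root" explicitly.
helpdesk_rule() {
    printf '%s\n' '%helpdesk ALL = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root'
}

# True when a rule text carries the explicit root exclusion.
rule_excludes_root() {
    printf '%s\n' "$1" | grep -q '!/usr/bin/passwd root'
}

# Install the corrected rule as a drop-in. A sudoers file with a syntax error
# disables sudo for everyone, so the fragment is checked with "visudo -c" first
# and only then copied into place with the 0440 mode sudo insists on.
install_helpdesk_rule() {
    tmp=$(mktemp) || return 1
    helpdesk_rule > "$tmp"
    if visudo -c -f "$tmp" >/dev/null 2>&1; then
        cp "$tmp" /etc/sudoers.d/helpdesk &&
            chown root:root /etc/sudoers.d/helpdesk &&
            chmod 0440 /etc/sudoers.d/helpdesk
        status=$?
    else
        echo "refusing to install: visudo rejected the fragment" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}
```

After installing, a helpdesk member can verify the exclusion with `sudo -l`, which lists the permitted passwd forms and the negated root entry.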
Given that HP-UX is said to support PAM, I dare to mention the following tentative clean approach to solving this problem here:
use pam_tcb (tcb — the alternative to /etc/shadow), and there’ll be users’ password files per user — they can be manipulated without root’s rights (in fact, in Owl, passwd isn’t setUID root), and you can give the permission to modify the passwords of certain users (and not the other ones, say, «root») to a specific group (by simply modifying the permissions of the shadow files).
But it’s not a practical ready solution yet probably, because I don’t see a port of pam_tcb to HP-UX.
Update: Never mind, passwd is already setuid root. Oops.
You could give the setuid attribute to the passwd program. Just do
sudo chmod u+s `which passwd`
Then make sure only certain users can use it so change the group and restrict permissions:
sudo chgrp password_reset_delegates `which passwd`
sudo chmod 4750 `which passwd`
And add your users to that group
sudo adduser frank password_reset_delegates
sudo adduser barbara password_reset_delegates
You may want to make a copy of the passwd program without the setuid so that other users can change their own password.
Alternatively, you could set up sudo and allow sudo access to only the passwd program for the helpdesk users.
Change password without root access
I have access to my account on a VPS over SSH. Some time ago, I changed my password and forgot it. But still, I can log in over my SSH key. It was enough for a while, but now I need to log in from another device, so it's time to recover my password. How do I change my password without knowing the old one (without root access)?
I would say it depends on the type of VPS. If it’s a true VPS and they have spun up a dedicated VM for that instance, I highly doubt they have direct access to the account. However, if they simply allocated an account for you to use on a shared server instance then yeah, they should be able to reset it.
Can you load a Live ISO? If so, I'd assume the fix is relatively trivial. Also, depending on your kernel version, look into using Dirty COW.
1 Answer
The short answer is, without knowing your current password and without root/sudo access, you can’t change your password. The basic *NIX security model does not allow mortal users to change passwords for accounts they lack the rights to access.
Doing what you want would require root (sudo) access, or at least read access to the passwd and shadow files if you wanted to run cracking software on them.
If you can access your account over your SSH key (not sure what you mean by that), then you will have access to your account and thus, MIGHT be able to change your password with some finagling. For example, creating a trust relationship using .rhost that will allow people with the same username access without requiring a password. Needless to say, this is a dangerous vulnerability and is discouraged.
Most distros that I am aware of require users to know their current password before they can change it. This, again, is part of the basic *NIX security model that has been in effect for around 50 years.
The moral of the story, of course, is to have some sort of standard username/password management plan so that forgetting your password is recoverable.
Can a linux user change their password without knowing the current password?
I'm setting up a few Ubuntu boxes, and using Opscode's Chef as a configuration tool. It would be fairly easy to install public keys for each user on each of these servers, and disable password authentication. However, the users should also have sudo privileges, which by default requires a password. If I want to use the users' public keys as a method of access management and allow the users sudo privileges, does that mean I should also set up the users with NOPASSWD: ALL in visudo, or is there a way that a user can change their own password if they only have public key authentication?
Why do you want your users to have sudo privileges? I hope you are aware that you give away root access by this. There might be a chance here to invest some time and allow only a subset of commands to be used in connection with sudo (which would be maybe less insecure). Reading man sudoers will yield info about letting certain commands run with sudo without any user password necessary at all. You can even add a shell script to /etc/sudoers which would allow a per-user «self-password» setting without the need of a prior password.
@humanityANDpeace — I realize this. Our team members all require root access to the cloud servers we maintain. We are now using chef to manage users’ public keys and we have a sysadmin group with NOPASSWD: ALL that the team members are part of. If you can suggest a better solution please post it as an answer.
6 Answers
Sudo, in its most common configuration, requires the user to type their password. Typically, the user already used their password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn’t abandoned their console and been hijacked.
In your setup, the user’s password would be used only for authentication to sudo. In particular, if a user’s SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.
A user normally needs to know their current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change their own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.
You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.
You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it’s pretty flexible), but I couldn’t tell you how off the top of my head; ask a separate question if you need help.
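An added example, not part of the answer above: a shell check for the sshd_config step, which also covers the two ways that setting silently fails (sshd keeps the first value it reads for a keyword, and anything below a Match line applies only to the matched users). It assumes the file is read on its own, without following Include directives; the function names and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the answer above. Checks that an sshd_config
# really disables password authentication server-wide. sshd keeps the FIRST
# value it reads for a keyword, so a "no" placed after an earlier "yes" is
# ignored, and everything below a "Match" line applies only to matched users.
# Assumption: Include directives (Ubuntu's /etc/ssh/sshd_config.d/*.conf) are
# not followed here; on the live host "sshd -T | grep -i passwordauthentication"
# prints the effective value and is the final word.

# Usage: sshd_password_auth_off FILE  -> exit 0 when password auth is off globally
sshd_password_auth_off() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comment or blank line
        tolower($1) == "match" { in_match = 1; next }  # per-user section begins
        in_match { next }                               # nothing after Match is global
        tolower($1) == "passwordauthentication" && !seen {
            seen = 1; value = tolower($2)              # first occurrence wins, as in sshd
        }
        END { exit (seen && value == "no") ? 0 : 1 }   # sshd defaults to yes when unset
    ' "$1"
}

# Constructed sample: password login off globally, re-enabled only for one
# matched user, which is a legitimate layout that the check must accept.
make_good_sshd_config() {
    f=$(mktemp)
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
        'Match User deploy' '    PasswordAuthentication yes' > "$f"
    echo "$f"
}

# Constructed sample: the "no" was appended below an existing "yes", so sshd
# still accepts passwords even though the line is present in the file.
make_bad_sshd_config() {
    f=$(mktemp)
    printf '%s\n' 'PasswordAuthentication yes' \
        '# appended later, but sshd already took "yes" from the line above' \
        'PasswordAuthentication no' > "$f"
    echo "$f"
}
```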