Gentoo Forums
Giving non-shell users a way to change their passwords
Forum: Networking & Security
Captain Kirk
Tux's lil' helper


Joined: 16 Apr 2003
Posts: 146
Location: USA

Posted: Sun Jun 08, 2014 10:22 pm    Post subject: Giving non-shell users a way to change their passwords

A little bit of background. One of my machines is a login host, web and mail server all rolled into one. There are users that can shell in and there are those that can't. The ones that cannot usually just have a mail-only or web-only account. Their shells are set to nologin and they're denied SSH access (or set up with an internal-sftp chroot for web hosting). This has worked out really well so far. The one difficulty I often encounter is trying to figure out how to allow the users to change their passwords without shell access. Since it's a good security practice and there's increased awareness of password security post-Heartbleed, I'd love to provide end users this functionality on my server.

Most of the packages out there to serve this purpose are either severely out of date or have known vulnerabilities. I'd roll my own, but I feel like it couldn't possibly be as secure. Asking in other forums has led to people suggesting I install webadmin or cPanel :evil:.

Any suggestions?
Naib
Watchman


Joined: 21 May 2004
Posts: 5588
Location: Removed by Neddy

Posted: Mon Jun 09, 2014 7:16 am

Does the server have a httpd running and can it run https?
A simple CGI should facilitate this, using POST to minimise MITM exposure, and then locally call passwd.
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Captain Kirk
Tux's lil' helper


Joined: 16 Apr 2003
Posts: 146
Location: USA

Posted: Mon Jun 09, 2014 7:26 am

Naib wrote:
Does the server have a httpd running and can it run https?
A simple CGI should facilitate this, using POST to minimise MITM exposure, and then locally call passwd.

It does. I suppose I could craft one. Wouldn't some part of that process have to be setuid, though?

Another idea I came up with was having sshd listen on another port and use Match to force users connecting on that port to only run passwd. What do you think?
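The CGI route that Naib suggests and the setuid question it raises, worked through as an added example (this is not code from the thread or from any Gentoo package). The web side needs no setuid bit at all: the script runs as the httpd user and makes exactly one privilege hop through a sudo rule to a root-owned helper. Everything here is an assumption of the example: the helper path /usr/local/sbin/webpasswd, a sudoers line such as "apache ALL=(root) NOPASSWD: /usr/local/sbin/webpasswd", and that the helper reads "user, old, new" on stdin, verifies the old password (PAM) and only then changes it (for instance with chpasswd). The CGI's job is the part that faces untrusted input: insist on HTTPS and POST, accept only accounts that actually have a nologin shell (the people in the original post who cannot simply run passwd themselves), enforce a minimal password policy, give one uniform error so the form cannot enumerate accounts, and pass secrets over stdin rather than argv.

```python
#!/usr/bin/env python3
"""Minimal password-change CGI for accounts that have no shell.

Added example, not code from the forum thread. Hypothetical assumptions:
  * the httpd runs this script as an unprivileged user (e.g. apache);
  * a sudoers rule lets that user run exactly one root helper without a
    password:  apache ALL=(root) NOPASSWD: /usr/local/sbin/webpasswd
  * /usr/local/sbin/webpasswd reads "user\nold\nnew\n" on stdin, verifies
    the old password (PAM) and only then changes it (e.g. chpasswd).
Nothing in this script is setuid; the sudo rule is the only privilege hop.
"""
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_LEN = 12
HELPER = ["sudo", "-n", "/usr/local/sbin/webpasswd"]  # hypothetical helper


def eligible_users(passwd_text, uid_min=1000):
    """Accounts allowed to use the form: non-system users whose shell is a
    nologin shell. Shell users change their password with passwd(1)."""
    users = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, uid, shell = parts[0], parts[2], parts[6]
        if uid.isdigit() and int(uid) >= uid_min and shell in NOLOGIN_SHELLS:
            users.add(name)
    return users


def validate(fields, allowed):
    """Return a list of problems with the submitted form (empty means OK)."""
    user = fields.get("user", "")
    old = fields.get("old", "")
    new = fields.get("new", "")
    confirm = fields.get("confirm", "")
    problems = []
    if not USER_RE.match(user) or user not in allowed:
        # One message whether the name is malformed, a shell user or unknown,
        # so the form cannot be used to enumerate accounts.
        problems.append("unknown account")
    if len(new) < MIN_LEN:
        problems.append("new password too short")
    if new != confirm:
        problems.append("passwords do not match")
    if new == old:
        problems.append("new password must differ from the old one")
    if any(c in old or c in new for c in ("\n", "\0")):
        problems.append("invalid characters")
    return problems


def change_password(user, old, new, run=subprocess.run):
    """Hand the change to the root helper over stdin, never via argv
    (argv is visible to every local user in ps). True on success."""
    payload = f"{user}\n{old}\n{new}\n"
    proc = run(HELPER, input=payload, text=True, capture_output=True, timeout=30)
    return proc.returncode == 0


def handle(environ, body, passwd_text, run=subprocess.run):
    """CGI entry point: returns (HTTP status, message)."""
    if environ.get("HTTPS", "").lower() not in ("on", "1"):
        return "403 Forbidden", "password changes are only accepted over HTTPS"
    if environ.get("REQUEST_METHOD") != "POST":
        return "405 Method Not Allowed", "use POST"
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    problems = validate(fields, eligible_users(passwd_text))
    if problems:
        return "400 Bad Request", "; ".join(problems)
    if change_password(fields["user"], fields["old"], fields["new"], run):
        return "200 OK", "password changed"
    # Wrong old password and helper failure get the same reply; the helper
    # logs the real reason server-side.
    return "403 Forbidden", "password change refused"


if __name__ == "__main__":
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.read(length)
    with open("/etc/passwd") as fh:
        status, msg = handle(os.environ, body, fh.read())
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{msg}\n")
```

The helper is the piece that must verify the old password before touching anything, because the httpd user cannot check other users' passwords itself; the CGI only narrows what reaches it. Rate limiting per account and per client address belongs in the httpd (or the helper), not in this script.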
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1717

Posted: Mon Jun 09, 2014 9:57 am

I'm not sure if it would work, but two things come to my mind:

1) set their shell to $(which passwd)
2) make a group for them (like nologin or something) and in the sshd config use the group-wide ForceCommand option

for example I have
Code:
Match Group sftp
   ForceCommand internal-sftp


I'd expect either of those to do the trick, but well, never tried.
All times are GMT