How to set a password that violates password constraints without changing constraints using sudo

passwordsudo

I have root access on a machine shared by others. I think the password constraints are absurd, they are overly excessive in how they mandate the use and ordering of non word characters and make passwords slow to type due to the constant need to use special characters breaking up the password (even though I type I'm always minutely slower with special characters, it seems to break my flow). I can create a long & secure password without the constraints. I want to use my root access to circumvent the password rules to create a password I like and can type quickly.

However, I don't want to change the password constraints themselves. Or more accurately I DO want to change them, I think they are idiotic and don't actually add to security as written, but I shouldn't change them since that is being regulated by a higher authority.

Is there a way I can exploit my root access to set a password that violates these constraints without changing the constraints for anyone else on the system?

Best Answer

You could try printf "%s\n" 'username:encryptedpassword' | sudo chpasswd -e - that may be able to bypass the password checking enforced by PAM.

The password must be pre-encrypted, e.g. as in the mkpasswd example by muru. For example:

p=$(mkpasswd -m sha-512 'mysupersekretpassword')
printf "%s:%s\n" 'username' "$p" | sudo chpasswd -e

I'm using printf here rather than echo because echo will interpret and change the ouput for some character sequences that may occur in the crypted password, e.g. \t, \n, \nnn (3-digit octal) and others.

Remember to delete the mkpasswd command from your .bash_history. Or use export HISTCONTROL=ignorespace and prefix the p=$(...) command with a space so it never gets stored in the history. If you are not using bash, use whichever method is appropriate for your shell.

Related Solutions

Change root password by sudo, without su

So you want to run something like sudo passwd root?

Why sudo Command Executes Without Prompting for Password

Say sudo -K, then retry your test. If it starts asking again, all that was happening is that you had sudo configured to remember your password for some time.

On top of this, Ubuntu's default sudo configuration makes it remember your credentials across ttys. This affects ssh sessions, as you've discovered, since each new ssh connection looks like a new terminal to the low-level OS code.

This also affects things like the graphical Terminal app. If you authenticate with sudo, then create a new tab with Ctrl-Shift-T, you'll find that you don't need to give a password to sudo again in that tab, despite the fact that it also creates a new tty. You can even close the Terminal app entirely, and as long as you restart it within the normal password timeout, sudo will run without requiring you to re-enter your password. This behavior may be enough to make you decide you want to keep this feature enabled.

Mac OS X works this way these days, too.

Not all *ixes do. Red Hat Enterprise Linux (and derivatives like CentOS) insist on getting the password on each new tty.

You can disable both behaviors by changing the Defaults line in /etc/sudoers to something like this:

Defaults=env_reset,timestamp_timeout=0,tty_tickets

The env_reset bit should be there already, and isn't relevant here
The timestamp_timeout directive tells it to immediately time out each sudo session. It's like saying sudo -K after every normal sudo command.
The tty_tickets directive ensures that it associates credentials with the tty they were used on, not just the user name. This is supposed to be the default already, and is documented as such on Ubuntu, but they must have built their distribution of sudo to disable this option, for the convenience reasons given above.

Best Answer

Related Solutions

Change root password by sudo, without su

Why sudo Command Executes Without Prompting for Password

Related Question