SSH – Can a Linux user change their password without knowing the current password

password, ssh, sudo, Ubuntu, users

I'm setting up a few Ubuntu boxes, and using Opscode's Chef as a configuration tool. It would be fairly easy to install public keys for each user on each of these servers, and disable password authentication.

However, the users should also have sudo privileges though, which by default requires a password.

If I want to use the users' public keys as a method of access management and allow the users sudo privileges, does that mean I should also set up the users with NOPASSWD: ALL in visudo, or is there a way that a user can change their own password if they only have public key authentication?

Best Answer

Sudo, in its most common configuration, requires the user to type their password. Typically, the user already used their password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned their console and been hijacked.

In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.

A user normally needs to know their current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.

You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.

You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.
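An added example (not part of the original answer): a small audit of the two settings discussed above, checking that sshd's global PasswordAuthentication is effectively no and listing any sudoers rules tagged NOPASSWD. The function names and sample configuration text are constructed for illustration; the parser assumes no Include files and reads only the global section before the first Match block.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample text is constructed.

# Print the effective global PasswordAuthentication value for sshd_config
# text on stdin. sshd keeps the FIRST value it reads for a keyword, keywords
# are case-insensitive, and the default when the keyword is unset is "yes".
sshd_password_auth() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }        # accept the Keyword=value form
        { key = tolower($1) }
        key == "match" { exit }              # global section ends here
        key == "passwordauthentication" { val = tolower($2); exit }
        END { print (val == "" ? "yes" : val) }
    '
}

# Print sudoers rules (stdin) that carry the NOPASSWD tag, i.e. rules that
# let sudo run without the password prompt the answer relies on.
sudoers_nopasswd_rules() {
    awk '
        /^[ \t]*#([^0-9]|$)/ { next }        # comment; "#1000 ..." is a uid rule
        /NOPASSWD[ \t]*:/ { print }
    '
}

# Constructed sample input: the later "yes" is ignored because first wins.
SAMPLE_SSHD='# constructed sample sshd_config
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
'
SAMPLE_SUDOERS='# constructed sample sudoers
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
'

echo "sshd PasswordAuthentication: $(printf '%s' "$SAMPLE_SSHD" | sshd_password_auth)"
echo "sudoers rules that skip the password prompt:"
printf '%s' "$SAMPLE_SUDOERS" | sudoers_nopasswd_rules
```

On a live host, `sshd -T` prints the effective sshd configuration and is the authoritative check; the parser above is for reviewing config text offline.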