
This is a pretty odd question, but I'd like my users to be able to change their passwords for my FTPS server, which is using local accounts. Currently all these users have /bin/false set as shell, but would it be possible to set a shell which would allow the user to change his password and then disconnect him? I tried setting /usr/bin/passwd, but it just disconnects after I fill in the current password.

I am using Debian Wheezy.

Steen Schütt
    I can't reproduce your problem with /usr/bin/passwd as shell. As long as I enter the correct current password, I'm able to set a new one before I get logged out. – etagenklo Jun 07 '13 at 12:32
  • @etagenklo Mine reports Authentication token manipulation error regardless of whether the password is correct or not. Interesting. Which OS are you using for this? – Steen Schütt Jun 07 '13 at 13:00
  • This is on Debian Squeeze. – etagenklo Jun 07 '13 at 13:05
  • @etagenklo I tried logging in to bash and ran passwd again, but this seems to be a problem with passwd and not using it as a shell, because it doesn't work for normal users from bash either. Any suggestions? – Steen Schütt Jun 07 '13 at 15:53
  • check `/etc/shadow` if there's a line for the user inside. If not, try to recreate `/etc/shadow` with `pwconv`. If this still doesn't work, remove the password for the user via `sudo passwd -d username` and set it again via `sudo passwd username`. Then try again. – etagenklo Jun 07 '13 at 16:00
  • @etagenklo There is a password for the user in it and it is exactly the same as the root password – Steen Schütt Jun 07 '13 at 16:19
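An added diagnostic, not code from anyone in the thread, for the "Authentication token manipulation error" case worked through in the comments above. It runs etagenklo's checks against a shadow-format file (does the user have an entry, what state is the password field in), flags entries whose hash field is byte-identical to another user's, which is what Steen Schütt noticed about the root entry, and checks that the file is not world-readable. The file path is a parameter so it can be run on a copy; the sample file it builds is constructed and its hashes are not real.

```shell
#!/bin/sh
# Added example, not code from the thread: a diagnostic for the
# "Authentication token manipulation error" discussed in the comments above.
# It checks the things etagenklo suggested (is there an entry for the user,
# is the password field sane) against a shadow-format file whose path is
# passed in, so it can be run on a copy. The sample file at the bottom is
# constructed for the demonstration; the hashes in it are not real.

# shadow_status FILE USER -> prints one of: missing | empty | locked | hashed
shadow_status() {
    file=$1
    user=$2
    entry=$(grep "^${user}:" "$file") || { echo missing; return 1; }
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;   # no password at all (what `passwd -d` leaves)
        '!'*|'*'*) echo locked ;;  # locked account or password login disabled
        *)         echo hashed ;;
    esac
}

# duplicate_hashes FILE -> prints, per duplicated hash, the users sharing it.
# Two accounts with byte-identical hash fields also share the salt, so one
# entry was copied by hand rather than set with passwd; the thread reports
# exactly that for a user whose entry matched root's.
duplicate_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { n[$2]++; u[$2] = u[$2] " " $1 }
             END { for (h in n) if (n[h] > 1) print u[h] }' "$1" | sed 's/^ //'
}

# world_readable FILE -> succeeds if "other" can read FILE. A shadow file must
# be root-owned and unreadable by others; if a copy or a recreated file is
# world-readable, fix the mode before anything else.
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# Constructed sample shadow file (not a real system file).
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
root:$6$saltsalt$notarealhash:15800:0:99999:7:::
alice:$6$saltsalt$notarealhash:15800:0:99999:7:::
bob:!:15800:0:99999:7:::
carol::15800:0:99999:7:::
EOF
chmod 600 "$SAMPLE_FILE"

# Stand-alone run: report on every user in the sample plus one that is absent.
for u in root alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(shadow_status "$SAMPLE_FILE" "$u")"
done
printf 'users sharing a hash: %s\n' "$(duplicate_hashes "$SAMPLE_FILE")"
world_readable "$SAMPLE_FILE" && echo "WARNING: $SAMPLE_FILE is world-readable"
echo "sample left at $SAMPLE_FILE; remove it when done"
```

On a real system, point `shadow_status` at `/etc/shadow` as root; an entry reported `missing` is the case where `pwconv` is the fix, and a `root alice`-style line from `duplicate_hashes` means the entry was copied rather than set, so `passwd -d` followed by `passwd` is the right repair.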

2 Answers


You could probably do something with ssh force-commands in the ~/.ssh/authorized_keys file. This works on a CentOS system I have to hand. Change the authorized_keys file entry for the relevant key so that it runs passwd.

command="/usr/bin/passwd" ssh-rsa AAAAB3NzaC1yc2EAA...

When someone logs in using that key the /usr/bin/passwd program (and only that program) will be run.

user9517
  • Well thought, but still not quite what I'm looking for, because I'd have to teach my users how to convert their private keys and how to use them. Still +1 for a very good answer! – Steen Schütt Jun 07 '13 at 15:54
  • @TimeSheep: Educate them then. – user9517 Jun 07 '13 at 16:29
  • @lain I wouldn't do it if I don't have to. This is not about being dodgy, but it's going to require their current password anyway, and the other services do not all allow for PKA either way. This is all just for filesharing among users on a forum, no big deal. – Steen Schütt Jun 07 '13 at 17:16
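As an added illustration, not part of user9517's answer: the same forced-command line with the key restricted so it can do nothing but run passwd, and the server-side form of the same idea in sshd_config, which also covers users who log in with a password rather than a key (the objection raised in the comments). The group name ftpusers is an assumption. Two caveats a practitioner would want: sshd runs a forced command through the user's login shell with -c, so accounts whose shell is /bin/false, as in the question, need a real shell such as /bin/sh for either form to work at all; and no-pty (or restrict, which implies it) must not be added, because passwd reads the old and new passwords from the terminal.

```text
# ~/.ssh/authorized_keys: this key can only ever run passwd, and cannot be
# used to tunnel anything through the server while it does so.
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/passwd" ssh-rsa AAAAB3NzaC1yc2EAA...

# /etc/ssh/sshd_config: the same effect for every member of the (assumed)
# group ftpusers, whichever way they authenticate; no client-side key
# handling is needed.
Match Group ftpusers
    ForceCommand /usr/bin/passwd
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

With either form the session ends as soon as passwd exits, whether the change succeeded or not, which is the "change password and then disconnect" behaviour the question asks for.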

I believe the solution to your problem is Usermin.

http://www.webmin.com/usermin.html

Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console. See the standard modules page for a list of all the functions built into Usermin.

Depending on your system type, installation should be quite simple as the *min packages offer RPM/Yum Repositories/etc.

Ryan
    Hmm, I might try installing webmin and usermin again, I've used it before. Using a different shell just seems like a far more lightweight solution, so I'm still looking for that. – Steen Schütt Jun 07 '13 at 12:13
  • I agree, it would be more lightweight. Personally though - from a security standpoint, I try to keep users away from shell and I think webmin fits that bill nicely. – Ryan Jun 07 '13 at 13:41
  • True, I've also just thought of binding SSHD to a different IP address which I use for private stuff (So all services except FTP seem closed). I don't think I want to let them change password then, it's not essential, and I wouldn't mind managing these 40-50 users manually when that's all I have to do. After all, the users are from a hacking forum, I believe they are smart enough to remember their passwords :) – Steen Schütt Jun 07 '13 at 15:36