I have a remote server to which I login using ssh. Is there a way to be notified through email (using a bash script) when someone changes the user password using passwd including the new password?

I am guessing it has to do with /etc/pam/passwd, but not entirely sure what the trigger and flags should be.

This would be useful if for example I give my access to a "friend" and they decide to lock me out of my account. Of course I could create a new account for them etc, but this is more of a "it should be possible" task rather than a practical one.

masimplo
    Don't give away access to accounts you need. Ever. Create new accounts with proper rights. Always. And regarding your question, I'd venture to respond with a tentative "No.". – HonkyTonk Apr 11 '12 at 10:12
  • @HonkyTonk as I pointed out, I could just create a new account, but I am exploring other possibilities (probably unrealistic) just for the sake of argument. – masimplo Jul 12 '12 at 21:33
  • @noa there are so many sub-sites of stack exchange these days I can barely keep track of them :D. Thanks for pointing that out. – masimplo Jul 12 '12 at 21:34

3 Answers

2

First, a Dope Slap

There's a rule that this question reminds me of... What is it? Oh yeah...

NEVER SHARE YOUR PASSWORDS WITH ANYONE!

Which also goes well with the rule.

NEVER SEND SOMETHING SECRET THROUGH EMAIL!

Sorry for the shouting. There's a rule in security that the likelihood a secret will get out is the square of the number of people who know it. My corollary is:

if ( people_who_know_secret > 1 ) {
     It ain't a secret any more
}

In Unix, even the system administrator, the all powerful root, doesn't know your password.

Even worse, you want to email your password. Email is far from secure. It's normally just plain text sent over the Aether where anyone who's a wee bit curious can peek at it.

Method One: Allowing Users to use SSH without Knowing Your Password

Since you're using SSH, you should know that SSH has an alternate mechanism for verifying a user called Private/Public keys. It varies from system to system, but what you do is create a public/private key pair. You share your public key with the system you want to log into, but keep your private key private.

Once the remote machine has your public key, you can log into that system via ssh without knowing the password of that system.

The exact mechanism varies from machine to machine and it doesn't help that there are two different ssh protocols, so getting it to work will vary from system to system. On Linux and Macs, you generate your public/private key pair through the ssh-keygen command.

By default, ssh-keygen will produce two files, $HOME/.ssh/id_rsa.pub and $HOME/.ssh/id_rsa. The first one is your public key. You run ssh-keygen on both your machine and the machine you want to log into.

On the machine you're logging into, create a file called $HOME/.ssh/authorized_keys, and copy and paste your public key into this file. Have your friend also send you his public key, and paste that into the file too. Each public key will take up one line in the file.

If everything works, both you and your friend can use ssh to log into that remote machine without being asked for a password. This is very secure since your public key has to match your corresponding private key. If it doesn't, you can't log in. That means even if other people find your public key, they won't be able to log into that remote system.

Both you and your friend can log into that system without worrying about sharing a password.

Method Two: A Better Solution: Using SUDO

The other way to do this is to use sudo to allow your friend to act as you in certain respects. Sudo has a few advantages over actually sharing the account:

  • All use of SUDO is logged, so you have traceability. If something goes wrong, you know who to blame.
  • You can limit what people can do as SUDO. For example, your friend has to run a particular command as you, and nothing else. In this case, you can specify in the /etc/sudoers file that your friend can only run that one particular command. You can even specify if your friend can simply run the command, or require your friend to enter their password in order to run that command.

On Ubuntu Linux and on Macintoshes, the root password is locked, so you cannot log in as root. If you need to do something as root, you set yourself up as an administrator (I believe by putting yourself in the wheel group) and then using sudo to run required administrator functions.

The big disadvantage of Sudo is that it's more complex to set up and requires administrator access on the machine.


Try setting up public/private keys using SSH. It might take some tweaking to get it to work, but once it works, it's beautiful. Even better, you can run remote commands and use scp to copy files from one machine to the other -- all without the password prompt. This means that you can write shell scripts to do your work for you.

By the way, a sneaky trick is to set your remote shell to /bin/false. That way, you can't log into that system -- even using ssh, but you can run remote commands using ssh and use scp to copy files back and forth between systems.

David W.
  • Thanks for the lengthy answer. I always login using private/public key verification so I already have that set up. Though if someone has root access you understand it's pretty easy for them to change that situation, so it is not a safe assumption to make that you will still have access through that. Also thanks for all the advice, but I said it is more a "it should be possible" rather than a real world scenario. I bet a lot of people might misinterpret that, so it is good that you cleared things up. – masimplo Jul 12 '12 at 21:20
  • Also thanks for the /bin/false trick, didn't know that. Will keep it in mind for future setups. – masimplo Jul 12 '12 at 21:29
1

Personal passwords are only supposed to be known by the user themselves. Not even the root user is supposed to know them, which is why they are stored encrypted. Of course, the root user has sufficient access to decrypt them, but the principle is the same.

If you are giving your "friend" access, then assign them proper privileges! Do not make them a root user, and you shouldn't be a root user either. Then your "friend" won't have access to change your password, let alone muck about in areas they aren't supposed to be in.

If you absolutely must monitor the passwd and shadow files, install iwatch. Then set it to watch the /etc/passwd and /etc/shadow files. If they change, it runs a script that decrypts the file and emails someone. If you keep a copy to diff against, you'll even know who changed. You should probably also gpg the email, so that it does not go over the internet in plain text, since it has everyone's password in it. Please note that any other users on the system will be upset by the dystopian world they find themselves in.

Just because root is the law of the land does not mean we want to be living in 1984.

Spencer Rathbun
  • I think this is the answer closest to what I was looking for, so I think I will choose this one as the correct one, not to mean any disrespect to the rest of the guys. Again this is more of a "lab test" situation rather than a real world case. The server only has one user, doing one job, passwords are randomly generated and disposable so them being compromised is not really an issue. – masimplo Jul 12 '12 at 21:26
-1

Try some kind of:

alias passwd="passwd && echo 'Alert! Alert! Alert!' | mail -s 'pass change' alert@example.com"

Should be enough for you:)

Other possible solutions for those who think that an alias is too mainstream)):

1) You could make a cron job that checks your /etc/shadow file every minute, for example, and when the file changes, it sends you an alert email. The easiest way here, I think, will be making an md5 checksum.

2) You can move /usr/bin/passwd to /usr/bin/passwd.sys and make a script with /usr/bin/passwd.sys && echo 'Alert! Alert! Alert!' | mail -s 'pass change' in its place. And yes, this way could also be discovered by the user and scrubbed round:)

mega.venik
  • An alias is something that anyone can change, or they can just run passwd as `\passwd`. – jordanm Apr 11 '12 at 17:51
  • Of course. But it's just one of the possible solutions. You can also check the `/etc/passwd` file once, for example, a minute and send alerts when it changes. – mega.venik Apr 11 '12 at 18:01
  • password hashes are generally not stored in /etc/passwd. You mean /etc/shadow. – jordanm Apr 11 '12 at 18:07
  • This also qualifies as a possible solution in my book, but I just find iwatch to be a cleaner solution. This is totally a matter of preference though, since most people might have chosen not to install anything additional and go your way. – masimplo Jul 12 '12 at 21:28
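The iwatch-plus-diff idea in Spencer Rathbun's answer and the cron-plus-checksum idea in mega.venik's answer come down to the same check. As an added example that is not code from either answer, this POSIX shell script keeps a checksum and a copy of a shadow-style file under an assumed state directory, reports which account's hash field changed (it never recovers the password; the hash does not reveal it), and returns non-zero when nothing changed so a cron job mails only on change. The /var/lib/shadow-watch directory and the cron line are assumptions.

```shell
#!/bin/sh
# Added example (not from any answer on this page): detect a change to a
# shadow-style file by comparing a stored checksum with the current one, then
# diff against a saved copy to report WHICH account's hash field changed.
# The password itself is never recovered or mailed; the hash does not reveal it.

STATE_DIR="${STATE_DIR:-/var/lib/shadow-watch}"   # assumed location, root-only

# Print the names of accounts whose password-hash field (field 2) differs
# between the saved copy ($1) and the current file ($2).
changed_accounts() {
    awk -F: 'NR == FNR { old[$1] = $2; next }
             !($1 in old) { print $1 " (new account)"; next }
             old[$1] != $2 { print $1 }' "$1" "$2"
}

# check_shadow FILE STATE_DIR
# Returns 0 (and prints the changed accounts) when FILE differs from the
# stored baseline, 1 when it is unchanged. The first run only records a baseline.
check_shadow() {
    file=$1; state=$2
    mkdir -p "$state" && chmod 700 "$state"   # the saved copy is as sensitive as /etc/shadow
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    if [ -f "$state/sum" ] && [ "$(cat "$state/sum")" = "$sum" ]; then
        return 1
    fi
    if [ -f "$state/copy" ]; then
        changed_accounts "$state/copy" "$file"
    fi
    printf '%s\n' "$sum" > "$state/sum"
    cp "$file" "$state/copy"
    return 0
}

# Cron usage (assumed path for the script):
#   * * * * * /usr/local/sbin/shadow-watch.sh /etc/shadow
# Mail is sent only when the check reports a change.
if [ -n "${1:-}" ]; then
    if changes=$(check_shadow "$1" "$STATE_DIR"); then
        printf 'Password hash changed for:\n%s\n' "$changes" | mail -s 'pass change' root
    fi
fi
```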