Ubuntu: Make the root the only one able to change the passwords of all other users



Question:

For security purposes, I want only root to be able to change the passwords of all the other users. This will be achieved if I set /usr/bin/passwd to 700. Now, if password ageing is enabled or first login is enabled, when a user logs in with a successful or expired password, they are requested to choose a new password, which I want to disable.

OUTPUT:

    login as: test
    Using keyboard-interactive authentication.
    Password:
    Using keyboard-interactive authentication.
    Password change requested. Choose a new password.
    Enter current password:

Expected Output:

    login as: test
    Using keyboard-interactive authentication.
    Password:
    Using keyboard-interactive authentication.
    Your password has expired. Please contact root to change your password.

I want any workaround to achieve this.


Solution:1

There is an option for that:

    passwd -n MIN <login-name>

will disallow changing the password for MIN days.

From man passwd:

    -n, --mindays MIN_DAYS
        Set the minimum number of days between password changes to MIN_DAYS. A
        value of zero for this field indicates that the user may change his/her
        password at any time.

Put it on 9999 and you are set for 27 years.


Though not documented, it seems -1 works as a value too. As this is often a method to disable something permanently, I would assume it will do the same here. Example using -1:

    ~$ sudo passwd -n -1 rinzwind
    passwd: password expiry information changed.
    ~$ passwd rinzwind
    Changing password for rinzwind.
    (current) UNIX password:
    Enter new UNIX password:
    Retype new UNIX password:
    Password unchanged
    Enter new UNIX password:
    Retype new UNIX password:
    Password unchanged
    Enter new UNIX password:

The password is asked for but never changed.

For security purpose, I want only the root to change passwords for all the other users.

You deciding what the passwords are is going to create a security risk. Let us assume you pick a random password with numbers, letters, at least a special character, maybe a capital. Like Gsi^771H. Those passwords are very very very hard to remember and your users are going to write them down. On paper, in a text file, or even worse, save them in Gmail as a concept.

The best passwords are sentences a user can remember, and those can be very long. A password like "lastyeariwenttolondonformyholiday" is far superior to anything you can enforce, even though it lacks numbers, capital letters or special characters. That user will remember it since it is related to something he did, and it will be very hard to brute force. The only thing he has to do is visit London for his holiday every year from now on ;)

Educate your users and let them pick their own password. If you need to make sure their password is good, explain to them that you want to set it together with them. You can, however, create rules on passwords: if you set a rule that the password needs to be 15 characters and tell them that this is the case, so that they pick a sentence instead of random letters, they will understand and hopefully agree.

Or ...

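An added example (not from the original answer) that audits the field `passwd -n` writes. It reads a constructed file in /etc/shadow layout, where the 4th field is the minimum days value, and classifies each account as unrestricted (0 or empty, the state the question wants to prevent), restricted until a given day, or carrying an undocumented value such as -1 that should be reviewed by hand. The account names and the placeholder hashes are made up for the sample.

```shell
#!/bin/sh
# Added example, not part of the original answer: verify that `passwd -n MIN user`
# actually took effect for every account before relying on it.
#
# /etc/shadow fields (shadow(5)):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# `passwd -n` writes the 4th field. 0 or empty means "may change at any time";
# a positive value blocks self-service changes until lastchg + min.

# Constructed sample in /etc/shadow format; hashes replaced by placeholders.
make_sample_shadow() {
  cat <<'EOF'
root:$6$PLACEHOLDER:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19000:0:99999:7:::
bob:$6$PLACEHOLDER:19000:9999:99999:7:::
carol:$6$PLACEHOLDER:19000:-1:99999:7:::
dave:$6$PLACEHOLDER:19000::99999:7:::
EOF
}

# min_days_status FILE USER: classify one account's min-days field.
# Prints "unrestricted", "restricted-until:<day number>", or "review:<value>".
min_days_status() {
  awk -F: -v u="$2" '
    $1 == u {
      if ($4 == "" || $4 == 0)    print "unrestricted"
      else if ($4 ~ /^[0-9]+$/)   print "restricted-until:" ($3 + $4)
      else                        print "review:" $4   # e.g. -1, not documented
      exit
    }' "$1"
}

# audit_min_days FILE: list every non-root account that may still change its
# own password at any time (the condition the question wants to prevent).
audit_min_days() {
  awk -F: '$1 != "root" && ($4 == "" || $4 == 0) { print $1 }' "$1"
}

SAMPLE="${TMPDIR:-/tmp}/shadow.sample.$$"
make_sample_shadow >"$SAMPLE"
echo "Accounts still allowed to change their own password:"
audit_min_days "$SAMPLE"
for u in alice bob carol dave; do
  printf '%s: %s\n' "$u" "$(min_days_status "$SAMPLE" "$u")"
done
rm -f "$SAMPLE"
```

On a real system, point the functions at /etc/shadow as root (`audit_min_days /etc/shadow`) after running `passwd -n` for each user; any name still printed by the audit has not been restricted.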


Solution:2

You could use PAM. In the file /etc/pam.d/common-password:

    password optional pam_echo.so Only root can change passwords...
    password sufficient pam_rootok.so
    password required pam_deny.so

When you run the passwd command:

    user@ubuntu1510:~$ passwd
    Only root can change passwords...
    Changing password for user.
    (current) UNIX password:
    passwd: Authentication token manipulation error
    passwd: password unchanged
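An added example (not code from the original answer) that models how Linux-PAM walks a `password` stack with the simple control keywords from pam.d(5), so you can see why the posted lines let root through and stop everyone else. The module behaviour is a deliberate simplification (an assumption of this example): pam_rootok.so succeeds only for root, pam_deny.so always fails, and pam_echo.so or pam_unix.so always succeed. The user name "alice" is made up.

```shell
#!/bin/sh
# Added example, not part of the original answer: a small model of PAM's
# control-flag evaluation for a "password" stack.
# Simplified module outcomes (assumption):
#   pam_echo.so   - prints a message, never fails
#   pam_rootok.so - succeeds only when the calling user is root
#   pam_unix.so   - succeeds (on a real system this writes the new hash)
#   pam_deny.so   - always fails

# Constructed stack in the layout of /etc/pam.d/common-password.
posted_stack() {
  cat <<'EOF'
password optional   pam_echo.so   Only root can change passwords...
password sufficient pam_rootok.so
password required   pam_deny.so
EOF
}

# pam_eval USER < STACK: prints "<result> ran=<modules>", where result is
# "success" or "denied", following the simple keywords in pam.d(5):
#   required   - a failure is remembered, later modules still run
#   requisite  - a failure returns immediately
#   sufficient - success with no earlier required failure returns immediately
#   optional   - the result is ignored
pam_eval() {
  awk -v user="$1" '
    function module_ok(mod) {
      if (mod == "pam_rootok.so") return user == "root"
      if (mod == "pam_deny.so")   return 0
      return 1                      # pam_echo.so, pam_unix.so, ...
    }
    $0 !~ /^#/ && $1 == "password" {
      ctl = $2; mod = $3; ok = module_ok(mod)
      ran = ran (ran == "" ? "" : ",") mod
      if (ctl == "required"  && !ok) failed = 1
      if (ctl == "requisite" && !ok) { failed = 1; exit }
      if (ctl == "sufficient" && ok && !failed) exit
    }
    END { print (failed ? "denied" : "success") " ran=" ran }'
}

for u in root alice; do
  printf '%-6s %s\n' "$u" "$(posted_stack | pam_eval "$u")"
done
```

The `ran=` list is the part worth checking: for root the stack returns success at pam_rootok.so and no later line is ever called, because that is what `sufficient` means in pam.d(5). Whatever module performs the actual password update on your system (pam_unix.so in Ubuntu's stock common-password) therefore has to sit where root still reaches it, and the model above lets you test a candidate ordering before editing the real file.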
