Gentoo Forums
Allow SCP/SFTP user to change password
Gentoo Forums Forum Index :: Networking & Security
fourhead
l33t


Joined: 03 Sep 2003
Posts: 875
Location: Cologne, Germany

Posted: Fri Apr 22, 2005 9:45 pm    Post subject: Allow SCP/SFTP user to change password

My situation: I finally have an SFTP server running for several users. Each user has its own chrooted home directory, and all users have 'scponly' as shell so they can't log in via SSH, but they can do SFTP/SCP. What I want is that each user can change his own password as he likes. Since they can't execute commands on the server, I came up with the following idea:

I create a file 'password' in each user's chroot that is editable by the user. The user could write his new password (perhaps twice) into this file and save it. I'd then need a little script that checks this file either when the user logs out or every few minutes (via cron) and uses the passwd command to set the new password for the user in the regular /etc/shadow file on the server.

I'm wondering, is this a 'good' solution (I'm afraid it's not :? ), is it safe (the passwd is stored in cleartext in this file), and how could I do this better?


Tom
nahpets
Veteran


Joined: 05 Oct 2003
Posts: 1178
Location: Montreal, Canada

Posted: Fri Apr 22, 2005 10:04 pm

Just an idea here...

What about setting up a common SSH account called "scppw" or something that starts a script which will execute passwd for the user's account?

I'm not sure how to set it up, but I know you can make a login script to do that because I've seen it done.
fourhead
l33t


Joined: 03 Sep 2003
Posts: 875
Location: Cologne, Germany

Posted: Fri Apr 22, 2005 11:23 pm

Um, I don't exactly know what you mean. Do you mean I should use one account for all my sftp users? Or an extra account that allows them to change their password somehow? Could you explain a little more please?


Tom
nahpets
Veteran


Joined: 05 Oct 2003
Posts: 1178
Location: Montreal, Canada

Posted: Sat Apr 23, 2005 3:18 am

I just tried it and got it working like so:

Step 1
- Created a user called "sshpw" with a password "sshpw".
- Set the shell for user "sshpw" as "/bin/bash".

Step 2
- Append the following 2 lines to the end of "/home/sshpw/.bashrc"
Code:

./sshpw.sh
exit


Step 3
- Wrote the "sshpw.sh" script that changes a user's password via "sudo".
Code:

#!/bin/bash

echo
echo -n "Enter your login name and press [ENTER]: "
# -r keeps backslashes literal; the name is quoted below so it is passed
# to sudo as a single argument even if it contains spaces
read -r NAME
echo
# sudo runs passwd as the named account; passwd then asks for that
# account's current password before accepting a new one
sudo -u "${NAME}" passwd


Step 4
- Created a user called "sftpuser" with "/bin/false" as the shell.
- Started SSH on my machine.
- Tried logging in with ssh:
Code:

$ ssh -l sshpw localhost
Password:
Last login: Fri Apr 22 22:59:12 2005 from localhost
Enter your login name and press [ENTER]: sftpuser

Password:
Changing password for sftpuser
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Connection to localhost closed.


Notes
- You need to look at the "sudo" docs to set things up properly.
- The first time a user executes sudo, he gets prompted for his password, hence the 2 password prompts in the above output.
- You can make things more secure by adding restrictions to the "sshpw" account.
- I think there's a way to skip bash entirely and execute the script directly. Try searching the forums.
- Of course, you probably should make the bash script more robust and informative so that the user knows what's going on.

EDIT
Another way is to change the login shell for each user to "/bin/passwd". You'll need to add "/bin/passwd" to "/etc/shells" for this to work. I only got this half-working because I can use it via "su sftpuser", but not through ssh. There may be some ssh configuration options there.
fourhead
l33t


Joined: 03 Sep 2003
Posts: 875
Location: Cologne, Germany

Posted: Sat Apr 23, 2005 10:31 am

Hi,

thanks for your how-to, I'll definitely try this. Couldn't I just use the sshpw.sh (your custom script) as the user's shell? All SFTP users have 'scponlyc' as shell, which is a restricted shell only for use with SCP/SFTP and which chroots the user. But this other password-changing user could have sshpw.sh as shell probably...


Thanks a lot!

Tom
fourhead
l33t


Joined: 03 Sep 2003
Posts: 875
Location: Cologne, Germany

Posted: Sat Apr 23, 2005 10:56 am

Wow, thank you so much! It works like a charm! I've set this little pw-change script as the shell and this indeed works perfectly. I was thinking that I could basically use this for any type of user; I now have a script called 'change-ssh-pw.sh' but I could also create a script 'change-mail-pw.sh' so that my pop/imap users would be able to easily change their password on their own.

One question though: I had sudo setup for root only, so I also had to set it up for this pw-change user. I have this line in /etc/sudoers:

changepw ALL=(ALL) ALL

How would I have to modify this line so that this user can only execute passwd? Um, I just found out I don't need the password-change user in sudoers, I need all users that might change their password with this script in sudoers. They are all in the group 'users', so how would I have to set up /etc/sudoers so that all users of a certain group can execute passwd?


Tom
nahpets
Veteran


Joined: 05 Oct 2003
Posts: 1178
Location: Montreal, Canada

Posted: Sun Apr 24, 2005 6:04 am

Glad I can help.

Quote:

Couldn't I just use the sshpw.sh (your custom script) as the user's shell? All SFTP users have 'scponlyc' as shell, which is a restricted shell only for use with SCP/SFTP and which chroots the user. But this other password-changing user could have sshpw.sh as shell probably...


You can set the shell to "/bin/passwd" instead... Like I said though, I got it to work when doing "su sshpw" but not when I tried logging in with "ssh". I was getting PAM related messages in my logfiles. You can do some digging...

If you want to stick with SUDO, I'd make a group called "ssh" or something and set it up in "/etc/sudoers" so that only "passwd" can be executed by that group. Then add everybody who uses ssh to that group.

Also, to add some security, you can set the shell for "sshpw" to be restricted, i.e. /bin/rbash instead of /bin/bash.

EDIT
I was able to get it to work for a user through ssh (don't know why it suddenly started working). Here's what I did:
1. create user "sftpuser"
2. Set "/bin/passwd" as the shell for "sftpuser"
3. add "/bin/passwd" to "/etc/shells"
4. start sshd "/etc/init.d/sshd start"
5. ssh -l sftpuser localhost
Code:

$ ssh -l sftpuser localhost
Password:
Last login: Sun Apr 24 02:14:32 2005 from localhost
Changing password for sftpuser
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Connection to localhost closed.


As you can see, you have quite a few options here. You can set anything you want to be your login shell. I read somewhere that a guy set up a simple ncurses program to be his shell.
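As an added example that is not part of the thread, here is a hardened version of the sudo-based route (nahpets's sshpw.sh above, plus the sudoers question that followed): it validates the typed login name, refuses root and anyone outside an allowed group, and is written against a sudoers rule that limits the shared account to running passwd and nothing else. The sudoers line, the group name "users" and the path to passwd are assumptions, not settings from the thread.

```shell
#!/bin/sh
# Hypothetical login shell for the shared "sshpw" account (added example, not
# the thread's script). Assumed /etc/sudoers rule for it:
#   sshpw ALL=(%users) NOPASSWD: /usr/bin/passwd ""
# sudo matches the INVOKING account (sshpw) against sudoers; the account whose
# password changes goes in the runas field. "" = passwd may only run with no
# arguments. NOPASSWD because sshpw's shared password proves nothing; passwd
# itself still asks for the target account's current password.

PW_GROUP="${PW_GROUP:-users}"   # group whose members may change their password
PASSWD_BIN=/usr/bin/passwd       # assumed path; adjust to your system

# Accept only a plain lowercase login name: it becomes an argument to sudo,
# so whitespace, option-style dashes and shell metacharacters are refused.
valid_name() {
    case "$1" in
        '' | *[!a-z0-9_-]*) return 1 ;;   # empty, or a char outside [a-z0-9_-]
        [0-9-]*) return 1 ;;              # must not start with a digit or dash
    esac
    [ "${#1}" -le 32 ]
}

# The target must exist, must not be uid 0 (with a broad "ALL" rule, passwd run
# as root asks for no current password) and must belong to PW_GROUP.
target_allowed() {
    valid_name "$1" || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ] || return 1
    case " $(id -Gn "$1") " in
        *" $PW_GROUP "*) return 0 ;;
    esac
    return 1
}

main() {
    printf 'Enter your login name and press [ENTER]: '
    IFS= read -r name || exit 1
    if ! target_allowed "$name"; then
        echo "Password changes are not permitted for that account." >&2
        exit 1
    fi
    exec sudo -u "$name" "$PASSWD_BIN"
}

# sshd (and "su -") start a login shell with a leading "-" in $0; only then run
# main, so loading this file any other way just defines the checks above.
case "$0" in
    -*) main ;;
esac
```

Install it as the login shell of the shared account (and list it in /etc/shells), as the thread does with sshpw.sh; the sftp accounts themselves need no sudoers entry.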
All times are GMT