[ubuntu-us-mi] delete user password
Matt Reichmann
crash1krr at gmail.com
Wed Aug 24 01:08:48 UTC 2016
Would they even need a password if you had the public key and they have
their private key?
I can't think of any security risks, but I will have to look into it some
more.
Matt Reichmann
crash1krr at gmail.com
On Aug 23, 2016 9:01 PM, "Robert Citek" <robert.citek at gmail.com> wrote:
> On Ubuntu, I would like to force a user to set their own password. So
> on account creation I would do this:
>
> passwd --delete ${username}
> chage -d 0 ${username}
>
> Are there any security risks created by running those commands, in
> particular, deleting the user's password?
>
> As far as I can tell, a user cannot become any user or escalate their
> privileges until they create a password. Here's a sample of commands
> using user zfoo and zbar.
>
> Create and configure zfoo and zbar users:
>
> root@yoda:~# useradd -m zfoo
> root@yoda:~# useradd -m zbar
> root@yoda:~# passwd -d zbar
> passwd: password expiry information changed.
> root@yoda:~# grep z /etc/shadow
> zfoo:!:17036:0:99999:7:::
> zbar::17036:0:99999:7:::
> root@yoda:~# grep %sudo /etc/sudoers
> %sudo ALL=(ALL:ALL) ALL
> root@yoda:~# usermod -aG sudo zbar
> root@yoda:~# id zbar
> uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
>
> Become zfoo and try to become zbar:
>
> root@yoda:~# su - zfoo
> zfoo@yoda:~$ su - zbar
> Password:
> su: Authentication failure
> zfoo@yoda:~$ exit
> logout
>
> Become zbar and try to become zbar:
>
> root@yoda:~# su - zbar
> zbar@yoda:~$ su - zbar
> Password:
> su: Authentication failure
>
> Try to run sudo as zbar:
>
> zbar@yoda:~$ sudo id
> [sudo] password for zbar:
> Sorry, try again.
> [sudo] password for zbar:
> Sorry, try again.
> [sudo] password for zbar:
> Sorry, try again.
> sudo: 3 incorrect password attempts
>
> Change password:
>
> zbar@yoda:~$ passwd
> Enter new UNIX password:
> Retype new UNIX password:
> passwd: password updated successfully
> zbar@yoda:~$ sudo id
> [sudo] password for zbar:
> uid=0(root) gid=0(root) groups=0(root)
>
> This is actually a really nice feature as I do not need to send any
> credentials to the user when I create their accounts. I only need
> their public ssh key. Then it's just a matter of creating the
> account, adding their public ssh key, deleting the password, and
> setting the password to expired. When they ssh in using their keys,
> they are forced to change their password, but they don't have to type
> in an existing password as there is none.
>
> That is, it's a nice feature as long as there are no security risks. Are
> there?
>
> Regards,
> - Robert
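As an added example (not part of either message in this thread): a shell audit that classifies shadow(5)-format entries and lists accounts left with an empty password and no forced change, which is the state zbar is in above after `passwd -d` alone. The function names and the zbaz entry are constructed for illustration; `PermitEmptyPasswords` is the sshd_config option that decides whether sshd accepts an empty password.

```shell
#!/usr/bin/env bash
# Added example: audit shadow(5)-format entries for the states shown in the thread.

# zfoo and zbar are the entries shown in the thread; zbaz is a constructed
# entry for an account after `passwd --delete` followed by `chage -d 0`.
SAMPLE_SHADOW='zfoo:!:17036:0:99999:7:::
zbar::17036:0:99999:7:::
zbaz::0:0:99999:7:::'

# Print "user password-state change-state" for each shadow line on stdin.
classify_shadow() {
  awk -F: 'NF >= 3 {
    if ($2 == "")          pw = "EMPTY"    # no password needed to authenticate
    else if ($2 ~ /^[!*]/) pw = "LOCKED"   # no typed password can match
    else                   pw = "HASHED"
    # A last-change field of 0 means the password must be changed at next login.
    chg = ($3 == "0") ? "MUST_CHANGE" : "NO_FORCED_CHANGE"
    print $1, pw, chg
  }'
}

# Accounts with an empty password that are NOT forced to set one at next login.
lingering_empty() {
  classify_shadow | awk '$2 == "EMPTY" && $3 == "NO_FORCED_CHANGE" { print $1 }'
}

# Exit 0 if the sshd_config text on stdin enables empty-password logins.
# sshd uses the first value it reads for a keyword; Match blocks are not handled.
sshd_allows_empty() {
  awk 'tolower($1) == "permitemptypasswords" { v = tolower($2); exit }
       END { exit (v == "yes") ? 0 : 1 }'
}

# Demo on the constructed sample. On a real host, run as root:
#   lingering_empty < /etc/shadow
#   sshd_allows_empty < /etc/ssh/sshd_config && echo "sshd accepts empty passwords"
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
```

Any name printed by `lingering_empty` is an account whose empty password will persist until someone sets one, so it is worth checking after every provisioning run.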