[ubuntu-us-mi] delete user password
Matt Reichmann
crash1krr at gmail.com
Wed Aug 24 01:29:30 UTC 2016
Didn't even think about sudo access. Normally we grant sudo access based on
LDAP group, not ID. So if you are in the group you don't need a password
for sudo access.
I can't find any issues with your logic, I don't think you will run into
any security issues.
Matt Reichmann
crash1krr at gmail.com
On Aug 23, 2016 9:19 PM, "Robert Citek" <robert.citek at gmail.com> wrote:
> The only reason for a password would be to use sudo.
>
> But if sudo is not needed, I can't think of any reason to have a
> password. I don't use any password-based services (e.g. telnet, ftp).
>
> Regards,
> - Robert
>
> On Tue, Aug 23, 2016 at 6:08 PM, Matt Reichmann <crash1krr at gmail.com>
> wrote:
> > Would they even need a password if you had the public key and they have
> > their private key?
> >
> > I can't think of any security risks, but I will have to look into it
> > some more
> >
> > Matt Reichmann
> > crash1krr at gmail.com
> >
> >
> > On Aug 23, 2016 9:01 PM, "Robert Citek" <robert.citek at gmail.com> wrote:
> >>
> >> On Ubuntu, I would like to force a user to set their own password. So
> >> on account creation I would do this:
> >>
> >> passwd --delete ${username}
> >> chage -d 0 ${username}
> >>
> >> Are there any security risks created by running those commands, in
> >> particular, deleting the user's password?
> >>
> >> As far as I can tell, a user cannot become any user or escalate their
> >> privileges until they create a password. Here's a sample of commands
> >> using user zfoo and zbar.
> >>
> >> Create and configure zfoo and zbar users:
> >>
> >> root at yoda:~# useradd -m zfoo
> >> root at yoda:~# useradd -m zbar
> >> root at yoda:~# passwd -d zbar
> >> passwd: password expiry information changed.
> >> root at yoda:~# grep z /etc/shadow
> >> zfoo:!:17036:0:99999:7:::
> >> zbar::17036:0:99999:7:::
> >> root at yoda:~# grep %sudo /etc/sudoers
> >> %sudo ALL=(ALL:ALL) ALL
> >> root at yoda:~# usermod -aG sudo zbar
> >> root at yoda:~# id zbar
> >> uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
> >>
> >> Become zfoo and try to become zbar:
> >>
> >> root at yoda:~# su - zfoo
> >> zfoo at yoda:~$ su - zbar
> >> Password:
> >> su: Authentication failure
> >> zfoo at yoda:~$ exit
> >> logout
> >>
> >> Become zbar and try to become zbar:
> >>
> >> root at yoda:~# su - zbar
> >> zbar at yoda:~$ su - zbar
> >> Password:
> >> su: Authentication failure
> >>
> >> Try to run sudo as zbar:
> >>
> >> zbar at yoda:~$ sudo id
> >> [sudo] password for zbar:
> >> Sorry, try again.
> >> [sudo] password for zbar:
> >> Sorry, try again.
> >> [sudo] password for zbar:
> >> Sorry, try again.
> >> sudo: 3 incorrect password attempts
> >>
> >> Change password:
> >>
> >> zbar at yoda:~$ passwd
> >> Enter new UNIX password:
> >> Retype new UNIX password:
> >> passwd: password updated successfully
> >> zbar at yoda:~$ sudo id
> >> [sudo] password for zbar:
> >> uid=0(root) gid=0(root) groups=0(root)
> >>
> >> This is actually a really nice feature as I do not need to send any
> >> credentials to the user when I create their accounts. I only need
> >> their public ssh key. Then it's just a matter of creating the
> >> account, adding their public ssh key, deleting the password, and
> >> setting the password to expired. When they ssh in using their keys,
> >> they are forced to change their password, but they don't have to type
> >> in an existing password as there is none.
> >>
> >> That is, it's a nice feature as long as there are no security risks.
> >> Are there?
> >>
> >> Regards,
> >> - Robert
> >>
> >> --
> >> ubuntu-us-mi mailing list
> >> ubuntu-us-mi at lists.ubuntu.com
> >> Modify settings or unsubscribe at:
> >> https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
> >
> >
>
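As an added example (not from the thread or from Ubuntu's own tooling), the script below wraps the recipe Robert describes in a function and pairs it with an audit of the three places where a deleted, empty password would still be accepted: the `/etc/shadow` field itself, sshd's `PermitEmptyPasswords`, and a bare `nullok` on `pam_unix` in `/etc/pam.d/common-auth`. The function names, the file paths taken as parameters, and the sample configuration lines used in the usage comments are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. provision_key_only_user applies the
# post's recipe; audit_empty_password_exposure checks a host for the settings
# under which a deleted (empty) password would still let someone in.
# Function names, default paths and the sample inputs are assumptions.

# Create the account, install the user's ssh public key, delete the password
# and expire it so the first login forces a new one. Needs root.
provision_key_only_user() {
    username=$1
    pubkey=$2            # one authorized_keys line, e.g. "ssh-ed25519 AAAA... user@host"
    home=/home/$username # assumes the default useradd home layout

    useradd -m "$username"
    install -d -m 700 -o "$username" -g "$username" "$home/.ssh"
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
    chown "$username:$username" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"

    passwd --delete "$username"   # second /etc/shadow field becomes empty
    chage -d 0 "$username"        # password expired: passwd is forced at login
}

# The deleted password is only harmless while nothing accepts an empty one.
# Takes the files to inspect (defaults are the Ubuntu locations), prints one
# line per finding and returns 0 when nothing was found, 1 otherwise.
audit_empty_password_exposure() {
    shadow=${1:-/etc/shadow}
    sshd_config=${2:-/etc/ssh/sshd_config}
    pam_auth=${3:-/etc/pam.d/common-auth}
    findings=0

    # 1. Accounts whose shadow password field is empty. "!" and "*" are
    #    locked, not empty, so useradd's default of "!" is not reported.
    empties=$(awk -F: '$2 == "" { printf "%s%s", sep, $1; sep = " " }' "$shadow")
    if [ -n "$empties" ]; then
        echo "shadow: empty password field for: $empties"
        findings=$((findings + 1))
    fi

    # 2. sshd: PermitEmptyPasswords defaults to "no". Any uncommented "yes"
    #    (global or inside a Match block) means password authentication over
    #    ssh succeeds for those accounts without typing anything.
    if awk 'tolower($1) == "permitemptypasswords" && tolower($2) == "yes" { found = 1 }
            END { exit !found }' "$sshd_config"; then
        echo "sshd_config: PermitEmptyPasswords yes"
        findings=$((findings + 1))
    fi

    # 3. PAM: a bare "nullok" on pam_unix lets every service that includes
    #    common-auth (login, su, sudo, ssh password auth) accept an empty
    #    password. Ubuntu ships nullok_secure instead, which only allows it on
    #    ttys listed in /etc/securetty, so an empty password can still be used
    #    at a console getty even when su, sudo and ssh reject it; with the
    #    password expired, whoever logs in there gets to set the new one.
    if grep -Eq '^[^#]*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$pam_auth"; then
        echo "$pam_auth: pam_unix nullok (empty passwords accepted everywhere)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage (as root):
#   provision_key_only_user zbar "$(cat zbar.pub)"
#   audit_empty_password_exposure
# On a host set up as in the post, the audit reports only the empty field for
# the freshly created user; a line about sshd_config or common-auth means the
# "no password" window is reachable without the ssh key.
```

The audit reads the files rather than probing services, so it can be run against copies pulled from a fleet or from a container image before anyone creates accounts this way; the `findings` counter is kept so a wrapper can fail a build on any non-zero return.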