[ubuntu-us-mi] delete user password

Robert Citek robert.citek at gmail.com
Wed Aug 24 01:43:07 UTC 2016


Ah, yes.  And that could be done with NOPASSWD as well within sudoers.

While I don't think I will run into any security issues, is there
anything documented to support my hunch?  Unfortunately, the man page
is not helpful:

$ man 5 shadow | grep -A2 "may be empty"
           This field may be empty, in which case no passwords are required to authenticate as the specified login
           name. However, some applications which read the /etc/shadow file may decide not to permit any access at all
           if the password field is empty.

That first sentence is troublesome.

Regards,
- Robert

On Tue, Aug 23, 2016 at 6:29 PM, Matt Reichmann <crash1krr at gmail.com> wrote:
> Didn't even think about sudo access. Normally we grant sudo access based on
> LDAP group, not ID. So if you are in the group you don't need a password for
> sudo access.
>
> I can't find any issues with your logic, I don't think you will run into any
> security issues.
>
> Matt Reichmann
> crash1krr at gmail.com
>
>
> On Aug 23, 2016 9:19 PM, "Robert Citek" <robert.citek at gmail.com> wrote:
>>
>> The only reason for a password would be to use sudo.
>>
>> But if sudo is not needed, I can't think of any reason to have a
>> password. I don't use any password-based services (e.g. telnet, ftp).
>>
>> Regards,
>> - Robert
>>
>> On Tue, Aug 23, 2016 at 6:08 PM, Matt Reichmann <crash1krr at gmail.com> wrote:
>> > Would they even need a password if you had the public key and they have
>> > their private key?
>> >
>> > I can't think of any security risks, but I will have to look into it
>> > some more
>> >
>> > Matt Reichmann
>> > crash1krr at gmail.com
>> >
>> >
>> > On Aug 23, 2016 9:01 PM, "Robert Citek" <robert.citek at gmail.com> wrote:
>> >>
>> >> On Ubuntu, I would like to force a user to set their own password.  So
>> >> on account creation I would do this:
>> >>
>> >> passwd --delete ${username}
>> >> chage -d 0 ${username}
>> >>
>> >> Are there any security risks created by running those commands, in
>> >> particular, deleting the user's password?
>> >>
>> >> As far as I can tell, a user cannot become any user or escalate their
>> >> privileges until they create a password.  Here's a sample of commands
>> >> using user zfoo and zbar.
>> >>
>> >> Create and configure zfoo and zbar users:
>> >>
>> >> root at yoda:~# useradd -m zfoo
>> >> root at yoda:~# useradd -m zbar
>> >> root at yoda:~# passwd -d zbar
>> >> passwd: password expiry information changed.
>> >> root at yoda:~# grep z /etc/shadow
>> >> zfoo:!:17036:0:99999:7:::
>> >> zbar::17036:0:99999:7:::
>> >> root at yoda:~# grep %sudo /etc/sudoers
>> >> %sudo    ALL=(ALL:ALL) ALL
>> >> root at yoda:~# usermod -aG sudo zbar
>> >> root at yoda:~# id zbar
>> >> uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
>> >>
>> >> Become zfoo and try to become zbar:
>> >>
>> >> root at yoda:~# su - zfoo
>> >> zfoo at yoda:~$ su - zbar
>> >> Password:
>> >> su: Authentication failure
>> >> zfoo at yoda:~$ exit
>> >> logout
>> >>
>> >> Become zbar and try to become zbar:
>> >>
>> >> root at yoda:~# su - zbar
>> >> zbar at yoda:~$ su - zbar
>> >> Password:
>> >> su: Authentication failure
>> >>
>> >> Try to run sudo as zbar:
>> >>
>> >> zbar at yoda:~$ sudo id
>> >> [sudo] password for zbar:
>> >> Sorry, try again.
>> >> [sudo] password for zbar:
>> >> Sorry, try again.
>> >> [sudo] password for zbar:
>> >> Sorry, try again.
>> >> sudo: 3 incorrect password attempts
>> >>
>> >> Change password:
>> >>
>> >> zbar at yoda:~$ passwd
>> >> Enter new UNIX password:
>> >> Retype new UNIX password:
>> >> passwd: password updated successfully
>> >> zbar at yoda:~$ sudo id
>> >> [sudo] password for zbar:
>> >> uid=0(root) gid=0(root) groups=0(root)
>> >>
>> >> This is actually a really nice feature as I do not need to send any
>> >> credentials to the user when I create their accounts.  I only need
>> >> their public ssh key.  Then it's just a matter of creating the
>> >> account, adding their public ssh key, deleting the password, and
>> >> setting the password to expired. When they ssh in using their keys,
>> >> they are forced to change their password, but they don't have to type
>> >> in an existing password as there is none.
>> >>
>> >> That is, it's a nice feature as long as there are no security risks.
>> >> Are there?
>> >>
>> >> Regards,
>> >> - Robert
>> >>
>> >> --
>> >> ubuntu-us-mi mailing list
>> >> ubuntu-us-mi at lists.ubuntu.com
>> >> Modify settings or unsubscribe at:
>> >> https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
>
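An audit helper for the provisioning pattern discussed in this thread (delete the password, expire it, rely on the ssh key), added here as an example and not code from the list, from Ubuntu or from shadow-utils: it classifies shadow(5) entries by the empty field 2 and the 0 in field 3, and reads sshd's PermitEmptyPasswords, the setting that decides whether sshd itself would honour an empty password field over the network. The provisioning function, file paths and the sample shadow lines in the comments are constructed assumptions; the only line taken from the thread is zfoo's.

```shell
#!/bin/sh
# Constructed audit for the thread's "key-only account, empty password, forced change" pattern; not from the list or Ubuntu.

# The provisioning steps from the thread, with the key install spelled out.
# Needs root; the audit functions below never call it.
provision_keyonly_user() {   # usage: provision_keyonly_user NAME PUBKEY_FILE
    useradd -m "$1"
    install -d -m 700 -o "$1" -g "$1" "/home/$1/.ssh"
    install -m 600 -o "$1" -g "$1" "$2" "/home/$1/.ssh/authorized_keys"
    passwd --delete "$1"   # /etc/shadow field 2 becomes empty
    chage -d 0 "$1"        # field 3 (last change) becomes 0: change at next login
}

# Classify one shadow(5) line by fields 2 and 3:
# locked | nopassword | password, with "-mustchange" appended when field 3 is 0.
shadow_state() {
    local rest hash lastchg state
    rest=${1#*:};    hash=${rest%%:*}
    rest=${rest#*:}; lastchg=${rest%%:*}
    case $hash in
        '')        state=nopassword ;;   # e.g. zbar::17036:0:99999:7::: after passwd -d
        '!'*|'*'*) state=locked ;;       # e.g. zfoo:!:17036:0:99999:7::: straight from useradd
        *)         state=password ;;
    esac
    [ "$lastchg" = 0 ] && state="$state-mustchange"
    printf '%s\n' "$state"
}

# Effective PermitEmptyPasswords in an sshd_config (keyword is case-insensitive,
# first occurrence wins, default is "no"). Match blocks are not evaluated here.
sshd_permit_empty() {   # usage: sshd_permit_empty SSHD_CONFIG
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Report every account whose password field is empty, next to the sshd setting
# that decides whether sshd would accept that empty password over the network.
audit_shadow() {   # usage: audit_shadow SHADOW_FILE SSHD_CONFIG
    local permit line
    permit=$(sshd_permit_empty "$2")
    while IFS= read -r line; do
        case $(shadow_state "$line") in
            nopassword*) printf '%s: empty password field (PermitEmptyPasswords=%s)\n' \
                             "${line%%:*}" "$permit" ;;
        esac
    done < "$1"
}
# Stand-alone use: audit /etc/shadow /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then audit_shadow "$1" "$2"; fi
```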