Avoid changing password

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
some users on my Linux systems must not change their password.
The system is a RedHat EL3 with pam 0.75.
My idea is /etc/nopasswd as list of such users.
I try this, the first line in pam.d/passwd:
auth       requisite    pam_listfile.so onerr=fail item=user sense=deny
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

This is /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

But a user in /etc/nopasswd is still able to call passwd and change
it's own password.

If the list of these users can be expanded to everyone but root, should
be simpler to remove exec bit for everyone from /usr/bin/passwd
(-r-s--x--x)? Or, more, changing its group to a one of allowed users?



Re: Avoid changing password

Quoted text here. Click to load it

Weird. Usually people want users to change their passwords. Is this because
you want to share their passwords around? Bad idea.  Maybe if you told us
what you want to accomplish by this strange idea we could give better ways
of accomplishing it.

If the below is an accurate reflection of what is in the pam files, it is a
mess-- totally inappropriate line breaks. If it is a posting error, plse
make sure what you post is an accurate reflection of what is in those
files, or help will be very hard to get.
And what is "requisite" supposed to mean? Did you mean "required"

Also you said that that list was required for authentication. Not for

Quoted text here. Click to load it

Re: Avoid changing password

Unruh writes:

Quoted text here. Click to load it

Yes I know. It's bad, weird, scrap ... but it's not my choice.

"... It wasn't my fault ..." (The Blues Brothers).

The systems are offline and the password shared between users, the same
account is used by more people, and for this reason I need to deny
password changes. Sorry.
Please, don't speculate about the reasons for this.

Quoted text here. Click to load it

Yes it was a posting error. I cut and paste but didn't pay too much
attention later.
The first line is the only I add to the Red Hat EL3 defaults.
I don't know anything about PAM, it's my first attempt after starting
reading about since today.

I'll provide a new post with correct line breaks next time I access one
of those systems.

Quoted text here. Click to load it

As I understood, "required" wants all modules get processed and all of
them returning ok.
"requisite" is the same, but if a module fails, the succeeding are not
Is this right? It should be like having or not logical shortcuts in C
expression like a & b & c & ... .

Quoted text here. Click to load it

Well.. as I understood, in /usr/bin/passwd, auth plays the role to ask
the first password. For this, I thought to block the auth step at
first, without going on asking new password.

But a non-PAM solution, if exists, would be appreciated too ...

Thanks again.

Re: Avoid changing password

Quoted text here. Click to load it

I am not speculating I am trying to see if suggestions can be made to
imporve the situation.

a) many users can share a uid. Each can have their own password. This would
make them all equivalent as far as the system is concerned but they could
have their own passwords which they may be able to better memorize. The
main problem is that of course that account is then only as strong as the
weakest password. But with people sharing the password that is not a
problem, since the insecurity elsewhere is far greater.

b) have people log on as themselves using their own account and password.
Then they ssh into the common account using rsa/dsa public key access.

Quoted text here. Click to load it

I have never seen the requisite command. And have not seen it looking
through the pam documentation.

Quoted text here. Click to load it

You could always just remove passwd ( or make it useable only by root) or
make it runable only by a group which does not include the accounts in


passwdallow:*: able,baker,eddy,gamma
and chgrp passwdallow /bin/passwd
chmod o-rwx /bin/passwd

Re: Avoid changing password

Quoted text here. Click to load it

From the pam.conf man page:

: For  the simple (historical) syntax valid control values are: requisite
: - failure of such a PAM results in the  immediate  termination  of  the
: authentication  process;  required  -  failure of such a PAM will ulti-
: mately lead to the PAM-API returning failure but only after the remain-
: ing stacked modules (for this service and type) have been invoked; suf-
: ficient - success of such a module is enough to satisfy the authentica-
: tion  requirements  of the stack of modules (if a prior required module
: has failed the success of this one is ignored); optional - the  success
: or failure of this module is only important if it is the only module in
: the stack associated with this service+type.

Rod Smith, rodsmith@rodsbooks.com
Author of books on Linux, FreeBSD, and networking

Re: Avoid changing password

rodsmith@nessus.rodsbooks.com (Rod Smith) writes:

Thanks. Learn something new every day.

Quoted text here. Click to load it

Re: Avoid changing password

:some users on my Linux systems must not change their password.
:The system is a RedHat EL3 with pam 0.75.

From `man passwd`:

    -n     This  will  set  the  minimum  password  lifetime, in days,
           if the user's account supports password lifetimes.
           Available to root only.

Setting the minimum interval for password changes to a very large number
should accomplish what you want.

Bob Nichols         AT comcast.net I am "RNichols42"

Re: Avoid changing password

int wrote:
Quoted text here. Click to load it

# chage -m 99999 -M 99999 -d 2038-01-17 login
Theoretically that should defer the problem beyond the year 2311,
but other interesting things may happen before that (like in 2038 ...
but hopefully those issues will all have been dealt with by then).

Re: Avoid changing password. Thanks

I answer here to the posts from Unruh, Robert Nichols and Michael


Unruh writes:
Quoted text here. Click to load it

Thanks for the suggestions. But the systems are no longer in dev phase,
so this kind of changes are forbidden. Password policy is so weak
because these system users are not personal accounts, only a sort
of "operative" users.
Regarding ssh, I'm using ssh with public key auth on these users,
and it save me a lot of time for maintenance.

Quoted text here. Click to load it

Yes, this was one of my idea at being, that was in my first post.

But I choose for Robert and Michael suggestions. Thank you.

Michael Paoli writes:
Quoted text here. Click to load it

The more interesting thing is that these systems should work for less
than 20 years from now on. The 2038 problem sholud not affect.
But if there is a way to delay a problem for so long, would make easier
a contract renewal for the next 305 years. I'll talk to my boss ... :-)


Site Timeline