Discussion:
[ubuntu-us-mi] delete user password
Robert Citek
2016-08-24 01:01:23 UTC
Permalink
On Ubuntu, I would like to force a user to set their own password. So
on account creation I would do this:

passwd --delete ${username}
chage -d 0 ${username}

Are there any security risks created by running those commands, in
particular, deleting the user's password?

As far as I can tell, a user cannot become any user or escalate their
privileges until they create a password. Here's a sample of commands
using user zfoo and zbar.

Create and configure zfoo and zbar users:

***@yoda:~# useradd -m zfoo
***@yoda:~# useradd -m zbar
***@yoda:~# passwd -d zbar
passwd: password expiry information changed.
***@yoda:~# grep z /etc/shadow
zfoo:!:17036:0:99999:7:::
zbar::17036:0:99999:7:::
***@yoda:~# grep %sudo /etc/sudoers
%sudo ALL=(ALL:ALL) ALL
***@yoda:~# usermod -aG sudo zbar
***@yoda:~# id zbar
uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)

Become zfoo and try to become zbar:

***@yoda:~# su - zfoo
***@yoda:~$ su - zbar
Password:
su: Authentication failure
***@yoda:~$ exit
logout

Become zbar and try to become zbar:

***@yoda:~# su - zbar
***@yoda:~$ su - zbar
Password:
su: Authentication failure

Try to run sudo as zbar:

***@yoda:~$ sudo id
[sudo] password for zbar:
Sorry, try again.
[sudo] password for zbar:
Sorry, try again.
[sudo] password for zbar:
Sorry, try again.
sudo: 3 incorrect password attempts

Change password:

***@yoda:~$ passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
***@yoda:~$ sudo id
[sudo] password for zbar:
uid=0(root) gid=0(root) groups=0(root)

This is actually a really nice feature as I do not need to send any
credentials to the user when I create their accounts. I only need
their public ssh key. Then it's just a matter of creating the
account, adding their public ssh key, deleting the password, and
setting the password to expired. When they ssh in using their keys,
they are forced to change their password, but they don't have to type
in an existing password as there is none.

That is, it's a nice feature as long as there are no security risks. Are there?

Regards,
- Robert
--
ubuntu-us-mi mailing list
ubuntu-us-***@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
Matt Reichmann
2016-08-24 01:08:48 UTC
Permalink
Would they even need a password if you had the public key and they have
their private key?

I can't think of any security risks, but I will have to look in to it some
more

Matt Reichmann
Post by Robert Citek
On Ubuntu, I would like to force a user to set their own password. So
passwd --delete ${username}
chage -d 0 ${username}
Are there any security risks created by running those commands, in
particular, deleting the user's password?
As far as I can tell, a user cannot become any user or escalate their
privileges until they create a password. Here's a sample of commands
using user zfoo and zbar.
passwd: password expiry information changed.
%sudo ALL=(ALL:ALL) ALL
uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
su: Authentication failure
logout
su: Authentication failure
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
passwd: password updated successfully
uid=0(root) gid=0(root) groups=0(root)
This is actually a really nice feature as I do not need to send any
credentials to the user when I create their accounts. I only need
their public ssh key. Then it's just a matter of creating the
account, adding their public ssh key, deleting the password, and
setting the password to expired. When they ssh in using their keys,
they are forced to change their password, but they don't have to type
in an existing password as there is none.
That is, it's a nice feature as long as there are no security risks. Are there?
Regards,
- Robert
--
ubuntu-us-mi mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/
mailman/listinfo/ubuntu-us-mi
Robert Citek
2016-08-24 01:19:33 UTC
Permalink
The only reason for a password would be to use sudo.

But if sudo is not needed, I can't think of any reason to have
password. I don't use any password-based services (e.g. telnet, ftp).

Regards,
- Robert
Post by Matt Reichmann
Would they even need a password if you had the public key and they have
their private key?
I can't think of any security risks, but I will have to look in to it some
more
Matt Reichmann
Post by Robert Citek
On Ubuntu, I would like to force a user to set their own password. So
passwd --delete ${username}
chage -d 0 ${username}
Are there any security risks created by running those commands, in
particular, deleting the user's password?
As far as I can tell, a user cannot become any user or escalate their
privileges until they create a password. Here's a sample of commands
using user zfoo and zbar.
passwd: password expiry information changed.
%sudo ALL=(ALL:ALL) ALL
uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
su: Authentication failure
logout
su: Authentication failure
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
passwd: password updated successfully
uid=0(root) gid=0(root) groups=0(root)
This is actually a really nice feature as I do not need to send any
credentials to the user when I create their accounts. I only need
their public ssh key. Then it's just a matter of creating the
account, adding their public ssh key, deleting the password, and
setting the password to expired. When they ssh in using their keys,
they are forced to change their password, but they don't have to type
in an existing password as there is none.
That is, it's a nice feature as long as there are no security risks. Are there?
Regards,
- Robert
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
ubuntu-us-***@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
Matt Reichmann
2016-08-24 01:29:30 UTC
Permalink
Didn't even think about sudo access. Normally we grant sudo access based on
LDAP group, not ID. So if you are in the group you don't need a password
for sudo access.

I can't find any issues with your logic, I don't think you will run into
any security issues.

Matt Reichmann
Post by Robert Citek
The only reason for a password would be to use sudo.
But if sudo is not needed, I can't think of any reason to have
password. I don't use any password-based services (e.g. telnet, ftp).
Regards,
- Robert
Post by Matt Reichmann
Would they even need a password if you had the public key and they have
their private key?
I can't think of any security risks, but I will have to look in to it
some
Post by Matt Reichmann
more
Matt Reichmann
Post by Robert Citek
On Ubuntu, I would like to force a user to set their own password. So
passwd --delete ${username}
chage -d 0 ${username}
Are there any security risks created by running those commands, in
particular, deleting the user's password?
As far as I can tell, a user cannot become any user or escalate their
privileges until they create a password. Here's a sample of commands
using user zfoo and zbar.
passwd: password expiry information changed.
%sudo ALL=(ALL:ALL) ALL
uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
su: Authentication failure
logout
su: Authentication failure
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
passwd: password updated successfully
uid=0(root) gid=0(root) groups=0(root)
This is actually a really nice feature as I do not need to send any
credentials to the user when I create their accounts. I only need
their public ssh key. Then it's just a matter of creating the
account, adding their public ssh key, deleting the password, and
setting the password to expired. When they ssh in using their keys,
they are forced to change their password, but they don't have to type
in an existing password as there is none.
That is, it's a nice feature as long as there are no security risks.
Are
Post by Matt Reichmann
Post by Robert Citek
there?
Regards,
- Robert
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/
mailman/listinfo/ubuntu-us-mi
Robert Citek
2016-08-24 01:43:07 UTC
Permalink
Ah, yes. And that could be done with NOPASSWD as well within sudoers.

While I don't think I will run into any security issues, is there
anything documented to support my hunch? Unfortunately, the man page
is not helpful:

$ man 5 shadow | grep -A2 "may be empty"
This field may be empty, in which case no passwords are
required to authenticate as the specified login
name. However, some applications which read the /etc/shadow
file may decide not to permit any access at all
if the password field is empty.

That first sentence is troublesome.

Regards,
- Robert
Post by Matt Reichmann
Didn't even think about sudo access. Normally we grant sudo access based on
LDAP group, not ID. So if you are in the group you don't need a password for
sudo access.
I can't find any issues with your logic, I don't think you will run into any
security issues.
Matt Reichmann
Post by Robert Citek
The only reason for a password would be to use sudo.
But if sudo is not needed, I can't think of any reason to have
password. I don't use any password-based services (e.g. telnet, ftp).
Regards,
- Robert
Post by Matt Reichmann
Would they even need a password if you had the public key and they have
their private key?
I can't think of any security risks, but I will have to look in to it some
more
Matt Reichmann
Post by Robert Citek
On Ubuntu, I would like to force a user to set their own password. So
passwd --delete ${username}
chage -d 0 ${username}
Are there any security risks created by running those commands, in
particular, deleting the user's password?
As far as I can tell, a user cannot become any user or escalate their
privileges until they create a password. Here's a sample of commands
using user zfoo and zbar.
passwd: password expiry information changed.
%sudo ALL=(ALL:ALL) ALL
uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo)
su: Authentication failure
logout
su: Authentication failure
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
passwd: password updated successfully
uid=0(root) gid=0(root) groups=0(root)
This is actually a really nice feature as I do not need to send any
credentials to the user when I create their accounts. I only need
their public ssh key. Then it's just a matter of creating the
account, adding their public ssh key, deleting the password, and
setting the password to expired. When they ssh in using their keys,
they are forced to change their password, but they don't have to type
in an existing password as there is none.
That is, it's a nice feature as long as there are no security risks.
Are
there?
Regards,
- Robert
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
--
ubuntu-us-mi mailing list
ubuntu-us-***@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
Loading...