Make the root the only one able to change the passwords of all other users
For security purpose, I want only the root to change passwords for all the other users. This will be achieved if I set /usr/bin/passwd to 700. Now, if password ageing is enabled or first login is enabled, when a user logs in with successful or expired password, they are requested to chose a new password, which I want to disable.
OUTPUT:
login as: test
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password change requested. Choose a new password.
Enter current password:
Expected Outout:
login as: test
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Your password has expired. Please contact root to change your password.
I want any work around to achieve this.
There is an option for that:
passwd -n MIN <login-name>
will disallow from changing the password for MIN days.
From man passwd
-n, --mindays MIN_DAYS
Set the minimum number of days between password changes to MIN_DAYS. A
value of zero for this field indicates that the user may change his/her
password at any time.
Put it on 9999 and you are set for 27 years.
Though not documented it seems -1
works as a value too. As this is often a method to disable something permanently I would assume it will do the same here. Example using -1
:
~$ sudo passwd -n -1 rinzwind
passwd: password expiry information changed.
~$ passwd rinzwind
Changing password for rinzwind.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
Password unchanged
Enter new UNIX password:
Retype new UNIX password:
Password unchanged
Enter new UNIX password:
Password is asked but never changed.
For security purpose, I want only the root to change passwords for all the other users.
You deciding what the passwords are is going to create a security risk. Let us assume you pick a random password with numbers, letters, at least a special character, maybe a capital. Like Gsi^771H. Those passwords are very very very hard to remember and your users are going to write them down. On a paper, in a text file or even worse and save them in gmail as a concept.
The best passwords are sentences a user can remember and those can be very long. A password like "lastyeariwenttolondonformyholiday" is far superior over anything you can enforce even though it lacks numbers, capital letters or special characters. That user will remember it since it is related to something he did and it will be very hard to brute force. Only thing he has to do is visit London for his holiday every year from now on ;)
Educate your users and let them pick their own password. If you need to make sure their password is good explain to them you want to set it together with them. You can however create rules on password: if you set a rule that the password needs to be 15 characters and tell them that this is the case so they pick a sentences instead of random letters they will understand and hopefully agree.
Or ...