Make the root the only one able to change the passwords of all other users

For security purposes, I want only root to be able to change passwords for all the other users. This will be achieved if I set /usr/bin/passwd to 700. Now, if password ageing is enabled or first login is enabled, when a user logs in with a successful or expired password, they are asked to choose a new password, which I want to disable.

OUTPUT:

login as: test
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password change requested. Choose a new password.
Enter current password:

Expected Output:

login as: test
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Your password has expired. Please contact root to change your password.

I want any work around to achieve this.


There is an option for that:

passwd -n MIN <login-name>

will disallow changing the password for MIN days.

From man passwd:

 -n, --mindays MIN_DAYS
       Set the minimum number of days between password changes to MIN_DAYS. A
       value of zero for this field indicates that the user may change his/her
       password at any time.

Set it to 9999 and you are set for 27 years.
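As an added check that is not part of either answer: a small audit that parses /etc/shadow-format lines and reports, per user, whether password ageing currently lets them change their own password, following the field semantics of shadow(5) and pam_unix (a positive min field blocks changes until lastchange + min; an empty or zero min means no minimum). The entries and hashes below are constructed; on a real host the lines come from /etc/shadow, which is readable only by root.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

EPOCH = date(1970, 1, 1)  # shadow(5) day counts start here

@dataclass
class ShadowEntry:
    name: str
    lastchange: Optional[int]  # days since EPOCH; 0 = change at next login; empty = aging off
    mindays: Optional[int]     # the field passwd -n writes; empty or 0 = no minimum
    maxdays: Optional[int]     # empty = the password never expires

def parse_shadow_line(line: str) -> ShadowEntry:
    # layout per shadow(5): name:hash:lastchange:min:max:warn:inactive:expire:reserved
    f = line.rstrip("\n").split(":")
    if len(f) < 5:
        raise ValueError(f"malformed shadow entry: {line!r}")
    num = lambda s: int(s) if s.strip() else None
    return ShadowEntry(f[0], num(f[2]), num(f[3]), num(f[4]))

def classify(e: ShadowEntry, today: date) -> str:
    days = (today - EPOCH).days
    if e.lastchange is None:
        return "aging-disabled"
    if e.lastchange == 0:
        return "must-change-at-login"   # the prompt the question wants to avoid
    expired = e.maxdays is not None and e.maxdays >= 0 and days > e.lastchange + e.maxdays
    # a positive min blocks self-service changes until lastchange + min (pam_unix's "too soon")
    blocked = e.mindays is not None and e.mindays > 0 and days < e.lastchange + e.mindays
    if expired and blocked:
        return "expired-needs-root"     # expired, but only root can change it
    if expired:
        return "expired-can-change"
    if blocked:
        return "self-change-blocked"
    return "self-change-allowed"

def audit(lines: Iterable[str], today: date) -> Dict[str, str]:
    return {e.name: classify(e, today) for e in map(parse_shadow_line, lines)}

# constructed sample entries with placeholder hashes, evaluated as of 2024-01-01 (day 19723)
SAMPLE_SHADOW = [
    "alice:$6$placeholder:19700:0:99999:7:::",     # normal user, can change
    "bob:$6$placeholder:19700:9999:99999:7:::",    # passwd -n 9999 applied
    "carol:$6$placeholder:19600:9999:90:7:::",     # expired and min-blocked
    "dave:$6$placeholder:0:0:99999:7:::",          # passwd -e style forced change
    "eve:$6$placeholder::0:99999:7:::",            # aging disabled
]
SAMPLE_DAY = date(2024, 1, 1)
```

Calling audit(SAMPLE_SHADOW, SAMPLE_DAY) returns the state per user; "expired-needs-root" is exactly the state the question asks for.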


Though not documented, it seems -1 works as a value too. As this is often a method to disable something permanently, I would assume it will do the same here. Example using -1:

~$ sudo passwd -n -1 rinzwind
passwd: password expiry information changed.
~$ passwd rinzwind
Changing password for rinzwind.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
Password unchanged
Enter new UNIX password: 
Retype new UNIX password: 
Password unchanged
Enter new UNIX password: 

Password is asked but never changed.

For security purposes, I want only root to be able to change passwords for all the other users.

You deciding what the passwords are is going to create a security risk. Let us assume you pick a random password with numbers, letters, at least one special character and maybe a capital, like Gsi^771H. Those passwords are very, very, very hard to remember and your users are going to write them down: on paper, in a text file or, even worse, saved in Gmail as a draft.

The best passwords are sentences a user can remember, and those can be very long. A password like "lastyeariwenttolondonformyholiday" is far superior to anything you can enforce, even though it lacks numbers, capital letters or special characters. That user will remember it since it is related to something he did, and it will be very hard to brute force. The only thing he has to do is visit London for his holiday every year from now on ;)

Educate your users and let them pick their own passwords. If you need to make sure their password is good, explain to them that you want to set it together with them. You can, however, create rules on passwords: if you set a rule that the password needs to be 15 characters and tell them that this is the case so they pick a sentence instead of random letters, they will understand and hopefully agree.

Or ...
