[Pkg-shadow-devel] Bug#396726: chpasswd does not update opasswd

Brian Ristuccia brian at ristuccia.com
Mon Nov 6 18:09:59 CET 2006


On Mon, Nov 06, 2006 at 05:07:31PM +0100, Nicolas François wrote:
> 
> I recommend that you set users' passwords by root to a simple password that
> can be communicated to the user, but also tag the password as expired, so
> that the user has to choose a new password the next time he logs in (and
> then the new password will be entered into /etc/security/opasswd; also the
> administrator does not have to know the users' passwords).
> 

In that case, only the temporary password is written into opasswd. The
user's previous password (before it was changed by root to the temporary
one) is not stored in opasswd and nothing prevents the user from changing
their password back to that value.

Imagine a scenario where an administrator finds out that one or more account
passwords may have been disclosed to unauthorized persons. Not knowing
exactly which accounts have been compromised, the administrator takes
various preventive steps, including assigning everyone a new temporary random
password and marking it expired. Simply marking the compromised password
expired is not enough: an unauthorized user could complete the password
change procedure and take control of the account. The temporary passwords
are hand delivered to the affected users. Unless the password hash from
before the temporary password assignment is copied into opasswd, users who
decide to violate the password policy can simply change their password back
to the previous (compromised) value.

-- 
Brian Ristuccia
brian at ristuccia.com
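The workaround the message describes, recording the pre-reset hash in the pam_unix history file before root assigns the temporary password, as an added example that is not part of the original thread or of the shadow package. It assumes the pam_unix opasswd line format `user:uid:count:hash1,hash2,...` (newest last, trimmed to the `remember=` count) and works on strings so it runs offline; reading and writing the real files is left to the caller.

```python
"""Record a user's current password hash in the pam_unix history file
(/etc/security/opasswd) so that pam_unix's remember= check rejects the
old value after root resets the password with chpasswd/passwd.

Assumed opasswd format: user:uid:count:hash1,hash2,...  (newest last).
"""


def shadow_hash(shadow_text, user):
    """Return the hash field for `user` from /etc/shadow-style text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def record_old_hash(opasswd_text, user, uid, old_hash, remember=5):
    """Return opasswd_text with `old_hash` appended to `user`'s history.

    Keeps only the most recent `remember` hashes (the value given to
    pam_unix's remember= option). Locked or passwordless entries ('!', '*')
    carry no real hash and are left out of the history.
    """
    if not old_hash or old_hash[0] in "!*":
        return opasswd_text
    out, found = [], False
    for line in opasswd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == user:
            hashes = [h for h in fields[3].split(",") if h]
            if old_hash not in hashes:          # don't duplicate an entry
                hashes.append(old_hash)
            hashes = hashes[-remember:]         # drop the oldest beyond remember=
            line = "%s:%d:%d:%s" % (user, uid, len(hashes), ",".join(hashes))
            found = True
        out.append(line)
    if not found:                               # first history entry for this user
        out.append("%s:%d:1:%s" % (user, uid, old_hash))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample data, not real hashes.
    shadow = "alice:$6$s1$oldhash:17000:0:99999:7:::\n"
    opasswd = "bob:1001:2:$6$a$h1,$6$b$h2\n"
    print(record_old_hash(opasswd, "alice", 1000, shadow_hash(shadow, "alice")))
```

Run the update before invoking chpasswd, since once the temporary password is in /etc/shadow the previous hash is gone.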