How to set Solaris box to prompt for current password before changing pwd

At the normal shell prompt (root) I would like to set the Solaris server to prompt for the current password before asking for the new password, if I need to change it, even though I am already logged in as root.
By AH at 2007-11-26 7:46:01
# 1

One of the beauties of the root account is that it can do pretty much anything without being prompted for extra authentication. That's why you should protect it with extreme paranoia!

If you have user admin tasks such as password resets that you need to allocate to semi-privileged staff (such as level 1 helpdesk) you may want to look at using Role Based Access Control. From version 8 (I think) Solaris has shipped with RBAC profiles built in. There's one for password resets called "User Security".

So if you had a level helpdesk operator called "philton" who was allowed to reset passwords but you didn't really want her to do much else you would assign her the "User Security" profile ...

usermod -P "User Security" philton

Then if "philton" gets a call to reset "nrichie"'s password she just types:

pfexec /usr/bin/passwd nrichie

and she'll be prompted with:

New Password:

I hope this helps, let me know if you want me to help with how to audit this type of operation as well. There are plenty of goodies built in ;-)

discostu at 2007-7-6 19:58:35
# 2
Unless you have a very small number of users, and know all their passwords, you really don't want to do this. But, why would you want to know everyone's password? You already have root, and don't need them.
timevans at 2007-7-6 19:58:35
# 3

Let me make sure I understand the question first...

You are logged in as root.

You are changing the passwd for user doej

You type:

# passwd doej

...and you want to be asked?

doej's current passwd ?

or

root's current passwd ?

Unless there's some detail you are leaving out, and there's something more to just "double checking", I'd have to go with the previous 2 posts.

If it is the user's passwd you want to be prompted for, you'd need to know every user's passwd, which you don't need to know because you are root and you can have access to anything of theirs.

If it is root's passwd you want to be prompted for, you are already logged in as root. Doesn't make sense that you'd ask for authentication from root; it's like asking permission from yourself.

Why don't you explain the situation or what you are trying to accomplish/prevent? Maybe someone can come up with something better if we know the scope of what you are trying to accomplish.

Codename47 at 2007-7-6 19:58:35
# 4

Hi, sorry for some missing information. I am logged in as root via another application which actually does the log-in as root with the system, which means I actually log in to this application, and this application, which maintains the root password itself, handles the password entry with the system. Once I have logged in to this application, I will be at a root shell prompt as the root user. This application is specifically for controlling access to the root account.

What I would like to do is that at this stage (after logging in as root via this application), if I were to change the current password, it should prompt me for the current password. Presently, it asks for the new password directly. Just like other *nixes like HP-UX, where even though already in a session as root, any passwd command issued to change the root password will prompt for the current password before prompting for the new password.

Thanks for all the help.

AH at 2007-7-6 19:58:35
# 5
The password change that I am referring to here is the root password. Thanks.
AH at 2007-7-6 19:58:35
# 6

That is not possible since the root account is all-powerful, which also implies it can change every account on the system without being hindered by any limitation.

The best way to protect your root account from unwanted behaviour on Solaris 10 would be utilizing RBAC so that users only have the rights they need without being all-powerful. Another approach is using sudo for this; on older releases I think it's the only viable option, but that doesn't fully protect you.

For example, you can tell sudo not to allow people to run "passwd root". That's nice. But they probably /can/ fire up a new shell using sudo. Or worse, programs like midnight commander, or vim. Especially that last one can be tricky since it's perfectly possible to execute another program from it.

So in the end the absolute best defense is being extremely careful with choosing the users you allow to have full access on the server.

LionO at 2007-7-6 19:58:35
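As an added illustration of the sudo point made above (this is example configuration, not from the thread): a sudoers fragment showing the weak "everything except passwd root" form beside a tighter allow-list. The user "philton" and the /usr/bin/passwd path are assumed; the NOEXEC tag requires a sudo build with noexec support on the platform.

```sudoers
# Added example, not from the thread. User name is hypothetical.

# WEAK: grant ALL and try to subtract "passwd root". The sudoers manual
# itself warns that subtracting from ALL is not effective: with ALL a user
# can run "sudo sh", open an editor via sudo and shell out, or copy the
# passwd binary to another path, none of which match the excluded command.
philton  ALL = ALL, !/usr/bin/passwd root

# BETTER: an explicit allow-list. Only passwd for an ordinary user name is
# permitted, "passwd root" is still excluded, and NOEXEC blocks any program
# launched from the allowed command (an editor's shell escape, for example).
Cmnd_Alias HELPDESK_PW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
philton  ALL = NOEXEC: HELPDESK_PW
```

Even the allow-list form cannot authenticate a session that is already root, which is the original question; it only limits how a non-root user reaches root-level actions.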
# 7
Thanks everyone for the information. It was really helpful.
AH at 2007-7-6 19:58:35