On Thu, Jan 24, 2002 at 07:23:35AM +0100, martin f krafft wrote:
> also sprach Rob VanFleet
> > On this list (I believe) I saw someone mention the use of /bin/passwd
> > as a shell for mail-only users so they can easily change their password
> > without having to ask someone. Is this a secure option, or am I
> > missing some glaring problems? If so, what are some other possible
> > solutions?
>
> that was me, and no, no one has mentioned any bad aspects yet, other
> than your users having to type the old password twice. however, it's
> not the solution i am looking for, so i am implementing a highly secure
> way to do it over an SSL/TLS-encrypted webform with emphasis on
> minimization of root privilege needs. i'll post to the list when i am
> done.

Thanks, that would be great. I thought about some sort of CGI for that
as well, but without spending more time on it than I have at the moment
I figured it would be far less secure than a password-protected passwd. :)
With proper taint checking it would probably be a better option.

-Rob
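
Added example (not part of the original thread): the kind of allow-list validation that taint checking enforces, applied to a password-change web form before anything reaches a privileged helper. The field names, the protected-account list, the length limits and the hypothetical helper fed one `user:password` line (the line format chpasswd reads) are all assumptions.

```python
import re

# Assumption: mail-only accounts use short lowercase login names.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Hypothetical policy: accounts the web form must never be able to touch.
PROTECTED = {"root", "daemon", "bin", "sys", "mail", "nobody"}


class Rejected(ValueError):
    """Raised when a form field fails validation."""


def clean_username(raw):
    # fullmatch() refuses a trailing newline, which '$' with match() would allow.
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise Rejected("bad username")
    if raw in PROTECTED:
        raise Rejected("protected account")
    return raw


def clean_password(raw, min_len=8, max_len=128):
    if not isinstance(raw, str) or not (min_len <= len(raw) <= max_len):
        raise Rejected("bad password length")
    # A newline inside the password would begin a second "user:password"
    # record for the helper, so every control character is refused.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        raise Rejected("control character in password")
    return raw


def handle(form):
    """Validate constructed form data; return ("ok", record) or ("rejected", reason)."""
    try:
        user = clean_username(form.get("user"))
        clean_password(form.get("old"), min_len=1)  # checked elsewhere, e.g. via PAM
        new = clean_password(form.get("new"))
    except Rejected as exc:
        return ("rejected", str(exc))
    # Exactly one record; the only data a root-owned helper would ever see.
    return ("ok", f"{user}:{new}\n")


if __name__ == "__main__":
    # Constructed sample submissions.
    print(handle({"user": "alice", "old": "hunter2", "new": "correct horse"}))
    print(handle({"user": "alice", "old": "hunter2", "new": "longenough\nroot:x"}))
```

Only the validated single line crosses the privilege boundary, so the web-facing code itself can run as an unprivileged user.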