let user can only run one command (passwd)?
I have setup OpenSMTPD + dovecot + roundcube simple mail server. People can ssh log in to the OpenBSD box, change their password using command passwd, the system account password is also the mail account password. So, for security reason, how to let the user can only run one command(passwd) when they login? or are there any other methods to let mail account user change their password by themself easily? sshd_config ChrootDirectory not suit our needs. 1. administrator login OpenBSD box, adduser user. 2. the user ssh log in OpenBSD box, run passwd to change their password assign by administrator.
Re: let user can only run one command (passwd)?
One easy way is to do this. Make their login shell /bin/rksh Make their login PATH /somepath and cp /usr/bin/passwd /somepath You can take it a lot further, but this is an easy start. On Thu, Jun 14, 2012 at 06:01:14PM +0800, f5b wrote: I have setup OpenSMTPD + dovecot + roundcube simple mail server. People can ssh log in to the OpenBSD box, change their password using command passwd, the system account password is also the mail account password. So, for security reason, how to let the user can only run one command(passwd) when they login? or are there any other methods to let mail account user change their password by themself easily? sshd_config ChrootDirectory not suit our needs. 1. administrator login OpenBSD box, adduser user. 2. the user ssh log in OpenBSD box, run passwd to change their password assign by administrator.
Re: let user can only run one command (passwd)?
On Thu, Jun 14, 2012 at 06:01:14PM +0800, f5b wrote: I have setup OpenSMTPD + dovecot + roundcube simple mail server. People can ssh log in to the OpenBSD box, change their password using command passwd, the system account password is also the mail account password. So, for security reason, how to let the user can only run one command(passwd) when they login? or are there any other methods to let mail account user change their password by themself easily? sshd_config ChrootDirectory not suit our needs. 1. administrator login OpenBSD box, adduser user. 2. the user ssh log in OpenBSD box, run passwd to change their password assign by administrator. So your users are ok with shell? If so you can define for them their own passwd file. Not tested though. passdb { driver = passwd-file # Each user has a separate passwd-file: args = /home/%u/.imappasswd } http://wiki2.dovecot.org/AuthDatabase/PasswdFile http://wiki2.dovecot.org/Variables jirib
Re: let user can only run one command (passwd)?
On 06/14/12 06:00, f5b wrote: I have setup OpenSMTPD + dovecot + roundcube simple mail server. People can ssh log in to the OpenBSD box, change their password using command passwd, the system account password is also the mail account password. So, for security reason, how to let the user can only run one command(passwd) when they login? or are there any other methods to let mail account user change their password by themself easily? sshd_config ChrootDirectory not suit our needs. 1. administrator login OpenBSD box, adduser user. 2. the user ssh log in OpenBSD box, run passwd to change their password assign by administrator. easy way: add /usr/bin/passwd to /etc/shells make the user's default shell /usr/bin/passwd when they log in, the shell will be run...that shell is passwd. ta-da! another way to accomplish the same task via another way... there is an old program called poppassd, which allows some mail clients to change the user's password. Apparently, Eudora supports it, iirc squirrelmail supports. mail/poppassd. While waving poppassd out on the 'net might not make me very happy (haven't verified, but I'd bet a tiny amount of money there's no encryption on it), you could probably cobble together a small web app which would handle https and keep it all off the 'net, which is what squirrelmail did... Roundcube may support this, too. Nick.
Re: let user can only run one command (passwd)?
sshd_config ChrootDirectory not suit our needs. Why doesn't it suit your needs (time to work out how to do it?), you could just use a locked down file permission system perhaps even including secondary groups. Force command might come in handy as well as sudo too. Why not do something good every day and install BOINC.
Re: let user can only run one command (passwd)?
sshd_config ChrootDirectory not suit our needs. You could also use systrace!! Do a little research and be careful if you use root though. Note contrary to wild statements the atleast published race conditions to be careful of are actually narrowly defined. Why not do something good every day and install BOINC.
Re: let user can only run one command (passwd)?
On 06/14/2012 08:55 AM, Kevin Chadwick wrote: sshd_config ChrootDirectory not suit our needs. Why doesn't it suit your needs (time to work out how to do it?), you could just use a locked down file permission system perhaps even including secondary groups. Force command might come in handy as well as sudo too. how WOULD it? passwd has to alter files in /etc (and is setuid root), kinda keeps a chroot from being overly useful. you are going about this the hard way Why not do something good every day and install BOINC. I love the global warming projects. Study global warming by increasing your computer's power draw! The math may be speculative, but the power consumption increase isn't!
Re: let user can only run one command (passwd)?
how WOULD it? passwd has to alter files in /etc (and is setuid root), kinda keeps a chroot from being overly useful. you are going about this the hard way It's not difficult to copy the lines from /etc/passwd into a mfs upon login, you don't necessarily need suid but yeah that's a hard way. I use single command shells myself and probably should have suggested that. I was just quickly chucking in possibilities really. Partly due to a bee in my bonnet about RBAC being a supposed must for good security. Why not do something good every day and install BOINC. I love the global warming projects. Study global warming by increasing your computer's power draw! The math may be speculative, but the power consumption increase isn't! Yeah quite Ironic e though on the systems I use I've noticed almost no power consumption increase, would probably be a different story if my GPUs were compatible, hmmm. Anyway it's medical and malaria uses I run it on and hope others do.
Re: let user can only run one command (passwd)?
On 06/14/12 17:48, Nick Holland wrote: On 06/14/2012 08:55 AM, Kevin Chadwick wrote: sshd_config ChrootDirectory not suit our needs. Why doesn't it suit your needs (time to work out how to do it?), you could just use a locked down file permission system perhaps even including secondary groups. Force command might come in handy as well as sudo too. how WOULD it? passwd has to alter files in /etc (and is setuid root), kinda keeps a chroot from being overly useful. I agree on the chroot part. However, combining Match Group ... with ForceCommand ... would be my first choice, but I have a perversion of wanting to use sshd for everything. :-) /Alexander
Re: let user can only run one command (passwd)?
On 06/14/12 13:09, Nick Holland wrote: On 06/14/12 06:00, f5b wrote: I have setup OpenSMTPD + dovecot + roundcube simple mail server. People can ssh log in to the OpenBSD box, change their password using command passwd, the system account password is also the mail account password. So, for security reason, how to let the user can only run one command(passwd) when they login? or are there any other methods to let mail account user change their password by themself easily? sshd_config ChrootDirectory not suit our needs. 1. administrator login OpenBSD box, adduser user. 2. the user ssh log in OpenBSD box, run passwd to change their password assign by administrator. easy way: add /usr/bin/passwd to /etc/shells make the user's default shell /usr/bin/passwd when they log in, the shell will be run...that shell is passwd. ta-da! Hmmm but if someone decides to do this: $ ssh [user@host] some_command That would call passwd with '-c some_command' and it would bork. In this case, to no avail, but using the same aproach on some other binaries could possibly have unwanted effects. Of course, setting the shell to a chpasswd wrapper would be easy enough. /Alexander
Re: let user can only run one command (passwd)?
On 2012-06-14, Alexander Hall ha...@openbsd.org wrote: However, combining Match Group ... with ForceCommand ... would be my first choice, but I have a perversion of wanting to use sshd for everything. :-) I think you're going to need something like that if you want to update system passwords in /etc/master.passwd; there used to be the option of putting them in a specific class and using auth=chpass in login.conf, but sshd doesn't work with interactive auth mechanisms (it can supply a single password and that's it). An alternative is to store password separately (ldap/radius/etc) and change them there, Roundcube's password-change plugin has support for a lot of methods (see /var/www/roundcubemail/plugins/password/README). Personally for accounts which should not have system access anyway, I'd probably stick them in LDAP or a SQL database and have Dovecot auth against that rather than using system passwords. (You could also dispense with system accounts completely if wanted and put them all under a virtual mailbox uid).