
Been working on some security hardening procedures for a RedHat box, and I wanted to know if it would be possible to prevent a user from changing his password once it's expired.

For one of our clients the requirement is that they must only have access to the server through temporary accounts, meaning that once the user credentials are created, password must expire within 4 hours, and once password expires, only root should be able to change it.

For the first requirement (passwords expiring after 4 hours), I guess it could be achieved by setting passwordMaxAge = 144000. But I still couldn't find a way of preventing the users from changing expired passwords without turning off password expiration.

Can anyone help?

Nathan Tuggy
born to hula

  • Is it OK if the user keeps existing login sessions open past the 4-hour window? Expiring the user's password won't kick them out if they're already logged in. I could keep an SSH session open for weeks. – Wyzard Mar 19 '15 at 02:27
  • Instead of relying on at/cronjobs and modification of system binaries you might be able to write a simple pam module, or maybe there is even one out there (or you can maybe fork pam_time to include more options) – PlasmaHH Mar 19 '15 at 10:06

2 Answers


If you remove the setuid bit from the passwd command, only root will be able to use it. This will also prevent the users from changing the password before it expires - which could otherwise be a way for the users to extend the account for another four hours.

[jenny@finch ~]$ sudo chmod -s /usr/bin/passwd
[jenny@finch ~]$ passwd
Changing password for user jenny.
Changing password for jenny.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error

Root is still able to change any password:

[jenny@finch ~]$ sudo passwd jenny
Changing password for user jenny.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Jenny D

  • Elegant, and very UNIX. +1 from me. @borntohula, don't forget to accept this answer by clicking on the "tick" outline if you're happy with it. – MadHatter Mar 18 '15 at 14:17
  • This _almost_ works. The problem with it is that your removal of the setuid bit will be undone if `passwd` is ever updated by the system. – Michael Hampton Mar 18 '15 at 14:17
  • @MichaelHampton True. Fixing that is what e.g. puppet is for. Also, doesn't everyone check their systems for new setuid/setgid bits after each update? – Jenny D Mar 18 '15 at 14:19
  • @JennyD - they probably *should* check for setuid/setgid bits changing, but very few ever do – warren Mar 23 '15 at 22:09
  • @warren - there may have been a slight trace of sarcasm in that sentence. A very small trace. Minuscule. – Jenny D Mar 24 '15 at 04:22
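As an added example (my own code, not Jenny D's and not from the original page): the chmod step from the answer as a function, followed by the setuid/setgid baseline check the comments argue for, so that a package update that restores the bit on `passwd` shows up as drift. The directory, baseline file name and the `rpm -V passwd` remark are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original answer.
# 1. harden_passwd: drop the setuid bit so only root can run passwd usefully.
# 2. record_setuid_baseline / check_setuid_drift: keep a sorted list of
#    setuid/setgid files and report any that appear later (e.g. after an update).

# Requires root. Not executed by the self-test below.
harden_passwd() {
    chmod u-s /usr/bin/passwd
    ls -l /usr/bin/passwd
    # Assumption: on RHEL the binary belongs to the "passwd" package, so
    # rpm -V passwd will report the mode change ("M" in the mode column) until
    # an update reinstalls the file with the setuid bit, which is the drift we
    # catch below.
}

# List setuid or setgid regular files under a directory tree, sorted, one per line.
list_setuid() {            # $1 = directory
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Save the current list as the baseline to compare against after updates.
record_setuid_baseline() { # $1 = directory, $2 = baseline file
    list_setuid "$1" > "$2"
}

# Print files that carry setuid/setgid now but are not in the baseline.
# Returns 1 if any appeared, 0 if the tree matches the baseline.
check_setuid_drift() {     # $1 = directory, $2 = baseline file
    local new
    new=$(list_setuid "$1" | comm -13 "$2" -)   # lines only in the current list
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}
```

On a real host you would run `record_setuid_baseline / /var/lib/setuid.baseline` right after `harden_passwd`, and call `check_setuid_drift / /var/lib/setuid.baseline` from the post-update hook of whatever configuration management you use; a non-zero exit means something (typically `/usr/bin/passwd` after an update) needs the chmod again.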

Generally, password expiration is used to force users to change their passwords. What it sounds like you want to do is to lock the account, which prevents all login.

What I would suggest you do instead is, when you create the account, also set up an at job which will lock the account after four hours.

For example:

useradd temp8143
echo chage -E 0 temp8143 | at now + 4 hours

(chage -E expects expiration dates to be given in days, so we work around this with an at job.)

Michael Hampton
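As an added example (my own code, not Michael Hampton's and not from the original page): the procedure above wrapped in a function, extended to also terminate sessions that were opened before the lock (the point Wyzard raised in the comments), plus a check that reads the expiry field of the shadow entry so you can confirm the queued job actually locked the account. The user name, the four-hour lifetime, the use of `at`/`atd` and the constructed shadow lines are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original answer.
# provision_temp_account: create the user and queue a job that locks the
#   account and kills its processes after N hours.
# shadow_expired / account_expired: tell whether the lock has taken effect by
#   reading field 8 (expiry, in days since the epoch) of the shadow entry.

# Requires root and a running atd. Not executed by the self-test below.
provision_temp_account() {   # $1 = user name, $2 = lifetime in hours (default 4)
    local user=$1 hours=${2:-4}
    useradd "$user"
    passwd "$user"           # set the initial password interactively
    # chage -E 0 puts the expiry date at day 0 (1970-01-01), so every later login
    # is refused; pkill -KILL -u ends sessions that were already open.
    printf 'chage -E 0 %s; pkill -KILL -u %s\n' "$user" "$user" | at now + "$hours" hours
}

# Days since the epoch, the unit used by the expiry field of /etc/shadow.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Given one /etc/shadow line, return 0 if the account has expired (expiry field
# set and not after today), 1 otherwise. An empty field means "never expires".
# Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
shadow_expired() {           # $1 = shadow line, $2 = today in days (optional, for testing)
    local expire today
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    today=${2:-$(today_days)}
    [ -n "$expire" ] && [ "$expire" -le "$today" ]
}

# Wrapper for a live system (needs root to read the shadow database).
account_expired() {          # $1 = user name
    shadow_expired "$(getent shadow "$1")"
}
```

After the job has run, `account_expired temp8143 && echo locked` should print `locked`; if it does not, check that `atd` was running when the job was due (`atq` lists jobs still pending).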