On 06/14/12 06:00, f5b wrote:
> I have setup OpenSMTPD + dovecot + roundcube simple mail server.
> People can ssh log in to the OpenBSD box, change their password using command
> passwd,
> the system account password is also the mail account password.
>
> So, for security reason, how to let the user can only run one command(passwd)
> when they login?
> or are there any other methods to let mail account user change their password
> by themself easily?
>
> sshd_config ChrootDirectory not suit our needs.
>
> 1. administrator login OpenBSD box, adduser user.
> 2. the user ssh log in OpenBSD box, run "passwd" to change their password
> assign by administrator.

easy way:
add /usr/bin/passwd to /etc/shells
make the user's default shell /usr/bin/passwd

when they log in, the shell will be run...that "shell" is passwd.
ta-da!

another way to accomplish the same task via another way...
there is an old program called "poppassd", which allows some mail
clients to change the user's password. Apparently, Eudora supports it,
iirc squirrelmail supports. mail/poppassd.

While waving poppassd out on the 'net might not make me very happy
(haven't verified, but I'd bet a tiny amount of money there's no
encryption on it), you could probably cobble together a small web app
which would handle https and keep it all off the 'net, which is what
squirrelmail did... Roundcube may support this, too.

Nick.
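
The "easy way" from the reply above as a script, with a check that an account really is limited to passwd. This is an added example, not part of the original thread; the function names, the SHELLS_FILE/PASSWD_FILE overrides and the use of usermod to change the shell are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults point at the real system files;
# override SHELLS_FILE / PASSWD_FILE to rehearse against copies.
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
PW_SHELL="/usr/bin/passwd"

# Step 1: list passwd as a valid shell, once (exact whole-line match).
ensure_shell_listed() {
    grep -qxF "$PW_SHELL" "$SHELLS_FILE" 2>/dev/null ||
        printf '%s\n' "$PW_SHELL" >> "$SHELLS_FILE"
}

# Step 2: make passwd the login shell of one account (needs root).
# Assumption: usermod(8) is the tool used; chsh -s does the same job.
set_passwd_shell() {
    usermod -s "$PW_SHELL" "$1"
}

# Check: print every account whose shell field (last field) is passwd.
passwd_only_users() {
    awk -F: -v sh="$PW_SHELL" '$NF == sh { print $1 }' "$PASSWD_FILE"
}

# Check: succeed only if the named account is restricted to passwd.
is_passwd_only() {
    passwd_only_users | grep -qxF "$1"
}

# Rehearsal on constructed sample files: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); SHELLS_FILE="$d/shells"; PASSWD_FILE="$d/passwd"
    printf '/bin/sh\n/bin/ksh\n' > "$SHELLS_FILE"
    printf 'alice:*:1000:1000::/home/alice:/usr/bin/passwd\n' > "$PASSWD_FILE"
    printf 'bob:*:1001:1001::/home/bob:/bin/ksh\n' >> "$PASSWD_FILE"
    ensure_shell_listed          # appends /usr/bin/passwd to the copy
    passwd_only_users            # lists the constructed account "alice"
    rm -rf "$d"
fi
```

Changing the login shell does not switch off sshd's TCP forwarding for these accounts; setting `AllowTcpForwarding no` for them in a `Match` block in sshd_config covers that.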