On 06/14/12 13:09, Nick Holland wrote:
On 06/14/12 06:00, f5b wrote:
I have set up an OpenSMTPD + dovecot + roundcube simple mail server.
People can ssh log in to the OpenBSD box and change their password using the command
passwd;
the system account password is also the mail account password.
So, for security reasons, how can I let the user run only one command (passwd)
when they log in?
Or are there any other methods to let mail account users change their password
by themselves easily?
sshd_config ChrootDirectory does not suit our needs.
1. The administrator logs in to the OpenBSD box, adduser user.
2. The user ssh logs in to the OpenBSD box and runs "passwd" to change the password
assigned by the administrator.
easy way:
add /usr/bin/passwd to /etc/shells
make the user's default shell /usr/bin/passwd
when they log in, the shell will be run...that "shell" is passwd.
ta-da!
Hmmm but if someone decides to do this:
$ ssh [user@host] some_command
That would call passwd with '-c some_command' and it would bork. In this
case, to no avail, but using the same approach on some other binaries
could possibly have unwanted effects.
Of course, setting the shell to a chpasswd wrapper would be easy enough.
/Alexander
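
A sketch of the kind of wrapper the last reply mentions, as an added example that is not code from any poster in this thread: it runs passwd only for a plain interactive login and refuses the `-c some_command` form instead of passing it on. The file name `passwd-only`, its install path and the log tag are assumptions; the wrapper would have to be listed in /etc/shells and set as the user's login shell.

```shell
#!/bin/sh
# Added example: restricted login "shell" that only ever runs passwd.
# Assumptions: installed as /usr/local/sbin/passwd-only (hypothetical path),
# listed in /etc/shells, and set as the mail users' login shell.

# Fixed PATH so nothing from the session environment picks the binaries.
PATH=/usr/bin:/bin
export PATH
WRAPPER_NAME=passwd-only   # hypothetical file name; main() runs only under it

# decide ARGS... -> prints "passwd" for a plain login (no arguments),
# "reject" for anything else, e.g. the "-c some_command" that sshd passes
# to the login shell for `ssh user@host some_command`.
decide() {
    if [ "$#" -eq 0 ]; then
        echo passwd
    else
        echo reject
    fi
}

main() {
    action=$(decide "$@")
    if [ "$action" = reject ]; then
        # Never hand the arguments to passwd; record the attempt and leave.
        # The command text itself is deliberately not written to the log.
        logger -t "$WRAPPER_NAME" -p auth.notice \
            "refused remote command for ${USER:-unknown}"
        echo "Only interactive password changes are allowed." >&2
        exit 1
    fi
    if [ ! -t 0 ]; then
        echo "A terminal is required to change the password." >&2
        exit 1
    fi
    # No arguments are forwarded, so passwd changes the caller's own password.
    exec /usr/bin/passwd
}

# Run only when invoked under the wrapper's own name, so the file can be
# sourced or syntax-checked without starting passwd.
case "${0##*/}" in
    "$WRAPPER_NAME") main "$@" ;;
esac
```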