> There is no non-interactive use of passwd - by design. Examples of why that's not usually a good thing to do:

* password on the command line could be seen by anyone else using "ps" at that moment (unless all non-root users have accounts that revoke proc_info privilege)
* password embedded in a script could be seen if someone got read access to the script

And testing the validity of passwords should only be done by "trusted" programs, so as to discourage automated brute force attempts to guess passwords.

"expect" can script anything that can be done interactively. But as the previous reply stated, validating passwords should really be done in a language that can directly use the PAM functions. Look at the code for su if you must do this sort of thing. It may have to run setuid root, to be able to use pam_authenticate() successfully.

Ideally, any initial password for a new user should be set in such a way that it's already expired and they have to change it immediately. Only the account holder should know the password; even the system administrator should not know user account passwords; otherwise accountability would be undermined.

Of course with someone who had root and really knew what they were doing, just about anything could be faked, unless there was a guaranteed way to get current records off somewhere they couldn't tamper with, which is actually rather difficult to do, unless they also can't write to /dev/*mem, load kernel modules, or reboot off of alternate media. One can imagine a system locked down that tight, but I think Solaris might be missing some mechanisms that would be required (something equivalent to BSD sysctl kern.securelevel=1 or higher, for instance), although a kiosk-like system with a read-only root and various data copied into tmpfs as needed to be writable (but lost after each reboot) could get pretty close.

--
This message posted from opensolaris.org
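The first bullet in the post above, seen from the defender's side, as an added example that is not part of the original message: a small Python audit that scans `ps` output for secrets passed as arguments and reports them with the value masked. The process listing, the script names and the option-name patterns are constructed assumptions for illustration.

```python
import re

# Constructed sample of `ps -eo pid,user,args` output (not from a real host).
SAMPLE_PS = """\
  PID USER     ARGS
  812 root     /usr/lib/ssh/sshd
 4410 alice    ./provision.sh --password hunter2 newuser
 4522 bob      ./backup.sh DB_PASSWORD=tr0ub4dor nightly
 4600 carol    passwd carol
 4711 dave     grep root /etc/passwd
"""

# Assumed naming patterns for secret-bearing arguments; extend for local tools.
KEY = r"[\w-]*(?:pass(?:word|wd)?|pwd|secret)[\w-]*"
SECRET_OPT = re.compile(rf"^--?{KEY}$", re.I)                     # --password VALUE
SECRET_ASSIGN = re.compile(rf"^(?:--?)?{KEY}=(?P<val>.+)$", re.I)  # key=VALUE

def scan_args(argv):
    """Return (argv with secret values masked, number of values masked)."""
    out, hits, mask_next = [], 0, False
    for arg in argv:
        if mask_next:                      # value following a secret option
            out.append("****")
            hits += 1
            mask_next = False
        elif (m := SECRET_ASSIGN.match(arg)):
            out.append(arg[: m.start("val")] + "****")
            hits += 1
        else:
            out.append(arg)
            mask_next = bool(SECRET_OPT.match(arg))
    return out, hits

def audit_ps(ps_text):
    """Return (pid, user, masked command) for processes exposing a secret in argv."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:                 # blank line or process with no args
            continue
        masked, hits = scan_args(parts[2].split())
        if hits:
            findings.append((int(parts[0]), parts[1], " ".join(masked)))
    return findings

if __name__ == "__main__":
    for pid, user, cmd in audit_ps(SAMPLE_PS):
        print(f"pid {pid} ({user}) exposes a secret in argv: {cmd}")
```

Masking the value in the report keeps the audit itself from writing the secret into yet another readable place.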