I hope I have phrased this question correctly, it's a bit of an odd one.
I have an Ubuntu 18.04 host with many users on it. All of the users log into their account on the host via SSH public key. All accounts have no password. This means that the /etc/shadow
entry for every user is !
. (I do not mean to imply that any account has an empty password, which would mean anyone could enter a username and then hit Enter at the password prompt to log in. An account with no password and an account with an empty password are very different things!)
With this situation, users are unable to set a password for their account with passwd
because changing your password requires entering the current one which they can't do. This is actually fine.
However, another thing they can't do is change their shell because doing this requires entering a password, which the accounts don't have.
One solution I found suggests replacing required
with sufficient
in this line in /etc/pam.d/cshs
:
# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth required pam_shells.so
This works but my concerns with this are:
- I don't understand why this works in my case because users' shells are already in
/etc/shells
. So why does modifying this suddenly allow users to usechsh
without a password? (To be clear, in all cases, the users' current shells and desired shells are both listed in/etc/shells
.) - I don't necessarily want service accounts to be able to change their own service-specific shells although this isn't quite as important.
I feel like this is something than can be solved by PAM in a more elegant way, somehow.
0 Answers