chngpwd.pl - A secure one liner pam password changer
chngpwd.pl [-d | --debug] [ -q | --quiet ] username old_password new_password
chngpwd.pl is a program that lets any user change any other user's password, provided the caller knows that user's current password.
It should be able to work on any PAM aware system.
This makes it easier to use as a wrapper around the system password changer, for example from a CGI script.
chngpwd.pl returns a distinct exit status for each outcome, which makes it easy to tell the result from its exit code:
Password successfully changed.
Wrong number of arguments passed to the program.
The program is not suid.
Root is trying to run the program (not allowed, but behaviour can be changed).
Cannot change users password. It is a special account.
Authentication Error. The old password did not match.
This exit code is obsolete.
Provided username is invalid.
Internal Error. Could not load Sys::Syslog.
Internal Error. Unknown PAM response.
Internal Error. Could not open mail program.
Internal Error. Something unexpected happened.
Internal Error. User not allowed to run the program.
New password unacceptable. It is really short.
New password unacceptable. It is short (still).
New password unacceptable. It does not contain enough different characters.
New password unacceptable. It is too simple or too systematic.
New password unacceptable. It is too similar to the old one.
New password unacceptable. It is too simple or based on a common word.
Password unchanged. Usually happens if the old and new passwords are equal.
This program needs to be suid root to run.
If you still haven't given up yet, you should read the source code before using this application. I have checked its code many times to make sure it has no security flaws. However, I am not perfect.
If you find any security issue (or would like to talk about this), please mail me.
There are lower and upper uid limits for the accounts this program will operate on. They default to < 500 (lower limit) and > 60000 (upper limit), since uids in those ranges are usually used for system accounts. The limits can be changed in the $opt variable.
Future versions will read these values directly from /etc/login.defs.
The program logs all activity to syslog and mails the administrator (root) if any unexpected behaviour is found.
By default many configuration options were deliberately taken out of the command line, so the administrator has to change their default values inside the script (for example the syslog facility to use and the mail program that should be called). Since the script runs suid root, letting those options be set from the command line would allow unwanted behaviour to go untracked.
By default the program will refuse to be run by root. This is because of PAM's behaviour: if the application has uid != 0 but effective uid == 0, PAM will let the password be changed if the old password is known (the wanted behaviour). OTOH, if the uid == 0, PAM will not ask for the old password at all. As this program was designed to be a wrapper, that is probably not what the administrator wants, so it refuses to run. This behaviour can be changed inside the program.
If PAM does not ask for the current password (only for the new one), the program will abort with an error.
This program relies on the prompt messages given by PAM when changing a password. This means that if those messages change, the application will not know what to do.
To prevent translations from getting in the way (and possible security flaws), this program deletes all environment variables before starting the PAM library.
Setting the variables $opt->{restrict_to_one_user} and $opt->{uid_restricted} configures the script to be run only by the uid specified in $opt->{uid_restricted}. This is handy to allow only one specific user (e.g. a web server) to change passwords and to restrict access from everybody else.
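The guard checks described above (uid limits, the refusal to run as real root, the optional single-caller restriction, and the environment scrub before PAM is loaded) as one added example; this is not the chngpwd.pl source, and the $opt key names, the reason strings and the example uid values are assumptions.

```perl
#!/usr/bin/perl
# Added example, not chngpwd.pl itself: pre-PAM sanity checks for a suid wrapper.
use strict;
use warnings;
use English qw(-no_match_vars);   # $UID = real uid, $EUID = effective uid

# Assumed option names; the script's own $opt may differ.
my $opt = {
    min_uid              => 500,     # targets below this are system accounts
    max_uid              => 60000,   # targets above this are system accounts
    allow_root           => 0,       # documented default: refuse a real uid of 0
    restrict_to_one_user => 0,       # when set, only uid_restricted may call us
    uid_restricted       => 33,      # e.g. the web server uid (assumed value)
};

# Returns undef when every check passes, otherwise a short reason; the real
# script maps each reason to a distinct exit status instead.
sub guard {
    my ($target_user, $opt) = @_;

    # A real uid of 0 makes PAM skip the old-password prompt, so refuse it.
    return 'root not allowed' if $UID == 0 && !$opt->{allow_root};

    # Without effective uid 0 the wrapper cannot drive PAM for other users.
    return 'not suid' if $EUID != 0;

    if ($opt->{restrict_to_one_user} && $UID != $opt->{uid_restricted}) {
        return 'caller not allowed';
    }

    my @pw = getpwnam($target_user);      # ($name, $passwd, $uid, $gid, ...)
    return 'invalid username' unless @pw;
    my $target_uid = $pw[2];

    if ($target_uid < $opt->{min_uid} || $target_uid > $opt->{max_uid}) {
        return 'special account';
    }
    return undef;
}

# Drop every environment variable before PAM is loaded so locale settings
# cannot change the prompt text the wrapper matches on; keep a minimal PATH
# (assumed value) for the mail program.
sub scrub_env {
    %ENV = ();
    $ENV{PATH} = '/bin:/usr/bin';
}

my $target = $ARGV[0] // '';             # username is the first argument here
if (my $why = guard($target, $opt)) {
    die "refusing to continue: $why\n";
}
scrub_env();
```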
It is important to know that this program now relies on Authen::SimplePam to deal with PAM.
This means that if you use a non-standard PAM module you might have to contact the Authen::SimplePam author in order to improve it.
However, chances are that Authen::SimplePam will work fine with most modules.
Please send bug reports, critics, comments and patches to <raul@dias.com.br>
pam, passwd, perl
Raul Dias <raul@dias.com.br>