NAME

chngpwd.pl - A secure one liner pam password changer

SYNOPSIS

chngpwd.pl [-d | --debug] [ -q | --quiet ] username old_password new_password

DESCRIPTION

chngpwd.pl is an program that lets any user changes any other users password if the user has other user's current password.'

It should be able to work on any PAM aware system.

This makes easier to use as wrapper for a system password changer, like from a CGI.

-d, --debug Shows debugging messages. (helpful to find bugs only).
-q, --quiet quiet mode. Does not output any normal message
-e, --extra extra parameter. anything specified as an argument for -e will be logged toghether. Usefull for parsing the logs.

EXIT STATUS

chngpwd.pl returns a variety of status. This makes it easy to know the results from its exit status:

0

Password sucessfully changed.

1

Wrong number of arguments passed to the program.

2

The program is not suid.

3

Root is trying to run the program (not allowed, but behaviour can be changed).

4

Cannot change users password. It is a special account.

5

Authentication Error. The old password did not matched.

6 **OUT**

This exit code is obsolete.

7

Provided username is invalid.

8 **OUT**

This exit code is obsolete.

9

Internal Error. Could not load Sys::Syslog.

10 **OUT**

This exit code is obsolete.

11 **OUT*

Internal Error. Unkown PAM response.

This exit code is obsolete.

12

Internal Error. Could not open mail program.

13 **OUT**

This exit code is obsolete.

14 **OUT**

This exit code is obsolete.

15

Internal Error. Something unexpected happened.

16

Internal Error. User not allowed to run the program.

17 **OUT**

This exit code is obsolete.

101

New password unacceptable. It is really short.

102

New password unacceptable. It is short (still).

103

New password unacceptable. It does not contain enough different characters

104

New password unacceptable. It is too simple or too systematic.

105

New password unacceptable. It is too similiar to the old one.

106

New password unacceptable. It is too simple or based in a common word.

107

Password unchanged. Usually happens if the ond and new passwords are equal.

SECURITY AND INTERNALS

This programs needs to be suid to run.

If you still haven't give up yet, you have to read the source code before using this application. I have checked its code many times to make sure it doesn't have any security flaw. However I am not perfect.

If you found any security issue (or would like to talk about this) please, mail me.

There are a lower and upper uid limit that can be used by this program. If defaults to < 500 (lower limit) and > 60000 (upper limit). As this values are usually used for system accounts. This can be changed in the $opt variable.

Future versions will read this values directly from /etc/login.defs .

The program logs in the syslog all activity. And mails the administrator (root) if any unexpected behaviour is found.

By default many configuration were taken out from the command line and the administrator will have to change its default values inside the script (like the syslog facility to use and the mail program that should be called). As it runs suided root, it would allow unwanted behaviour to be untrackable.

The program will not let be run by root by default. That's because of PAM's behaviour. If the application has the uid != 0 but the effective uid == 0, PAM will let the password to be changed if the old password is known (wanted behaviour). OTOH, if the uid == 0, PAM will not ask for a old password. As this program was design to be a wrapper, this might not be what the administrator wants, so it will refuse to run. This behaviour can be changed inside the program.

If PAM does not ask for the current password (ask just the new one), the program will abort with an error.

This program makes use of the prompt messages given by PAM when changing passowrd. This means that if the messages changes, the application will not know what to do.

To prevent translations getting on the way (and possible security flaws), this program deletes all environment variables, before starting the PAM library.

Configuring the variables: $opt->{restrict_to_one_user} and $opt->{uid_restricted} allows to configure the script to only be run by the uid specified in $opt->{uid_restricted}. This is handfull to allow only one specific user to change passwords (e.g. a web server) and restric access from others.

It is important to know that this program relies on Authen::SimplePam now to deal with PAM.

This means that if you use a non standard PAM module you might have to contact the Authen::SimplePam author in order to improve it.

However chances are that Authen::SimplePam will works fine with most modules.

REPORTING BUGS

Please send bug reports, critics, comments and patchs to <raul@dias.com.br>

SEE ALSO

pam, passwd, perl

AUTHOR

Raul Dias <raul@dias.com.br>

17 POD Errors

The following errors were encountered while parsing the POD:

Around line 233:

Expected text after =item, not a number

Around line 237:

Expected text after =item, not a number

Around line 241:

Expected text after =item, not a number

Around line 245:

Expected text after =item, not a number

Around line 249:

Expected text after =item, not a number

Around line 257:

Expected text after =item, not a number

Around line 265:

Expected text after =item, not a number

Around line 279:

Expected text after =item, not a number

Around line 291:

Expected text after =item, not a number

Around line 295:

Expected text after =item, not a number

Around line 303:

Expected text after =item, not a number

Around line 307:

Expected text after =item, not a number

Around line 311:

Expected text after =item, not a number

Around line 315:

Expected text after =item, not a number

Around line 319:

Expected text after =item, not a number

Around line 323:

Expected text after =item, not a number

Around line 327:

Expected text after =item, not a number