[tac_plus] Re: Changing a user's password from tacacs prompt or other method...
dterry at dollartree.com
Thu Jun 3 15:30:49 UTC 2010
You don't have to give them access to the server. Set their shell
to /sbin/nologin and they will be able to change their password, but not
log in.
From: john heasley <heas at shrubbery.net>
Sent by: <tac_plus-bounces@shrubbery.net>
Date: 06/02/2010 04:27 PM
To: "Roderick B. Greening" <roderick.greening at gmail.com>
cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Changing a user's password from tacacs prompt or other method...
Wed, Jun 02, 2010 at 05:12:40PM -0230, Roderick B. Greening:
> > > Just wondering how I would go about allowing the user to change their
> > > password without providing access to the tacacs+ server?
> > >
> > > For example, the user telnets to one of the tacacs+ enabled NAS and
> > > enters their username and then nothing for password. I'd like this to
> > > trigger a request for a password change.
> > >
> > > In my tacacs+ config, I am using the default Linux /etc/passwd with the
> > > file
> >
> > The TACACS+ protocol itself is suitable to do this.
> > The popular (and free) server programs aren't.
> > You have to develop it...
> >
>
> I take it this means that writing a before/after auth script is not possible
> to do this, and only possible with modifications to the tacacs server code base
> itself?
>
> Anyone interested in developing this?
I believe that it currently works if the device initiates the change,
but otherwise Gabor is right. However, you may be able to use PAM
to do that - in theory, but I haven't tried it. You'd need PAM modules
that would enforce the empty password bit and perform the change passwd
prompting.
Note that an empty password is a DoS and security hole.