[tac_plus] Re: Changing a user's password from tacacs prompt or other method...

john heasley heas at shrubbery.net
Thu Jun 3 15:48:11 UTC 2010


Thu, Jun 03, 2010 at 11:30:49AM -0400, dterry at dollartree.com:
> You don't have to give them access to the server. Set their shell
> no /sbin/nologin and they will be able to change their password, but not
> login.

I didn't mention anything about the server.

> Wed, Jun 02, 2010 at 05:12:40PM -0230, Roderick B. Greening:
> > > > Just wondering how I would go about allowing the user to change their
> > > > password without providing access to the tacacs+ server?
> > > >
> > > > For example, the user telnets to one of the tacacs+ enabled NAS and
> > > > enters their username and then nothing for password. I'd like this to
> > > > trigger a request for a password change.
> > > >
> > > > In my tacacs+ config, I am using the default Linux /etc/passwd with the
> > > > file
> > >
> > > The TACACS+ protocol itself is suitable to do this.
> > > The popular (and free) server programs isn't.
> > > You have to develop it...
> > >
> >
> > I take it this means that writing a before/after auth script is not
> > possible to do this, and only possible with modifications to the tacacs
> > server code base itself?
> >
> > Anyone interested in developing this?
> 
> I believe that it currently works if the device initiates the change.
> but, otherwise gabor is right.  however, you may be able to use PAM
> to do that - in theory, but I haven't tried it.  you'd need PAM modules
> that would enforce the empty password bit and perform the change passwd
> prompting.
> 
> note that empty password is a DoS and security hole.

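The point made above about empty passwords being a DoS and security hole, taken from the defender's side: the following POSIX sh audit is an added example, not code from the thread or from tac_plus. It writes constructed passwd/shadow-format samples (not real system files) and reports every account whose shadow password field is empty, together with whether that account's shell still permits interactive login. The function name `find_empty_passwords` and the sample users are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the tac_plus thread): audit passwd/shadow-format
# files for accounts with an empty password field and report whether their
# login shell is a real shell or a nologin-style shell.

# Print "user:status" for each account whose shadow password field (field 2)
# is empty.  status is "nologin" when the passwd shell (field 7) ends in
# nologin or /false, otherwise "login-shell".
# Usage: find_empty_passwords PASSWD_FILE SHADOW_FILE
find_empty_passwords() {
    passwd_file=$1
    shadow_file=$2
    # First pass (NR==FNR) reads the shadow file and remembers users with an
    # empty hash; second pass walks the passwd file and classifies the shell.
    awk -F: 'NR==FNR { if ($2 == "") empty[$1] = 1; next }
             ($1 in empty) {
                 print $1 ":" ($7 ~ /nologin$|\/false$/ ? "nologin" : "login-shell")
             }' "$shadow_file" "$passwd_file"
}

# Constructed sample data (hashes are placeholders, not real password hashes).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_SHADOW=$SAMPLE_DIR/shadow

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$hash1:18000:0:99999:7:::
alice::18000:0:99999:7:::
bob::18000:0:99999:7:::
carol:$6$placeholder$hash2:18000:0:99999:7:::
EOF

# Running stand-alone prints the findings: alice has no password but cannot
# log in interactively; bob has no password and a real shell, the case the
# thread warns about.
find_empty_passwords "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Point the function at the real `/etc/passwd` and `/etc/shadow` (reading shadow needs root) to repeat the check on a host that serves tac_plus its `file` authentication backend; any `login-shell` line is an account worth fixing before an empty-password-triggered change flow is considered.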