Provide a state to require new password on first login #72

Open
multani opened this issue Jun 24, 2015 · 2 comments

Comments


multani commented Jun 24, 2015

We have users that we create sometimes, and for some reasons we don't want to store their hashed passwords in Salt, and we don't rely (yet) on central authentication.

In this case, what we often do is require them to change their password on the very first login, and since to change your password you first have to know the previous one, we also set an empty password by default (in this case, passwd doesn't ask for the old password). Since we rely on SSH key authentication for the initial authentication, this trade-off is acceptable, I guess.

Currently, our state looks like this:

```yaml
{% if name != 'root' and 'password' not in user %}
{{ name }}_user_reset_password:
  cmd.run:
    - name: usermod -p "" {{ name }} && chage -d 0 {{ name }}
    - onlyif: grep --quiet "^{{ name }}:!:" /etc/shadow
    - require:
      - user: {{ name }}
{% endif %}
```

This does the following:

  • ensure the password is really empty and change the expiration date to require a password change on login. The order of these operations is important: if you do it in the reverse order, the expiration date is set somewhere in the future due to the usermod call.
  • the state is only run if there's no password set (at all) for this user, otherwise the state will keep resetting the password. It's a complicated way of saying: run the state only once, just after the user has been initially created.

I think this state would fit into this formula, and I'll be glad to offer a pull request to add this. Any comments are welcome (if that fits, and how to provide a pillar configuration to configure this).

Contributor

0xf10e commented Jun 28, 2015

Hmm, one could also include the hash of an initial password in pillar and expire the password if the hash still matches, right?


gboddin commented Feb 2, 2016

@0xf10e Not really, there's currently no way to set the hash to an empty string (no password != `!`), using:

```yaml
password: ""
expire: 0
```

As a result the shadow file is set to `!` instead of nothing at all.

In some cases it is acceptable to proceed this way because:

If you work with ssh only, you can make the user set his first password without knowing the previous one.

Of course you should make sure PAM/ssh doesn't allow empty-password login.

This is pretty useful when you don't want to send passwords by mail/IM to third parties, but they use an SSH key.
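Added example (not code from this issue or from the formula): the checks below mirror multani's `onlyif` condition and the effect of `usermod -p "" && chage -d 0`, and implement gboddin's caveat by testing whether sshd would accept an empty password. They run over constructed shadow and sshd_config lines; in real use you would feed `getent shadow "$user"` and `/etc/ssh/sshd_config` instead (Match blocks are not handled).

```shell
#!/bin/sh
# Added example, not from the issue: shadow-entry and sshd_config checks that
# mirror the reset state above, run on constructed sample lines so the script
# works offline. Match blocks in sshd_config are deliberately not handled.

shadow_field() {            # $1 = shadow line, $2 = 1-based field number
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# 0 when the hash field is exactly "!": password never set, the only case in
# which the issue's onlyif grep lets the reset state run.
needs_reset() {
  [ "$(shadow_field "$1" 2)" = "!" ]
}

# 0 when the hash field is empty, i.e. what `usermod -p ""` leaves behind.
has_empty_password() {
  [ -z "$(shadow_field "$1" 2)" ]
}

# 0 when the last-change field is 0, i.e. what `chage -d 0` produces and what
# makes login demand a new password.
change_forced() {
  [ "$(shadow_field "$1" 3)" = "0" ]
}

# 0 when sshd would accept an empty password. sshd honours the first
# uncommented PermitEmptyPasswords directive; the built-in default is "no".
sshd_permits_empty() {
  printf '%s\n' "$1" | grep -i '^[[:space:]]*PermitEmptyPasswords[[:space:]]' \
    | head -n 1 | awk '{ print tolower($2) }' | grep -q '^yes$'
}

# Constructed sample entries (not real accounts or hosts).
FRESH='alice:!:16600:0:99999:7:::'      # user.present with no password given
RESET='alice::0:0:99999:7:::'           # after usermod -p "" && chage -d 0
NORMAL='bob:$6$salt$hash:16600:0:99999:7:::'
SSHD_BAD='PermitEmptyPasswords yes
PasswordAuthentication no'
SSHD_OK='# PermitEmptyPasswords yes
PermitEmptyPasswords no'

# The combination gboddin warns about: empty hash plus sshd permitting it.
if has_empty_password "$RESET" && sshd_permits_empty "$SSHD_BAD"; then
  echo "WARNING: empty password and sshd permits empty-password logins"
fi
```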
