This is not for users - perhaps I wasn't clear.
Basically, I want to allow our "Support Center" workers to reset other users' passwords. The support center would log on as the "resetpassword" account and be prompted for the user account to reset.
OK, this is getting more interesting.
The support center would log on as the "resetpassword" account and be prompted for the user account to reset.
So, how do you have individual accountability for whomever it was that reset a password if you have a shared "resetpassword" account?
And how do you ensure the security of that password if it's shared?
And what kind of authentication are you using to the web service? Why is this a web service at all?
Even if you keep them from not resetting "root", perhaps they can reset the password of someone who can become root. This seems like false security.
Enquiring minds want to know.
-- Randal L. Schwartz, Perl hacker
Answering all this gets a little complex, let's see how well I can do.
First, to clear this all up a little, this is not a web service.
The machine in question is running DG/UX, it's not one I administer or even really use. The system is one that no one has a shell account on other than a few admins. The users login and are directed into a menu-based application (for healthcare).
I got involved over some security concerns on the system (I noticed it had open NFS shares) and started asking some basic security questions. There were several problems, notably that it's not using shadow passwords, and that the current method for resetting user passwords on the system is by logging in as "resetpassword" which then prompts you for the account to reset. The current "resetpassword" has no password. (insert loud bells and whistles going off here)
Shadow passwords was an easy one to convince them on, they turned them on. Which broke their current "resetpassword" method.
So since I am the one who suggested all of this, I've been asked to provide a replacement for the process. I'm free to make it as "secure" as I want using my own devices. However, I don't even have shell access on the box, and I have next to no experience on DG/UX.
That said, I worked with them to a happy medium of keeping the resetpassword account, putting a password on it, and limiting what accounts it can reset. They absolutely will not give the root password out to those who need to reset passwords for users.
Sudo is a nice idea, and I'm familiar with it, but I don't see any indication it will even compile on DG/UX, and the administrator of the system is hesitant to try anything like that. (he's also about 1500 miles away, so communication is poor at best). I do have a request in to him to look at it, but my expectations are low.
Apologies for the long post, but I'm very open to suggestions on how to go about this. My goal is to get this box secure, or at least as secure as I can.
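One way to express the "limiting what accounts it can reset" rule discussed in this thread, as an added Perl example that is not code from any of the posters: it refuses system accounts, anyone with a real shell, and members of privileged groups, which covers the "someone who can become root" concern. The UID floor, the menu application path, the group names and the sample passwd/group lines are all assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed policy values (hypothetical; adjust to the site).
my %POLICY = (
    min_uid     => 500,                        # below this: system accounts
    menu_shell  => '/usr/local/bin/menuapp',   # hypothetical menu application
    deny_users  => { map { $_ => 1 } qw(root resetpassword) },
    priv_groups => { map { $_ => 1 } qw(root wheel sys adm) },
);

# Returns (1, 'ok') or (0, reason). Takes passwd and group contents as text.
sub may_reset {
    my ($target, $passwd, $group) = @_;
    # Validate the prompt input before it is compared or passed anywhere.
    return (0, 'bad username syntax')
        unless defined $target && $target =~ /\A[a-z][a-z0-9_]{0,31}\z/;
    return (0, 'explicitly denied') if $POLICY{deny_users}{$target};

    my ($entry) = grep { @$_ == 7 && $_->[0] eq $target }
                  map  { [ split /:/, $_, -1 ] } split /\n/, $passwd;
    return (0, 'no such account') unless $entry;
    my ($uid, $gid, $shell) = @{$entry}[2, 3, 6];
    return (0, 'system account')
        if $uid !~ /\A\d+\z/ || $uid < $POLICY{min_uid};
    # Only menu-only users qualify; anyone with a real shell is refused.
    return (0, 'not a menu-only account') if $shell ne $POLICY{menu_shell};

    for my $line (split /\n/, $group) {
        my @f = split /:/, $line, -1;
        next unless @f == 4 && $POLICY{priv_groups}{ $f[0] };
        return (0, "member of $f[0]")
            if $f[2] eq $gid || grep { $_ eq $target } split /,/, $f[3];
    }
    return (1, 'ok');
}

# Constructed sample data, not taken from the system discussed.
my $PASSWD = join "\n",
    'root:x:0:0:root:/:/bin/sh',
    'jadmin:x:501:100:Admin:/home/jadmin:/bin/sh',
    'bsmith:x:502:100:Nurse:/home/bsmith:/usr/local/bin/menuapp',
    'cjones:x:503:100:Clerk:/home/cjones:/usr/local/bin/menuapp';
my $GROUP = join "\n", 'wheel:x:10:root,cjones', 'users:x:100:';

for my $u ('bsmith', 'cjones', 'jadmin', 'root', 'nobody; id') {
    my ($ok, $why) = may_reset($u, $PASSWD, $GROUP);
    printf "%-12s %s (%s)\n", $u, $ok ? 'ALLOW' : 'DENY', $why;
}
```

A check like this only decides whether a reset is permitted; who performed it still has to be recorded separately, since a shared "resetpassword" login does not identify the operator.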