NAME

chngpwd.pl - A secure one-liner PAM password changer


SYNOPSIS

chngpwd.pl [-d | --debug] [ -q | --quiet ] username old_password new_password


DESCRIPTION

chngpwd.pl is a program that lets any user change any other user's password, provided the caller knows that user's current password.

It should be able to work on any PAM aware system.

This makes it easy to use as a wrapper for a system password changer, e.g. called from a CGI.

-d, --debug Shows debugging messages (helpful only for finding bugs).
-q, --quiet Quiet mode. Does not output any normal message.
-e, --extra Extra parameter. Anything specified as an argument to -e is logged together with the normal log entry. Useful for parsing the logs.


EXIT STATUS

chngpwd.pl returns a distinct exit status for each outcome, so the result can be read directly from its exit code:

  1. Password successfully changed.

  2. Wrong number of arguments passed to the program.

  3. The program is not suid.

  4. Root is trying to run the program (not allowed, but behaviour can be changed).

  5. Cannot change users password. It is a special account.

  6. Authentication Error. The old password did not match.

  7. Bad new password.

  8. Provided username is invalid.

  9. Internal Error. PAM could not be initialized.

  10. Internal Error. Could not load Sys::Syslog.

  11. Internal Error. Could not load Authen::PAM or it is not installed.

  12. Internal Error. Unknown PAM response.

  13. Internal Error. Could not open mail program.

  14. Internal Error. Could not identify PAM's PROMPT message.

  15. Internal Error. PAM replied with an unidentified error message.

  16. Internal Error. Something unexpected happened.

  17. Internal Error. User not allowed to run the program.

  18. Internal Error. The PAM system did not ask for the current password.

  19. New password unacceptable. It is really short.

  20. New password unacceptable. It is short (still).

  21. New password unacceptable. It does not contain enough different characters.

  22. New password unacceptable. It is too simple or too systematic.

  23. New password unacceptable. It is too similar to the old one.

  24. New password unacceptable. It is too simple or based on a common word.

  25. Password unchanged. Usually happens if the old and new passwords are equal.


SECURITY AND INTERNALS

This program needs to be suid root to run.

If you still haven't given up yet, you have to read the source code before using this application. I have checked its code many times to make sure it doesn't have any security flaw. However, I am not perfect.

If you find any security issue (or would like to talk about this), please mail me.

There are lower and upper uid limits for the accounts this program will operate on. They default to <500 (lower limit) and >60000 (upper limit), as those ranges are usually used for system accounts. This can be changed in the $opt variable.

The program logs all activity to syslog, and mails the administrator (root) if any unexpected behaviour is found.

By default many configuration options were deliberately kept off the command line, so the administrator has to change their default values inside the script (such as the syslog facility to use and the mail program that should be called). Since the program runs suid root, accepting these from the command line would allow unwanted behaviour to go untracked.

By default the program refuses to be run by root. That is because of PAM's behaviour: if the real uid != 0 but the effective uid == 0, PAM lets the password be changed when the old password is known (the wanted behaviour). OTOH, if the real uid == 0, PAM will not ask for the old password at all. As this program was designed to be a wrapper, that is probably not what the administrator wants, so it refuses to run. This behaviour can be changed inside the program.

If PAM does not ask for the current password (and asks only for the new one), the program aborts with an error.

This program relies on the prompt messages given by PAM when changing a password. This means that if those messages change, the application will not know what to do.

To prevent translations getting in the way (and possible security flaws), this program deletes all environment variables before starting the PAM library.

When an unexpected message arrives from PAM, the application mails a bug report to the admin. In the case of a new PAM message, the administrator just has to add its handling to the application (and send me a bug report so this can be fixed for other users too).

The $message variable is a hash reference holding the expected messages. Each key is the actual message text, and its value is the action to take:

  1. Give the old password.

  2. Give the new password for the first time.

  3. Give the new password for the second time.

This is necessary because sometimes you will need to give the password more than 2 times (e.g. LDAP authentication through the pam_ldap module).

In the same way, error messages are kept in the $bad_msg variable. Each key is the error message with the string "BAD PASSWORD: " stripped, and each value is the exit code plus 100 (the program subtracts 100 before exiting).

If you manually add new messages, don't forget to update this documentation at the end of the program's file.

Setting the variables $opt->{restrict_to_one_user} and $opt->{uid_restricted} configures the script to be runnable only by the uid specified in $opt->{uid_restricted}. This is handy to allow only one specific user (e.g. a web server) to change passwords and restrict access from everyone else.
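As an added example (not the chngpwd.pl source), here is the core of such a wrapper in Perl using Authen::PAM: the $message and $bad_msg tables drive the conversation callback, and the uid checks and environment scrubbing described above happen before PAM is started. The prompt and error strings, the "passwd" service name and the uid range are assumptions; take the real prompt wording from the PAM modules on your own system.

```perl
use strict; use warnings;
use Authen::PAM;                    # assumed installed; exports pam_* and PAM_* constants
my ($user, $old, $new) = @ARGV;
exit 2 unless defined $new;         # wrong number of arguments
exit 3 if $> != 0;                  # effective uid must be 0 (suid root)
exit 4 if $< == 0;                  # real uid 0 would let PAM skip the old password
my $uid = getpwnam($user);
exit 8 unless defined $uid;         # invalid username
exit 5 if $uid < 500 || $uid > 60000;   # outside the allowed range: system account
%ENV = ();                          # drop locale etc. before PAM loads
# prompt text (assumed) -> action: 1 = old password, 2 = new, 3 = new again
my $message = {
    '(current) UNIX password: '  => 1,
    'New UNIX password: '        => 2,
    'Retype new UNIX password: ' => 3,
};
# "BAD PASSWORD: " reason (assumed) -> exit code plus 100
my $bad_msg = {
    'it is WAY too short'           => 119,
    'it is too short'               => 120,
    'is too similar to the old one' => 123,
};
my $asked_old = 0;
sub conv {                          # PAM conversation callback
    my @res;
    while (@_) {
        my ($code, $msg) = (shift, shift);
        my $ans = '';
        if ($code == PAM_PROMPT_ECHO_OFF() || $code == PAM_PROMPT_ECHO_ON()) {
            my $action = $message->{$msg};
            exit 14 unless defined $action;         # prompt we do not recognise
            $asked_old = 1 if $action == 1;
            $ans = $action == 1 ? $old : $new;
        } elsif ($code == PAM_ERROR_MSG()) {
            (my $reason = $msg) =~ s/^BAD PASSWORD: //;
            exit($bad_msg->{$reason} - 100) if exists $bad_msg->{$reason};
            exit 15;                                # unidentified error message
        }
        push @res, (PAM_SUCCESS(), $ans);           # PAM_TEXT_INFO gets an empty reply
    }
    return (@res, PAM_SUCCESS());
}
my $pamh;
exit 9 unless pam_start('passwd', $user, \&conv, $pamh) == PAM_SUCCESS();
my $rc = pam_chauthtok($pamh);
pam_end($pamh, 0);
exit 18 unless $asked_old;          # PAM never asked for the current password
exit($rc == PAM_SUCCESS() ? 1 : 6); # 1 = changed (as documented above), 6 = old password rejected
```

Logging to syslog and the mail-on-unexpected-message behaviour are left out here; they would wrap the exit calls for codes 12, 14 and 15.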


REPORTING BUGS

Please send bug reports, criticism, comments and patches to <raul@dias.com.br>


SEE ALSO

pam, passwd, perl


AUTHOR

Raul Dias <raul@dias.com.br>