# Giving non-shell users a way to change their passwords

## JC Denton

A little bit of background.  One of my machines is a login host, web and mail server all rolled into one.  There are users that can shell in and there are those that can't.  The ones that cannot usually just have a mail-only or web-only account.  Their shells are set to nologin and they're denied SSH access (or set up with an internal-sftp chroot for web hosting).  This has worked out really well so far.  The one difficulty I often encounter is trying to figure out how to allow the users to change their passwords without shell access.  Since it's a good security practice and there's increased awareness of password security post-Heartbleed, I'd love to provide end users this functionality on my server.

Most of the packages out there to serve this purpose are either severely out of date or have known vulnerabilities.  I'd roll my own, but I feel like it couldn't possibly be as secure.  Asking in other forums has led to people suggesting I install webadmin or cPanel.

Any suggestions?

----------

## Naib

Does the server have a httpd running and can it run https?

A simple CGI should facilitate this, using POST to minimise MITM, to then locally call passwd.

----------

## JC Denton

*Naib wrote:*

> Does the server have a httpd running and can it run https?
> 
> A simple CGI should facilitate this using POST to minimise mitm to then locally call passwd

It does.  I suppose I could craft one.  Wouldn't some part of that process have to be setuid, though?

Another idea I came up with was having sshd listen on another port and use Match to force users connecting on that port to only run passwd.  What do you think?

----------

## szatox

I'm not sure if it would work, but two things come to my mind:

1) set their shell to $(which passwd)

2) make a group for them (like nologin or something) and in the sshd config use the group-wide ForceCommand option

For example, I have:

```
Match Group sftp
   ForceCommand internal-sftp
```

I'd expect either of those to do the trick, but well, never tried.

----------
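The ForceCommand idea from the last two posts, worked through as an added example (this is not code from the thread): sshd starts a ForceCommand through the account's login shell (`shell -c passwd`), so the nologin/false shells described in the first post would make the forced passwd fail for exactly the accounts it is meant for. The audit below runs on constructed passwd and group data; the group name `pwchange` and the `/usr/bin/passwd` path are assumptions.

```shell
#!/bin/sh
# Added example: check which members of the password-change group could
# actually run an sshd ForceCommand. sshd executes the forced command via
# the user's login shell ("$SHELL -c passwd"), so a nologin or false shell
# means the forced passwd never starts. Data below is constructed, not
# taken from a real host; "pwchange" is an assumed group name.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/sh
dave:x:1004:1004::/home/dave:/bin/bash'
GROUP_DATA='sftp:x:2000:dave
pwchange:x:2001:alice,bob,carol'

# Print the members of group $1 from GROUP_DATA, one per line.
group_members() {
    printf '%s\n' "$GROUP_DATA" |
        awk -F: -v g="$1" '$1 == g { gsub(",", "\n", $4); print $4 }'
}

# Print the login shell of user $1 from PASSWD_DATA.
user_shell() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# For each member of group $1 print "user shell ok|blocked"; "blocked"
# means sshd could not launch a ForceCommand through that shell.
audit_forcecommand_group() {
    for u in $(group_members "$1"); do
        s=$(user_shell "$u")
        case "$s" in
            */nologin|*/false|"") printf '%s %s blocked\n' "$u" "$s" ;;
            *) printf '%s %s ok\n' "$u" "$s" ;;
        esac
    done
}

# Emit the sshd_config stanza that restricts group $1 to running passwd.
# passwd needs a TTY, hence PermitTTY; forwarding is switched off since
# these accounts have no other legitimate use for the session.
emit_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '    ForceCommand /usr/bin/passwd\n    PermitTTY yes\n'
    printf '    AllowTcpForwarding no\n    X11Forwarding no\n'
}

audit_forcecommand_group pwchange
emit_match_block pwchange
```

Accounts reported as blocked need a real shell (such as /bin/sh) for the Match block to work; the ForceCommand itself is what keeps them from getting an interactive session.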

