# Allow SCP/SFTP user to change password

## fourhead

My situation: I finally have a SFTP server running for several users. Each user has its own chrooted home directory, and all users have 'scponly' as shell so they can't log in via SSH, but they can do SFTP/SCP. What I want is that each user can change his own password as he likes. Since they can't execute commands on the server, I came up with the following idea:

I create a file 'password' in each user's chroot that is editable by the user. The user could write his new password (perhaps twice) into this file and save it. I'd then need a little script that checks this file either when the user logs out or every few minutes (via cron) and uses the passwd command to set the new password for the user in the regular /etc/shadow file on the server.

I'm wondering, is this a 'good' solution (I'm afraid it's not), is it safe (the password is stored in cleartext in this file) and how could I do this better?

Tom

----------

## nahpets

Just an idea here...

What about setting up a common SSH account called "scppw" or something that starts a script which will execute passwd for the user's account.

I'm not sure how to set it up, but I know you can make a login script to do that because I've seen it done.

----------

## fourhead

Um, I don't exactly know what you mean. Do you mean I should use one account for all my sftp users? Or an extra account that allows them to change their password somehow? Could you explain a little more please?

Tom

----------

## nahpets

I just tried it and got it working like so:

Step 1

- Created a user called "sshpw" with a password "sshpw".  

- Set the shell for user "sshpw" as "/bin/bash".

Step 2

- append the following 2 lines to the end of "/home/sshpw/.bashrc"

```
./sshpw.sh
exit
```

Step 3

- Wrote the "sshpw.sh" script that changes a user's password via "sudo".

```
#!/bin/bash
echo
echo -n "Enter your login name and press [ENTER]: "
# -r keeps backslashes literal in the name typed by the user
read -r NAME
echo
# quoting the name keeps a value containing spaces from being split into extra sudo arguments
sudo -u "${NAME}" passwd
```

Step 4

- created a user called "sftpuser" with "/bin/false" as the shell.

- Started SSH on my machine.

- Tried logging in with ssh:

```
$ ssh -l sshpw localhost
Password:
Last login: Fri Apr 22 22:59:12 2005 from localhost
Enter your login name and press [ENTER]: sftpuser
Password:
Changing password for sftpuser
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Connection to localhost closed.
```

Notes

- You need to look at the "sudo" docs to set things up properly.

- The first time a user executes sudo, he gets prompted for his password, hence the 2 password prompts in the above output.

- You can make things more secure by adding restrictions to the "sshpw" account.

- I think there's a way to skip bash entirely and execute the script directly.  Try searching the forums.

- Of course, you probably should make the bash script more robust and informative so that the user knows what's going on.

EDIT

Another way is to change the login shell for each user to "/bin/passwd".  You'll need to add "/bin/passwd" to "/etc/shells" for this to work.  I only got this half-working because I can use it via "su sftpuser", but not through ssh.  There may be some ssh configuration options there.
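
A hardened variant of the sshpw.sh idea above, written for this edit as an added example (not nahpets' script and not the scponly project's code). It keeps the same flow, prompt for a login name and run passwd as that user via sudo, but refuses names that are not plain local account names (so nothing typed at the prompt can be read by sudo as an option), refuses root, and only accepts accounts that belong to one group. Assumptions: it is installed as the login shell of a dedicated password-change account, the group name defaults to "users" (overridable via ALLOWED_GROUP), and /etc/sudoers lets that account run passwd with no arguments as members of that group. As in the session above, sudo may still ask for the password-change account's own password first.

```shell
#!/bin/sh
# Added example: hardened password-change login shell. Assumes a sudoers rule that
# lets the account running this script execute passwd (no arguments) as members of
# ALLOWED_GROUP. Group name and script name are assumptions, not from the thread.
ALLOWED_GROUP="${ALLOWED_GROUP:-users}"

# Accept only names shaped like local account names: a lowercase letter or
# underscore first, then lowercase letters, digits, '_' or '-', at most 32 chars.
# Anything starting with '-' (which sudo would parse as an option), containing
# whitespace or shell metacharacters, or empty, is rejected.
valid_login_name() {
    case "$1" in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# True only if the account exists and is a member of ALLOWED_GROUP.
# root is refused outright: passwd run as root skips the current-password check.
allowed_target() {
    [ "$1" != root ] || return 1
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$ALLOWED_GROUP" ] && return 0
    done
    return 1
}

# Validate, then run passwd as the target user. Returns 1 without calling sudo
# when the name is rejected, so the sudoers rule is the second line of defence,
# not the only one.
change_password() {
    _name="$1"
    if ! valid_login_name "$_name"; then
        echo "Invalid login name." >&2
        return 1
    fi
    if ! allowed_target "$_name"; then
        echo "That account cannot change its password here." >&2
        return 1
    fi
    # '--' ends sudo's option parsing; passwd with no arguments changes the
    # target's own password and, since it runs as that user and not root,
    # prompts for the current password first.
    sudo -u "$_name" -- passwd
}

main() {
    printf 'Enter your login name and press [ENTER]: '
    IFS= read -r _input
    change_password "$_input"
}

# Prompt only when attached to a terminal (i.e. when used as a login shell).
if [ -t 0 ]; then
    main
    exit $?
fi
```

Set the script as the password-change account's shell (or call it from that account's .bashrc as in the steps above) and add its path to /etc/shells; the `[ -t 0 ]` guard means the functions can also be sourced and checked without prompting.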

----------

## fourhead

Hi,

thanks for your how-to, I'll definitely try this. Couldn't I just use the sshpw.sh (your custom script) as the user's shell? All SFTP users have 'scponlyc' as shell, which is a restricted shell only for use with SCP/SFTP and which chroots the user. But this other password-changing user could have sshpw.sh as shell probably...

Thanks a lot!

Tom

----------

## fourhead

Wow thank you so much! It works like a charm! I've set this little pw-change script as the shell and this indeed works perfectly. I was thinking that I could basically use this for any type of user; I now have a script called 'change-ssh-pw.sh', but I could also create a script 'change-mail-pw.sh' so that my pop/imap users would be able to easily change their password on their own.

One question though: I had sudo setup for root only, so I also had to set it up for this pw-change user. I have this line in /etc/sudoers:

```
changepw ALL=(ALL) ALL
```

How would I have to modify this line so that this user can only execute passwd? Um, I just found out I don't need the password-change user in sudoers, I need all users that might change their password with this script in sudoers. They are all in the group 'users', so how would I have to set up /etc/sudoers so that all users of a certain group can execute passwd?

Tom

----------

## nahpets

Glad I can help.

*Quote:*

> Couldn't I just use the sshpw.sh (your custom script) as the user's shell? All SFTP users have 'scponlyc' as shell, which is a restricted shell only for use with SCP/SFTP and which chroots the user. But this other password-changing user could have sshpw.sh as shell probably...

You can set the shell to "/bin/passwd" instead...  Like I said though, I got it to work when doing "su sshpw" but not when I tried logging in with "ssh".  I was getting PAM related messages in my logfiles.  You can do some digging...

If you want to stick with SUDO, I'd make a group called "ssh" or something and set it up in "/etc/sudoers" so that only "passwd" can be executed by that group.  Then add everybody who uses ssh to that group.

Also, to add some security, you can set the shell for "sshpw" to be restricted, i.e. /bin/rbash instead of /bin/bash.

EDIT

I was able to get it to work for a user through ssh (don't know why it suddenly started working).  Here's what I did:

1. create user "sftpuser"

2. Set "/bin/passwd" as the shell for "sftpuser"

3. add "/bin/passwd" to "/etc/shells"

4. start sshd "/etc/init.d/sshd start"

5. ssh -l sftpuser localhost

```
$ ssh -l sftpuser localhost
Password:
Last login: Sun Apr 24 02:14:32 2005 from localhost
Changing password for sftpuser
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Connection to localhost closed.
```

As you can see, you have quite a few options here.  You can set anything you want to be your login shell.  I read somewhere that a guy set up a simple ncurses program to be his shell.
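
For the sudoers question earlier in the thread (the "changepw ALL=(ALL) ALL" line, and the advice to let only passwd be run for a group), here is an added example of what the tightened rule looks like. It is written for this edit and is not a line from either poster; it assumes the password-change account is called "changepw", the SFTP accounts are members of group "users", and passwd lives at /usr/bin/passwd (adjust the path to what `which passwd` reports on the system). The sudoers "%group" syntax in a Runas list and the `""` empty-argument restriction are standard sudoers features.

```text
# Broad rule quoted in the thread: changepw may run any command as any user,
# including root, which would let passwd skip the current-password check.
changepw ALL=(ALL) ALL

# Tightened: changepw may run only passwd, only with no arguments, and only
# as a member of group "users". passwd then changes that user's own password
# and prompts for the current one, because it is not running as root.
changepw ALL=(%users) /usr/bin/passwd ""

# If, as suggested above, the invoking accounts are instead members of a
# group of their own (here "ssh"), the same restriction applied to that group:
%ssh ALL=(%users) /usr/bin/passwd ""
```

Edit the file with visudo so a syntax error cannot lock out sudo, and keep root out of the Runas list: as long as passwd runs as the target user rather than root, a mistyped or guessed login name at the prompt still ends at the "(current) UNIX password:" check shown in the session above.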

----------

