11

I have a Samba server for about 5 users (security = user) and I want a way for these users to change their passwords without my involvement so I have the following idea. Is this secure? Is there a better (as in more simple) approach. We used to have SWAT for this but no more.

On server: create restricted user (/bin/rbash + PATH to single directory)

$ sudo adduser --shell /bin/rbash pwchange

$ cat /etc/passwd
  pwchange:x:1001:1001:pwchange,,,:/home/pwchange:/bin/rbash

$ sudo vi /home/pwchange/.bashrc
  Add:
  export PATH=/usr/local/pwchange

$ sudo ln -s /usr/bin/smbpasswd /usr/local/pwchange/smbpasswd

This idea here is that only the sambpasswd command can be run by the pwchange user. The unix accounts for the Samba users do not have passwords (i.e. log on via these accounts not allowed). The samba users would only be able to use this restricted account for self service Samba password changes ... no exploring the server!

Client: Change Samba password via Terminal or Putty (Windows)

user1@A3700:~$ ssh pwchange@192.168.1.14

pwchange@V220:~$ smbpasswd -U user1
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user user1
brucehohl
  • 111
  • But I thought smbpasswd was meant for users and admin alike to change their passwords... Is that what you want? – George Udosen Dec 17 '17 at 05:07
  • In this case the Unix accounts of the users do not have passwords, therefore, user1 cannot log on as user1@192.168.1.14. The Samba server was setup as "security = user" and file restrictions were set in smb.conf. Users were not allowed a Unix logon as the underlying Unix file permissions were more permissive than the combination of Samba and Unix file permissions (Unix extended ACLs were not used.) – brucehohl Dec 18 '17 at 10:41
  • 1
    At my college we had a self serving portal which users can auth using id and sms verification, and in the background we issued the smbpasswd command – Rabin Oct 25 '18 at 05:12

1 Answers1

3

Giving them all access to the same dummy account doesn't sound smart. Even if you lock it down to have access to nothing BUT smbpasswd they could still change eachother's passwords. And there's always possibility of a malicious privilege escalation attack.

Essentially what it sounds like you want is to allow them to run ONLY the smbpasswd command from their own user account while still having an equivalent to a nologin account.

This can be accomplished with the use of the "ForceCommand" option in your sshd_config.

Try this:

  1. Grant each user with a Samba account membership to the same group. For our example let's say "sambaOnly":

    #From Root
groupadd sambaOnly
usermod -a -G sambaOnly Joe

  2. Next, we want to change our sshd_config file to have the following:

    #From Root
cat << EOF >> /etc/ssh/sshd_config
Match Group sambaOnly
    ForceCommand smbpasswd
EOF

Presto. From my understanding (and brief testing) this means when they login via SSH they will automatically have the smbpasswd command run and they will be prompted accordingly. They will never get the chance to have shell access. After the command completes they are automatically disconnected, again never getting a chance to have shell access.

I am not 100% sure this removes all access to the machine remotely. For example, if you are running a different SSH server on the same machine that doesn't ForceCommand them, then they could login via that depending on its access control config.

Also, if they have the opportunity for physical access to a terminal they can login.

However, I think for most situations this is fairly strong access control.

Geraden
  • 513