Can a user with ssh keys set their own password after logging in with keys without knowing their password?
Olivia Zamora
I'm playing around with a script to create a user across a number of machines. I'd like to not know the user's password at any time, but having the public SSH keys is quite acceptable to me. The user will need to use sudo so a password is needed for privilege escalation. Can the user set the password for themselves without having a password to log in? So far, all my testing of this password creation scheme has failed to find a way for the user to change their password.
Here is the script so far.
```bash
# Must be run with root permissions
# sudo will be sufficient
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Create User
user=newadmin
adduser "$user" --disabled-password --gecos "New Admin"
adduser "$user" sudo
adduser "$user" adm

# Create and populate authorized keys
keys=/home/$user/.ssh/authorized_keys
mkdir "/home/$user/.ssh"
chmod 700 "/home/$user/.ssh"
touch "$keys"
chmod 600 "$keys"
cat <<EOT >> "$keys"
${relevant_content_for-authorized_keys-file_here}
EOT
chown -R "$user:$user" "/home/$user/.ssh"

# Check that the file exists and that ownership is correct
# TODO: check permissions of file and directory also
# The test needs spaces around the operator; without them it is always true
if [ "$(stat -c '%U' "$keys")" = "$user" ]; then
    echo "Successfully created $keys for $user"
else
    echo "Failed to configure $keys properly for $user"
fi
```

If I must, I'll fall back on a short password expiration, but I'd rather them not be able to elevate privileges until their password is set to something I don't know.
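```bash
# chpasswd expects "user:password" on each input line
echo "$user:password" | chpasswd
# Maximum password age of 4 days
chage -M 4 "$user"
```

Yes, I know I'm a paranoid sysadmin. :-)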
1 Answer
Your question is not making much sense as the user in question has sudo access.
So ...
- Yes, a user can change the password on the ssh keys.
and
- A user with root access can change the password of any other user on the system or lock an account without knowing the password of the target account.
I am not sure how you are giving them root access or if root access is limited in any way. If you are using the default sudo configuration, then they know their password so can change it. If you are using su, once they have root access they can do what they wish unless you restrict them with a tool such as apparmor or selinux.
Perhaps you can lock the account and force the new user to set a password at first login.
From
Add this to your script:
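```bash
# Delete the account's password (leaves it empty)
passwd -d "$user"
# Set the last-change date to 0 so a new password must be set at next login
chage -d0 "$user"
```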
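
A check for the state this procedure leaves the account in, as an added example that is not part of the original question or answer: `shadow_state` classifies an `/etc/shadow` entry (locked, empty or set, and whether a change is forced), and `check_key_perms` covers the TODO in the question's script. Both function names and the sample shadow lines are constructed for illustration; `stat -c` assumes GNU coreutils, as the question's script does.

```bash
#!/bin/bash
# Added example, not from the post. Classify an /etc/shadow entry:
# field 2 is the password hash, field 3 the day of the last password change.
shadow_state() (
    IFS=: read -r name hash lastchg rest <<EOF
$1
EOF
    case "$hash" in
        '')        state=empty ;;    # `passwd -d`: no password at all
        '!'*|'*'*) state=locked ;;   # no usable hash, e.g. --disabled-password
        *)         state=set ;;
    esac
    # `chage -d0` stores 0 here, which forces a change at the next login
    if [ "$lastchg" = "0" ]; then state="$state,must-change"; fi
    printf '%s\n' "$state"
)

# The TODO from the question's script: owner and mode of ~/.ssh and the key file.
# Arguments: expected owner, home directory.
check_key_perms() (
    owner=$1 dir=$2/.ssh
    [ "$(stat -c '%U %a' "$dir")" = "$owner 700" ] &&
    [ "$(stat -c '%U %a' "$dir/authorized_keys")" = "$owner 600" ]
)

# Constructed sample entries (hash shortened), one per stage of the procedure.
for line in \
    'newadmin:*:19800:0:99999:7:::' \
    'newadmin::0:0:99999:7:::' \
    'newadmin:$6$constructed$hash:19801:0:99999:7:::'
do
    printf '%-50s %s\n' "$line" "$(shadow_state "$line")"
done
```

As root, `shadow_state "$(getent shadow newadmin)"` reports the live entry. An `empty` result means the account has no password at all until the user sets one.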