Can a Linux user change their password without knowing the current password?

Sudo, in its most common configuration, requires the user to type their password. Typically, the user already used their password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned their console and been hijacked.

In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.

A user normally needs to know their current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.

You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.

You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.
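
A way to check the result of the sshd_config and common-auth changes described above, as an added example that is not part of the original answer. The function names and the sample files are constructed for illustration. It assumes upstream OpenSSH defaults for unset keywords (PasswordAuthentication yes, KbdInteractiveAuthentication yes, UsePAM no), whitespace-separated keywords, and no Include files.

```shell
#!/bin/sh
# Added example: offline audit of sshd_config / PAM files for password login.

# Print the first global value of a keyword (KEYS: lowercase regex), else DEFAULT.
# sshd uses the first value it reads; lines after "Match" apply conditionally.
sshd_effective() {  # FILE KEYS DEFAULT
    awk -v keys="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" keys ")$") { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# True when an uncommented "auth ... pam_unix.so" line is present.
pam_unix_auth_active() {  # PAM_FILE
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1"
}

# Exit 0 only if neither route to a password prompt is open.
ssh_password_login_disabled() {  # SSHD_CONFIG PAM_FILE
    pw=$(sshd_effective "$1" 'passwordauthentication' yes)
    kbd=$(sshd_effective "$1" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    pam=$(sshd_effective "$1" 'usepam' no)
    rc=0
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication=$pw"; rc=1; }
    # keyboard-interactive hands the prompt to PAM, where pam_unix asks for the password
    if [ "$kbd" = yes ] && [ "$pam" = yes ] && pam_unix_auth_active "$2"; then
        echo "FAIL: keyboard-interactive reaches pam_unix via PAM"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PasswordAuthentication no' 'UsePAM yes' \
    'Match User backup' '    PasswordAuthentication no' > "$tmp/sshd_weak"
printf '%s\n' 'PasswordAuthentication no' 'PasswordAuthentication yes' \
    'KbdInteractiveAuthentication yes' 'UsePAM yes' > "$tmp/sshd_hard"
printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok' > "$tmp/pam_on"
printf '%s\n' '#auth [success=1 default=ignore] pam_unix.so nullok' \
    'auth requisite pam_deny.so' > "$tmp/pam_off"

ssh_password_login_disabled "$tmp/sshd_weak" "$tmp/pam_on"  || echo "weak: password login possible"
ssh_password_login_disabled "$tmp/sshd_hard" "$tmp/pam_off" && echo "hardened: password login disabled"
```

On a live host, sshd -T prints the configuration sshd actually uses, including Include files and distribution defaults that this file-level check does not follow.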


You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry

auth       sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

before the other auth (or include) entries in /etc/pam.d/sudo

and

Defaults    env_keep += "SSH_AUTH_SOCK"

to /etc/sudoers (via visudo).

Now every user can either authenticate to sudo via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c such that each sudo call will at least require some confirmation.


Yes, it's incredibly insecure and also allows a user to access the other users' passwords, but since they have sudo, not much you can do.

Basically, you do the following:

$ sudo -i

Now, we are root. We have access to everything.

# passwd $username

$username can be anyone's username.

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

Boom, password changed. Again, incredibly insecure because you can change anyone's, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.