Sudo, in its most common configuration, requires the user to type their password. Typically, the user already used their password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned their console and been hijacked. In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.

A user normally needs to know their current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER.
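The protection described above holds only while sudo actually prompts for the password. As an added example (not part of the original page), this Python audit flags sudoers entries that remove the prompt: the `NOPASSWD:` tag and a `Defaults` line with `!authenticate`. The sample content and function names are constructed for illustration, and include directives are not followed.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Defaults:deploy !authenticate
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /usr/bin/tar
alice   ALL=(ALL) PASSWD: ALL
"""


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined,
    whitespace normalised, and blank or comment lines skipped."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = " ".join((buf + raw).split()), ""
        first, start = start, None
        if line and not line.startswith("#"):
            yield first, line


def audit(text):
    """Return (line_number, kind, line) for entries where sudo will not
    ask for the invoking user's password."""
    findings = []
    for n, line in logical_lines(text):
        is_defaults = line.startswith("Defaults")
        if is_defaults and re.search(r"!authenticate\b", line):
            findings.append((n, "defaults-no-auth", line))
        elif not is_defaults and re.search(r"\bNOPASSWD\s*:", line):
            findings.append((n, "nopasswd", line))
    return findings


if __name__ == "__main__":
    for n, kind, line in audit(SAMPLE_SUDOERS):
        print(f"line {n}: {kind}: {line}")
```

To audit a real system, pass the contents of the sudoers file and each file it includes to `audit()`.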