On Mon, Apr 07, 2003 at 07:01:22PM -0500, WideGlide@MyRealBox.com wrote:
* Avi Schwartz [04-07-03 17:16]:
In Linux you can use the -e parameter to expire the password immediately and force the user to change the password on the next login.
Will not help in this case. User has forgotten his password.
Well, it will, sort of. Basically, you can retrieve a password from the system. However, it takes quite a long time, since it basically involves a brute force attack by trying every possible value until you find one that works. If you've configured the system to use one of the more secure types of password (e.g. MD5), then it's much more difficult, and takes a lot more CPU power (possibly so much that it's impractical). There are shortcuts, such as trying dictionary words (and permutations thereof), birthdays, names, etc. first, but this is still a 'brute force' attack, albeit slightly more intelligent.

The correct way to do this is as mentioned above. Make up a new password for the user, and give it to them. Log in as root, and change their password to this new value, but use the -e option to force it to expire immediately. They can then log in using the password you've just given them, but they have to change it straight away. That way, only *they* end up knowing their own password - you don't need to know it yourself, since you can su to their username from root without a password.

If you're looking for speed, then you should just set a new password. Trying to get back the old one will (should) take a long time. If you can crack their password very quickly, you need to educate your users to use more secure passwords.

HTH...

--
David Smith
Work Email: Dave.Smith@st.com
STMicroelectronics
Home Email: David.Smith@ds-electronics.co.uk
Bristol, England
GPG Key: 0xF13192F2
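The reset procedure described in the reply above, as an added example that is not part of the original message: a root-run shell helper that makes up a random temporary password, sets it through `chpasswd` on stdin so it never appears in the process list, and then expires it with `passwd -e`. The function names, the `DRY_RUN` switch and the restriction on account-name characters are assumptions of this sketch; it assumes the Linux shadow-utils versions of `chpasswd` and `passwd`.

```shell
#!/bin/sh
# Added example: reset a forgotten password and force a change at next login.

# Print a 24-character hexadecimal temporary password (96 random bits).
gen_temp_password() {
    dd if=/dev/urandom bs=12 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# reset_password USER
# Prints the temporary password on stdout so it can be handed to the user.
# Return codes (chosen for this sketch): 2 bad name, 3 unknown user,
# 4 chpasswd failed, 5 passwd -e failed.
reset_password() {
    user=$1

    # chpasswd parses "user:password" lines, so refuse any name that is
    # not a plain account name (assumed policy: lowercase, digits, _ and -).
    case $user in
        ''|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 2 ;;
    esac

    # The account must already exist; this helper never creates users.
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 3; }

    temp=$(gen_temp_password)

    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Dry run: report the steps on stderr without touching /etc/shadow.
        echo "would run: chpasswd (via stdin), then passwd -e $user" >&2
    else
        # Feed the password on stdin, never as a command-line argument.
        printf '%s:%s\n' "$user" "$temp" | chpasswd || return 4
        # Expire it immediately so the first login forces a change.
        passwd -e "$user" >/dev/null || return 5
    fi

    printf '%s\n' "$temp"
}

# Stand-alone use (as root): sh reset.sh USERNAME
if [ $# -gt 0 ]; then
    reset_password "$1"
fi
```

Setting `DRY_RUN=1` runs the validation and password generation without changing anything, which is useful for checking the account name before doing the real reset.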