On Tue, 13 Apr 2010, Andrew Berg wrote:

> On 4/13/2010 2:03 PM, Mike Miller wrote:
>> You could have it run the passwd program immediately after the user logs
>> in.  Then it exits.  That's all it does.  I don't know how you'd make a
>> web interface do this.
>
> Someone suggested allowing ssh access and using /usr/bin/passwd as the 
> default shell off-list and it turns out not having /bin/false in 
> /etc/shells (I thought it was) was the reason users couldn't log in 
> before. I tried setting a test user's shell to /usr/bin/passwd and it 
> does exactly what you describe. The most damage an attacker could do 
> here is change the password of the compromised account.


That's very cool.  Good to know.

I remember that there used to be a Java applet that would do ssh -- called 
MindTerm -- but I guess it is proprietary.  Is there any free software 
that could be used for this kind of thing and embedded in a web page?

Mike
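
The two conditions discussed in the quoted reply, whether an account's login shell is listed in /etc/shells and which accounts have /usr/bin/passwd as their shell, can be checked read-only. This is an added example, not part of the original message; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, read-only: report each account's login shell and whether
# that shell is listed in the shells file.
# Usage: audit_shells [passwd_file] [shells_file]
# Output: user<TAB>shell<TAB>listed|unlisted
audit_shells() {
    awk -F: '
        # First argument (shells file): remember every listed shell.
        FILENAME == ARGV[1] {
            line = $0
            sub(/[ \t]+$/, "", line)
            if (line !~ /^[ \t]*#/ && line != "") valid[line] = 1
            next
        }
        # Second argument (passwd file): field 7 is the login shell;
        # an empty field means /bin/sh (see passwd(5)).
        NF >= 7 {
            shell = ($7 == "") ? "/bin/sh" : $7
            status = (shell in valid) ? "listed" : "unlisted"
            printf "%s\t%s\t%s\n", $1, shell, status
        }
    ' "${2:-/etc/shells}" "${1:-/etc/passwd}"
}

# Accounts whose shell is /usr/bin/passwd, with the listing status.
passwd_shell_users() {
    audit_shells "$@" | awk -F'\t' '$2 == "/usr/bin/passwd" { print $1 "\t" $3 }'
}

# Constructed sample data (not taken from the system in the thread).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# /etc/shells (constructed)' /bin/sh /bin/bash /usr/bin/passwd > "$d/shells"
    printf '%s\n' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'ftpuser:x:1001:1001::/home/ftpuser:/bin/false' \
        'pwonly:x:1002:1002::/home/pwonly:/usr/bin/passwd' > "$d/passwd"
    audit_shells "$d/passwd" "$d/shells"
    rm -rf "$d"
}
demo
```

Called with no arguments, audit_shells reads /etc/passwd and /etc/shells on the local machine.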