SSH tunnel server, no shell but still able to change pw?

I have an SSH tunnel server that some people at work are using instead of a vpn since it's much nicer and simpler.

I don't want to give the users shells at all but I still want them to be able to change their own passwords.

At the moment, they just execute /bin/cat so their session stays open but they cannot get any shell or input any commands.

I am thinking about perhaps making chroots for them instead in which case they can have a shell that has basically no view or access to anything, but I still want them to be able to change their passwords, however if they are in a jail then they cannot get access to the /etc/ files to change their pw.

Any ideas?

Is there any reason why you can't create a shell that only allows access to one's home directory and at the same time allows the passwd command?

They're going to have to have a shell to be able to do anything. I kind of wonder if Don is on the right path here. If you like a SGID thing or something so that they can't have ant read write or execute stuff outside of their own home directory. And then only give them privilages to execute /usr/bin/passwd and nothing else.

Would that be the right thing to do? I'm stressing out because my RHCT test starts in about an hour and a half.

removing permissions from other files seems very poor thing to do, you have to be able to read some files just to use a *nix system and I don't want people poking around or enumerating anything.

Making a restricted shell is risky by design I think. I'd use an official one but am not going to write one myself as it may be more difficult to get right than it first appears.

btw, good luck with your test!

I barely failed it. There was just one teeny tiny little detail in the troubleshooting part that I just couldn't freaking get to stay after my reboot. And on the troubleshooting part everything has to be completed to pass the entire test, so that kind of killed me. So I guess it's back to Denver in a few weeks!

I don't know how involved you wish to get, but you could set up a web service which authenticates over SSL only, using that username/password combination. Set up a PHP to some local script to change the password upon authentication.

Therein, your users can change their own passwords via this web interface and you are able to alter the code to include previous password checking, degree of difficulty, etc. at your whim without impacting the userbase directly.

That also means they no longer require logins.

Just a thought.

could do but I think I'll just go and integrate it with AD and be done with it, it would be much simpler...