
I hope I have phrased this question correctly, it's a bit of an odd one.

I have an Ubuntu 18.04 host with many users on it. All of the users log into their account on the host via SSH public key. All accounts have no password. This means that the /etc/shadow entry for every user is !. (I do not mean to imply that any account has an empty password, which would mean anyone could enter a username and then hit Enter at the password prompt to log in. An account with no password and an account with an empty password are very different things!)

With this situation, users are unable to set a password for their account with passwd because changing your password requires entering the current one which they can't do. This is actually fine.

However, another thing they can't do is change their shell because doing this requires entering a password, which the accounts don't have.

One solution I found suggests replacing required with sufficient in this line in /etc/pam.d/chsh:

# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth       required   pam_shells.so

This works but my concerns with this are:

  1. I don't understand why this works in my case because users' shells are already in /etc/shells. So why does modifying this suddenly allow users to use chsh without a password? (To be clear, in all cases, the users' current shells and desired shells are both listed in /etc/shells.)
  2. I don't necessarily want service accounts to be able to change their own service-specific shells although this isn't quite as important.

I feel like this is something that can be solved by PAM in a more elegant way, somehow.

eil

1 Answer


That change works, to some extent, but your first concern is because it works somewhat inadvertently. A required control for PAM auth checks something, then, if the check succeeds, moves to the next check. A sufficient control checks something, and if the check succeeds (and no previous check has failed), immediately has PAM succeed. Thus, it isn't whether the shell is in /etc/shells that matters in your case. The shells are always there, and the check always succeeds: changing required to sufficient means that that success skips everything later, including the password entry.

So, to have more reasonable chsh access, all you need to do is keep pam_shells.so as required, and add some other check after it, with that check being sufficient. Some options include:

  • Allow passwordless changes if the user is not a system user: auth sufficient pam_usertype.so isregular (see the pam_usertype.so manpage for how it decides on the user type).
  • Allow passwordless changes if the user is in the users group: auth sufficient pam_wheel.so trust group=users (adapted from here).
cge
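To make the control-flag reasoning in the answer above concrete, here is a small evaluator for a PAM auth stack. It is a constructed example added for this discussion, not Linux-PAM code and not part of the original question or answer: the four module functions are stand-ins that mimic the decisions of pam_shells, pam_unix, pam_usertype and pam_wheel, the accounts (alice, bob, backup), the shadow fields, the UID_MIN of 1000 and the password are all made up, and the stock chsh stack collapses the `@include common-auth` line to a single required pam_unix.so entry. It runs the stock stack, the question's required-to-sufficient edit, and both of the answer's options against a regular user with a `!` shadow field and against a system account whose shell is listed in /etc/shells (the question's second concern).

```python
"""Toy model of a PAM 'auth' stack: why 'sufficient pam_shells.so' skips
the password, and how the answer's required + sufficient pair behaves.
Constructed for this discussion; it is NOT Linux-PAM code, and the four
module functions are stand-ins that mimic the real modules' decisions."""

REGULAR_UID_MIN = 1000  # assumption: Debian/Ubuntu UID_MIN from /etc/login.defs
ETC_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
BOB_PASSWORD = "correct horse"  # constructed; the only password pam_unix accepts here

# Constructed accounts: alice = regular user, shadow field '!', in group users;
# bob = regular user with a real hash; backup = system account whose shell
# is nevertheless listed in /etc/shells (the question's second concern).
USERS = {
    "alice":  {"uid": 1001, "shell": "/bin/bash", "shadow": "!", "groups": {"users"}},
    "bob":    {"uid": 1002, "shell": "/bin/sh", "shadow": "$6$salt$hash", "groups": set()},
    "backup": {"uid": 34, "shell": "/bin/sh", "shadow": "*", "groups": set()},
}

def pam_shells(user, args, password):
    # succeeds only if the user's *current* shell is in /etc/shells
    return user["shell"] in ETC_SHELLS

def pam_unix(user, args, password):
    # a '!' or '*' shadow field matches nothing, whatever is typed
    if user["shadow"].startswith(("!", "*")):
        return False
    return password == BOB_PASSWORD

def pam_usertype(user, args, password):
    # isregular / issystem decided by UID range, as pam_usertype does
    if "isregular" in args:
        return user["uid"] >= REGULAR_UID_MIN
    if "issystem" in args:
        return user["uid"] < REGULAR_UID_MIN
    return False

def pam_wheel(user, args, password):
    # with 'trust', succeed when the user is a member of group= (default wheel)
    group = next((a[len("group="):] for a in args if a.startswith("group=")), "wheel")
    return "trust" in args and group in user["groups"]

MODULES = {"pam_shells.so": pam_shells, "pam_unix.so": pam_unix,
           "pam_usertype.so": pam_usertype, "pam_wheel.so": pam_wheel}

def run_auth_stack(stack, username, password=None):
    """True if the whole auth stack succeeds for username.
    required:   a failure is remembered, but later lines still run
    requisite:  a failure ends the stack at once
    sufficient: a success ends the stack with success unless an earlier
                required line already failed; a failure is simply ignored"""
    user = USERS[username]
    failed = False
    for control, module, *args in stack:
        ok = MODULES[module](user, args, password)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed

# Stock /etc/pam.d/chsh: shell check, then the password check pulled in by
# '@include common-auth' (collapsed here to one required pam_unix.so line;
# Debian's real common-auth uses the [success=1 default=ignore] form).
STOCK = [("required", "pam_shells.so"),
         ("required", "pam_unix.so")]

# The edit from the question: required -> sufficient on pam_shells.
SHELLS_SUFFICIENT = [("sufficient", "pam_shells.so"),
                     ("required", "pam_unix.so")]

# The answer's first option: pam_shells stays required; regular users may
# skip the password, system accounts still need one (and so cannot chsh).
USERTYPE = [("required", "pam_shells.so"),
            ("sufficient", "pam_usertype.so", "isregular"),
            ("required", "pam_unix.so")]

# The answer's second option: members of group 'users' skip the password.
WHEEL = [("required", "pam_shells.so"),
         ("sufficient", "pam_wheel.so", "trust", "group=users"),
         ("required", "pam_unix.so")]

if __name__ == "__main__":
    for name, stack in [("stock", STOCK), ("shells sufficient", SHELLS_SUFFICIENT),
                        ("usertype isregular", USERTYPE), ("wheel group=users", WHEEL)]:
        verdicts = {u: run_auth_stack(stack, u) for u in USERS}  # no password typed
        print(f"{name:>19}: {verdicts}")
```

Running it shows the point of the answer: with pam_shells made sufficient, every account whose current shell is in /etc/shells succeeds before pam_unix is ever consulted, including the system account; with pam_shells left required and pam_usertype (or pam_wheel) added as sufficient, the regular accounts pass without a password while the system account still falls through to a password check it can never satisfy. Two caveats for the real system: pam_usertype.so was added in Linux-PAM 1.4.0, so check that the module file actually exists in the PAM module directory on an Ubuntu 18.04 host before relying on that option, and the real chsh also runs the account and session stacks, which this model ignores.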