> However, I now have the problem of allowing users to set and
> modify their own passwords (perhaps even their usernames) without
> giving them ssh access to the host.

It will be a bit more tricky if you want them to be able to change
their usernames and such, but it's possible to modify sshd to force a
command for a specific group.

For instance, if you create a group 'passwdonly', add the users to it,
and place:

Match Group passwdonly
        ForceCommand /usr/bin/passwd

at the bottom of /etc/ssh/sshd_config, the only thing they can do when
they SSH in is change their password.

If you have password authentication turned off you can turn it on for
that specific group as well.

You can also write a custom script to prompt them for what they wish to
do, change their username and such and force that to be the command.


> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP
> and Dovecot. The users will be the Unix users on the VPS for
> simplicity.

In this instance, if you wish to expose a web interface for changing
of usernames and passwords, going with virtual users backed by
a SQL database may be easier and less likely to compromise the host.

I know you had mentioned not having a lot of experience in this area,
but if it's a hobby the bit of programming involved may be fun.

I hope this helps.

--
Mitch Riedstra
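
An added example, not part of the original message: the Match block described above, combined with the per-group password-authentication override the reply mentions and with forwarding turned off, because ForceCommand on its own does not stop forwarding requests. The group name passwdonly and the passwd path come from the message; the global default and the extra directives are assumptions made for this example, using standard sshd_config options.

```conf
# /etc/ssh/sshd_config (fragment; added example, not from the original message)

# Assumed global default: password logins are off for everyone else.
PasswordAuthentication no

# Match blocks go at the end of the file: everything after a Match line
# belongs to it until the next Match line or the end of the file.
Match Group passwdonly
        # Members of this group may log in with a password ...
        PasswordAuthentication yes
        # ... but the session can only run passwd(1), whatever the client asks for.
        ForceCommand /usr/bin/passwd
        # passwd prompts interactively, so a terminal is still allowed.
        PermitTTY yes
        # ForceCommand does not cover forwarding requests; disable them explicitly.
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
        # Do not execute ~/.ssh/rc before the forced command.
        PermitUserRC no
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded.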

