I want to be able to log in with multiple passwords on my user account in Manjaro OS.
How can I set multiple passwords for a specific user?
Hi @rezarezaeedev, and welcome!
Yes, although quite uncommon, this is definitely doable.
Instead of trying to implement it yourself, as the default /etc/shadow based authentication method has no provision for such a configuration, the simpler way is to delegate authentication to a back-end that already supports multiple passwords for a user.
An example of a need for multiple values in the ‘userPassword’ attribute is an environment where every month the user is expected to use a different password generated by some automated system. During transitional periods, like the last and first day of the periods, it may be necessary to allow two passwords for the two consecutive periods to be valid in the system.
Despite this RFC, you’ll likely need to change the password policy configuration on most directory server implementations for this setting to be actually accepted.
On the Linux side, nothing forbids doing it (here an account named testuser was given both
$ uname -a
Linux lx-vb 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
$ grep VERSION /etc/os-release
VERSION="13.04, Raring Ringtail"
$ grep "^passwd" /etc/nsswitch.conf
passwd: files ldap
$ ldapsearch -LLL -h localhost -p 1389 -D "cn=directory manager" -w xxxxxxxx "uid=testuser" userPassword
dn: uid=testuser,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9b2JWYXFDcjhNQmNJVXZXVHMzbE40SFlReStldC9XNFZ0NU4yRmc9PQ==
userPassword:: e1NTSEF9eDlnRGZ5b0NhKzNROTIzOTFha1NiR2VTMFJabjNKSWYyNkN3cUE9PQ==
$ grep testuser /etc/passwd
$ getent passwd testuser
testuser:*:12345:12345:ldap test user:/home/testuser:/bin/sh
$ sshpass -p pass1 ssh testuser@localhost id
uid=12345(testuser) gid=12345 groups=12345
$ sshpass -p pass2 ssh testuser@localhost id
uid=12345(testuser) gid=12345 groups=12345
$ sshpass -p pass3 ssh testuser@localhost id
Permission denied, please try again.
Here are some technical and security related implications of that kind of configuration:
- the user account will obviously be more vulnerable to attacks, although what really matters here is the quality and protection of the passwords more than their number.
- most utilities assume the user has a single password, so they won’t allow a user to individually update one of the passwords. A password change will then likely result in a single password attribute for the user.
- if the goal is to allow multiple people to share the same account, each using their own password, there is no mechanism to identify who actually logged in based on the password used.
But I’m thinking this is a case of just because you could, doesn’t mean you should.
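An added example, not part of the original thread: a Python sketch that parses LDIF shaped like the ldapsearch output above, decodes the {SSHA} userPassword values, models a bind that accepts any stored value, and lists the accounts carrying more than one value so they can be reviewed. The sample LDIF, its salts and the otheruser entry are constructed, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(candidate: str, stored: str) -> bool:
    """Verify one candidate password against one stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False  # other storage schemes are not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

def parse_ldif(text: str) -> dict:
    """Map each dn to its userPassword values ('::' marks base64)."""
    entries, dn = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold wrapped lines
        if line.startswith("dn: "):
            dn = line[4:].strip()
            entries[dn] = []
        elif dn and line.startswith("userPassword:: "):
            entries[dn].append(base64.b64decode(line[15:]).decode())
        elif dn and line.startswith("userPassword: "):
            entries[dn].append(line[14:])
    return entries

def bind_ok(values: list, candidate: str) -> bool:
    """Model of the session above: any matching value authenticates."""
    return any(check_ssha(candidate, v) for v in values)

def multi_password_accounts(entries: dict) -> list:
    """Audit helper: entries carrying more than one userPassword value."""
    return sorted(dn for dn, vals in entries.items() if len(vals) > 1)

def sample_ldif() -> str:
    """Constructed LDIF (made-up salts, hypothetical second account)."""
    def attr(pw: str, salt: bytes) -> str:
        value = make_ssha(pw, salt).encode()
        return "userPassword:: " + base64.b64encode(value).decode()
    return "\n".join([
        "dn: uid=testuser,ou=People,dc=example,dc=com",
        attr("pass1", b"saltAAAA"), attr("pass2", b"saltBBBB"), "",
        "dn: uid=otheruser,ou=People,dc=example,dc=com",
        attr("only1", b"saltCCCC"),
    ])
```

Calling `multi_password_accounts(parse_ldif(sample_ldif()))` returns only the testuser entry, which is the kind of account the implications listed above apply to.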