How can I set multiple passwords for a specific user in Manjaro?

Hi,
I want to be able to log in with multiple passwords in my user account in Manjaro OS.
How can I set multiple passwords for a specific user?

Hi @rezarezaeedev, and welcome!

At first I thought you couldn’t. Then I searched a bit and came across this answer:

Yes, although quite uncommon, this is definitely doable.

Instead of trying to implement it yourself, as the default /etc/passwd /etc/shadow based authentication method has no provision for such a configuration, the simpler way is to delegate authentication to a back-end that already supports multiple passwords for a user.

A well-known one is LDAP, whose userPassword attribute is multivalued according to RFC4519:

An example of a need for multiple values in the ‘userPassword’ attribute is an environment where every month the user is expected to use a different password generated by some automated system. During transitional periods, like the last and first day of the periods, it may be necessary to allow two passwords for the two consecutive periods to be valid in the system.

Despite this RFC, you’ll likely need to change the password policy configuration on most directory server implementations for this setting to be actually accepted.

On the Linux side, nothing forbids doing it (here an account named testuser was given both pass1 and pass2 as userPassword attribute values):

$ uname -a
Linux lx-vb 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
$ grep VERSION /etc/os-release
VERSION="13.04, Raring Ringtail"
$ grep "^passwd" /etc/nsswitch.conf 
passwd: files ldap
$ ldapsearch -LLL -h localhost -p 1389 -D "cn=directory manager" -w xxxxxxxx "uid=testuser" userPassword
dn: uid=testuser,ou=People,dc=example,dc=com
userPassword::
e1NTSEF9b2JWYXFDcjhNQmNJVXZXVHMzbE40SFlReStldC9XNFZ0NU4yRmc9PQ==
userPassword::
e1NTSEF9eDlnRGZ5b0NhKzNROTIzOTFha1NiR2VTMFJabjNKSWYyNkN3cUE9PQ==
$ grep testuser /etc/passwd
$ getent passwd testuser
testuser:*:12345:12345:ldap test user:/home/testuser:/bin/sh
$ sshpass -p pass1 ssh testuser@localhost id
uid=12345(testuser) gid=12345 groups=12345
$ sshpass -p pass2 ssh testuser@localhost id
uid=12345(testuser) gid=12345 groups=12345
$ sshpass -p pass3 ssh testuser@localhost id
Permission denied, please try again.

Here are some technical and security related implications of that kind of configuration:

  • the user account will obviously be more vulnerable to attacks, although what really matters here is the quality and protection of the passwords more than their number.
  • most utilities assume the user has a single password, so they won’t allow a user to individually update one of the passwords. A password change will then likely result in a single password attribute for the user.
  • if the goal is to allow multiple people to share the same account, each using their own password, there is no mechanism to identify who actually logged in based on the password used.

But I’m thinking this is a case of just because you could, doesn’t mean you should.

5 Likes
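For the audit side of the implications listed in the quoted answer, here is an added example (not part of the original thread or the quoted answer) that reads LDIF text such as the ldapsearch output above and reports which entries hold more than one userPassword value, along with each value's storage scheme. The function names are hypothetical and the sample entries and hashes are constructed.

```python
import base64
import re

def unfold(ldif):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def password_schemes(ldif):
    """Map each entry's dn to the storage scheme of every userPassword value it holds."""
    result, dn = {}, None
    for line in unfold(ldif):
        if not line.strip():          # a blank line ends the current entry
            dn = None
            continue
        m = re.match(r"([^:#]+)(::?)\s*(.*)", line)
        if not m:                     # comment or malformed line
            continue
        attr, sep, value = m.groups()
        if sep == "::":               # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
            result[dn] = []
        elif attr.lower() == "userpassword" and dn is not None:
            scheme = re.match(r"\{([A-Za-z0-9-]+)\}", value)
            result[dn].append(scheme.group(1).upper() if scheme else "NO-SCHEME")
    return result

def multi_password_entries(ldif):
    """Return only the entries that carry more than one userPassword value."""
    return {dn: s for dn, s in password_schemes(ldif).items() if len(s) > 1}

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: one entry with two values (one of them folded), one with a single value.
SAMPLE = "\n".join([
    "dn: uid=testuser,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}constructed-hash-one"),
    "userPassword::",
    " " + _b64("{SSHA}constructed-hash-two"),
    "",
    "dn: uid=otheruser,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}constructed-hash-three"),
])

if __name__ == "__main__":
    print(multi_password_entries(SAMPLE))
```
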