
Re: CRON: Authentication token is no longer valid; new one required



ML mail wrote:
> Bob Proulx wrote:
> > It is the state of an expired password that is a problem.
> > ...
> > What does this say?  Example from a system of mine.
> > 
> >   $ passwd --status root
> >   root P 05/01/2010 0 99999 7 -1

> The result of running passwd --status tells me that the password
> needs to be changed as actually I had in my /etc/shadow file only a
> "!" as password in order to safely disable the root account.

That is not what it said.  What did it say?  Don't paraphrase.  Copy
and paste the result verbatim.

When you looked at the status the password was expired, right?
The date field said "01/01/1970" didn't it?

> It looks like this is not compatible with the cron.d system.

That is not correct.  As I said it is because you have set root to
have an *expired* account.  So far nothing you have said offered any
evidence that it was anything different.

> I have changed the password and then locked the account (passwd -l)
> and now it works.

When you changed the password it reset the expiration.  That was the
critical part.  It was no longer expired.  Whew!  That is the part
that allowed everything to work.

Then locking the account placed an impossible to match character into
the password field.  Traditionally the '*' and '!' are the characters
used for this.  Most greybeard unix hackers will always use '*' there
but the password program uses '!' specifically to distinguish manual
modifications from programmatic modifications.  If you see '*' then a
human did it.  If you see '!' then the passwd program did it.  That
was the plan anyway.  Humans can put '!' there if they want.  The
result is the same.

> The thing is that I wanted to remove the password from the
> /etc/shadow file as with the lock option the password is still there
> but with a "!" before it.

Then remove the password.  It is good if there isn't any time when
root has no password even if that time were short.  Use the passwd
command ('passwd -d -r root') to do both operations for you.

  # grep ^root: /etc/shadow
  root:!:15616:0:99999:7:::

  # grep ^root: /etc/shadow
  root:!:0:0:99999:7:::

That shows the bad case.  The password is "expired".  The 0 in the
date of password change field indicates that the account must change
the password before being allowed to log in again.

  # passwd root
  Enter new UNIX password: 
  Retype new UNIX password: 
  passwd: password updated successfully

  # grep ^root: /etc/shadow
  root:$6$23Bv5nXR$8JWwl8.Dk2xTT7KN7jyloWUfT7ikTAmTIEpeeyfMPHVrOrOwndyTfK.x50yEM.gEvm47RPZ53JhT3ved5EQRs1:16474:0:99999:7:::

Password expiration has now been reset.  The 16474 number in the date
field.  16474 days since Jan 1, 1970.

  # passwd -d -l root
  passwd: password expiry information changed.

  # grep ^root: /etc/shadow
  root:!:16474:0:99999:7:::

The password has been removed and the account has been locked by
having an impossible to match character placed in the password field.
But the account 

Bob
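
A small check for the condition discussed in this message, added here as an example and not part of the original post: it classifies /etc/shadow lines by password-field state and by the "date of last change" field, and goes slightly beyond the message by also flagging max-age expiry. The function name shadow_state, its output labels, and the sample lines other than the page's own root entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report lock state and expiry state for one /etc/shadow line.
# Usage: shadow_state 'name:pw:lastchg:min:max:warn:inactive:expire:' [today_in_days]
# Runs in a subshell "( ... )" so IFS and 'set -f' do not leak to the caller.
shadow_state() (
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}   # days since Jan 1, 1970
    IFS=:
    set -f              # the password field may be a literal '*'
    set -- $line
    user=$1 pw=$2 lastchg=$3 max=$5

    case $pw in
        '')        pwstate=no-password ;;    # anyone can log in without one
        '!'*|'*'*) pwstate=locked ;;         # impossible-to-match character
        *)         pwstate=hash-set ;;
    esac

    if [ -z "$lastchg" ]; then
        age=aging-disabled
    elif [ "$lastchg" -eq 0 ]; then
        age=expired-must-change              # the case that broke cron here
    elif [ -n "$max" ] && [ "$((lastchg + max))" -lt "$today" ]; then
        age=expired-max-age
    else
        age=current
    fi
    echo "$user $pwstate $age"
)

# Constructed sample input: the root lines follow the message above, the
# hash is a placeholder, and the svc line is invented for the max-age case.
while IFS= read -r entry; do
    shadow_state "$entry" 16474
done <<'EOF'
root:!:0:0:99999:7:::
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:16474:0:99999:7:::
root:!:16474:0:99999:7:::
svc:*:15000:0:90:7:::
EOF
```

On a live system, feed it real entries as root, for example with the line printed by `grep ^root: /etc/shadow`, and omit the second argument so today's date is used.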
