(?) The Answer Gang (!)


By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and the Gang, the Editors of Linux Gazette... and You!
Send questions (or interesting answers) to tag@lists.linuxgazette.net

There is no guarantee that your questions here will ever be answered. Readers at confidential sites must provide permission to publish. However, you can be published anonymously - just let us know!


(?) Password aging

From Trevor Lauder

Answered by Mike Ellis, Ben Okopnik, Heather Stern

How do I disable password aging without the shadow suite?

(!) [Mike Ellis] Are you sure password aging is turned on without the shadow suite? AFAIK, password aging is only supported under Linux when shadow passwords are used. I also believe that most recent (post '99 ???) distributions come with shadow passwords enabled by default, although I've only really played with RedHat and Suse so I may be wrong here.
So - have you got shadow passwords? The easiest way to tell is to look at the password and shadow files. These are both colon-delimited data files. If you don't have shadow passwords enabled, the file /etc/passwd will look like this:
root:HTf2f4YWjnASU:0:0:root:/root:/bin/bash
The first field gives you the user name - I've only quoted the root user here, your password file will have many more users in it, but each line should follow the pattern shown above. The second field contains the user's password, encrypted ...
(!) [Ben] Let's go for "... encrypted with the standard Unix 'crypt' function."
There. That's better. When the choice is
a) give extra info that may be unnecessary or
b) shroud everything in mystery as a true High Priest should, I go with the Open Source version...
(!) [Mike Ellis] The remaining fields specify the user's UID, GID, real name, home directory and default shell - nothing for password aging.
If you have shadow passwords enabled, the /etc/passwd file will look more like this:
root:x:0:0:root:/root:/bin/bash
Notice that the second field, which used to contain the password crypt, now has the single letter 'x'. The password crypt is now stored in the /etc/shadow file, which might look like this:
root:$1$17yvt96W$HO11W48wZuy0w9cPtQJdt0:11284:0:99999:7:::
Again, the first field gives the user name, and the second is the password crypt. These two examples use different crypt algorithms, hence the different length of the password field - this is not relevant to this discussion.
The remaining fields in the shadow file enable the password aging - according to "man 5 shadow", these fields are (in order)

Days since Jan 1, 1970 that password was last changed
Days before password may be changed
Days after which password must be changed
Days before password is to expire that user is warned
Days after password expires that account is disabled
Days since Jan 1, 1970 that account is disabled
A reserved field
The manual page also reads:
"The date of the last password change is given as the number of days since Jan 1, 1970. The password may not be changed again until the proper number of days have passed, and must be changed after the maximum number of days. If the minimum number of days required is greater than the maximum number of days allowed, this password may not be changed by the user."
So, to disable password aging (as in the example) set the fourth field to zero and the fifth to a large number (e.g. 99999). This says that the password can be changed after no time at all, and must be changed after 274 years, effectively disabling the aging.
(!) [Ben] To actually _disable_ password aging, make all the fields after the fourth one null, i.e.
ben:ShHh!ItSaSeCrEt!:11504:0:::::
If you do that, "chage -l" reports the following:
ben@Baldur:~$ chage -l ben
Minimum:        0
Maximum:        -1
Warning:        -1
Inactive:       -1
Last Change:            Jul 01, 2001
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never
(!) [Mike Ellis] You can edit the shadow file directly (e.g. using vi/emacs) which is only really recommended for expert users. A safer alternative, although less flexible, is to use a tool to do the work for you, such as the usermod command, or linuxconf. Unfortunately usermod doesn't allow you to disable aging, only to change the dates on which the password expires. linuxconf is better, and should probably be your first port of call unless you are quite experienced.
(!) [Ben] The "proper" tool for modifying "/etc/passwd" and "/etc/shadow" is 'vipw' ("vipw -s" edits "/etc/shadow".) You might want to define the EDITOR variable before using it, though - it uses "vi" by default, and that can be pretty ugly if you're not used to it...
(!) [Heather Stern] I certainly hope Linuxconf has gotten more stable; when it first came out, about half the people I knew who had tried it (to be fair, not very many) had managed to get burned by it - either by major config files eaten if a failure occurred while it was doing something (it wasn't "idempotent" as Debian says, able to be interrupted gracefully), or by features that needed to be tweaked, not being revealed by it or handled incorrectly because the tool's author hadn't thought of them. Like my "doesn't start at 0" address range of less than 255 addresses.
On the other hand, if you edit the file directly you MUST get the number of colons right. Otherwise nobody whose login is described after the line you get wrong will be able to get in... unless by chance you have more than one wrong, and your other mistakes make them line up properly again, in which case there will be a block of people who cannot log in. This can be very hard to debug if you don't know to look for it...
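As an added example (not code from the Answer Gang thread or from the shadow suite), here is a small Python checker that applies both points above: it splits each shadow line into the nine fields quoted from "man 5 shadow", refuses any line that does not have exactly eight colons, and classifies the aging fields the way Mike and Ben describe them (max field empty = disabled, max = 99999 = effectively disabled, min > max = unchangeable). The sample lines are constructed for the example; the root and ben lines are copied from the thread, "alice" and "bob" are made up, and bob's line is deliberately missing one colon.

```python
"""Check /etc/shadow entries and report password-aging status.

Added example for this thread, not code from the Answer Gang or from the
shadow suite.  Field layout follows shadow(5) as quoted in the thread; the
sample lines are constructed, two of them copied from the thread's examples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)
SHADOW_FIELDS = 9          # 8 colons per line; one missing colon shifts every later field
MAX_DISABLING = 99999      # the "large number" the thread uses to neutralise the maximum


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    lastchg: Optional[int]      # days since 1970-01-01 on which the password last changed
    min_days: Optional[int]     # days before the password may be changed
    max_days: Optional[int]     # days after which it must be changed
    warn_days: Optional[int]    # days of warning before expiry
    inactive_days: Optional[int]  # days after expiry before the account is disabled
    expire_day: Optional[int]   # days since 1970-01-01 on which the account is disabled


def _num(field: str, what: str) -> Optional[int]:
    """An empty aging field means 'not set' (what chage -l prints as -1 or Never)."""
    if field == "":
        return None
    if not field.isdigit():
        raise ValueError(f"{what}: expected a number or empty, got {field!r}")
    return int(field)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line; reject anything without exactly 8 colons."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != SHADOW_FIELDS:
        raise ValueError(
            f"{fields[0]!r}: expected {SHADOW_FIELDS} fields (8 colons), got {len(fields)}"
        )
    name, passwd, lastchg, mn, mx, warn, inactive, expire, _reserved = fields
    if not name:
        raise ValueError("empty user name")
    return ShadowEntry(
        name, passwd,
        _num(lastchg, "lastchg"), _num(mn, "min"), _num(mx, "max"),
        _num(warn, "warn"), _num(inactive, "inactive"), _num(expire, "expire"),
    )


def aging_status(e: ShadowEntry) -> str:
    """Classify the aging fields the way the thread describes them."""
    if e.max_days is None:
        return "disabled"                 # Ben's form: maximum field left empty
    if e.min_days is not None and e.min_days > e.max_days:
        return "unchangeable"             # shadow(5): min > max, user cannot change it
    if e.max_days >= MAX_DISABLING:
        return "effectively disabled"     # Mike's form: max = 99999 (about 274 years)
    return "enforced"


def last_change_date(e: ShadowEntry) -> Optional[date]:
    """Field 3 turned back into a calendar date (what chage -l shows as Last Change)."""
    return None if e.lastchg is None else EPOCH + timedelta(days=e.lastchg)


def must_change_by(e: ShadowEntry) -> Optional[date]:
    """Date by which the password must be changed, or None if no maximum is set."""
    if e.lastchg is None or e.max_days is None:
        return None
    return EPOCH + timedelta(days=e.lastchg + e.max_days)


def check_shadow_text(text: str) -> Tuple[List[ShadowEntry], List[str]]:
    """Parse every line, collecting errors so one bad line does not hide the rest."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_shadow_line(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return entries, errors


# Constructed sample: the first two lines are the thread's examples, 'alice'
# has 90-day aging, and 'bob' is missing one colon (Heather's failure mode).
SAMPLE_SHADOW = """\
root:$1$17yvt96W$HO11W48wZuy0w9cPtQJdt0:11284:0:99999:7:::
ben:ShHh!ItSaSeCrEt!:11504:0:::::
alice:*:11504:0:90:7:::
bob:*:11504:0:90:7::
"""

if __name__ == "__main__":
    entries, errors = check_shadow_text(SAMPLE_SHADOW)
    for e in entries:
        print(f"{e.name:8} aging={aging_status(e):22} last={last_change_date(e)} "
              f"must_change_by={must_change_by(e)}")
    for err in errors:
        print("ERROR", err)
```

Running it against the sample reports root as "effectively disabled", ben as "disabled" with a last change of 2001-07-01 (the same date chage -l prints above), alice as "enforced", and rejects bob's line for having seven colons instead of eight. Pointing it at a real /etc/shadow (as root, read-only) before and after a hand edit is a cheap way to catch the colon-count mistake before it locks anyone out.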
(!) [Mike Ellis] Before attempting any modifications on your system, make sure you've read the manual pages for the password file (man 5 passwd), the shadow file (man 5 shadow) and the usermod command (man usermod). It is quite easy to leave yourself in a situation where it is impossible to log in after one small typo... The examples I've shown are from RedHat systems I happen to have lying around - your system may have a different version of the password system which is subtly different and which blind copying of my examples would break.
Hope it helps!
(!) [Ben] Amen to that. Also, make sure that you have your boot floppy close to hand, or at least know how to boot with the 'single' option.
(!) [Heather] Or at least glance at the "Root password" Tip in this month's 2c Tips column before making your changes.


This page edited and maintained by the Editors of Linux Gazette Copyright © 2001
Published in issue 70 of Linux Gazette September 2001
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/

