LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue70/tag/10.html

299 lines
12 KiB
HTML
Raw Permalink Blame History

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3F.b">
<TITLE>The Answer Gang 70: Password aging</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P> <hr>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Gang</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and the Gang,
the Editors of Linux Gazette...
and You!
<br>Send questions (or interesting answers) to
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
</H4>
<p><em><font color="#990000">There is no guarantee that your questions
here will <b>ever</b> be answered. Readers at confidential sites
must provide permission to publish. However, you can be published
anonymously - just let us know!
</font></em></p>
</center>
<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 10 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Password aging</H3>
<p><strong>From Trevor Lauder
</strong></p>
<p align="right"><strong>Answered Mike Ellis, Ben Okopnik, Heather Stern
<br></strong></p>
<P><STRONG>
How do I disable password aging without the shadow suite?
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Mike Ellis]
Are you sure password aging is turned on without the shadow suite? AFAIK,
password aging is only supported under Linux when shadow passwords are
used. I also believe that most recent (post '99 ???) distributions come
with shadow passwords enabled by default, although I've only really played
with RedHat and Suse so I may be wrong here.
</BLOCKQUOTE>
<BLOCKQUOTE>
So - have you got shadow passwords? The easiest way to tell is to look at
the password and shadow files. these are both colon-delimited data files.
If you don't have shadow passwords enabled, the file <TT>/etc/passwd</TT> will look
like this:
</BLOCKQUOTE>
<blockquote><pre>root:HTf2f4YWjnASU:0:0:root:/root:/bin/bash
</pre></blockquote>
<BLOCKQUOTE>
The first field gives you the user name - I've only quoted the root user
here, your password file will have many more users in it, but each line
should follow the pattern shown above. The second field contains the users
password, encrypted ...
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben] Let's go for
"... encrypted with the standard Unix 'crypt' function."
</BLOCKQuote>
<BLOCKQUOTE>
There. That's better. When the choice is <br>a) give extra info that may be
unnecessary or <br>b) shroud everything in mystery as a true High Priest
should, I go with the Open Source version...
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Mike Ellis]
The remaining
fields specify the users UID, GID, real name, home directory and default
shell - nothing for password aging.
</BLOCKQUOTE>
<BLOCKQUOTE>
If you have shadow passwords enabled, the <TT>/etc/passwd</TT> file will look more
like this:
</BLOCKQUOTE>
<blockquote><pre>root:x:0:0:root:/root:/bin/bash
</pre></blockquote>
<BLOCKQUOTE>
Notice that the second field, which used to contain the password crypt,
now has the single letter 'x'. The password crypt is now stored in the
<TT>/etc/shadow</TT> file, which might look like this:
</BLOCKQUOTE>
<blockquote><pre>root:$1$17yvt96W$HO11W48wZuy0w9cPtQJdt0:11284:0:99999:7:::
</pre></blockquote>
<BLOCKQUOTE>
Again, the first field gives the user name, and the second is the
password crypt. These two examples use different crypt algorithms, hence
the different length of the password field - this is not relevant to this
discussion.
</BLOCKQUOTE>
<BLOCKQUOTE>
The remaining fields in the shadow file enable the password aging -
according to "man 5 shadow", these fields are (in order)
</BLOCKQUOTE>
<blockquote><code><font color="#000033"><br> Days since Jan 1, 1970 that password was last changed
<br> Days before password may be changed
<br> Days after which password must be changed
<br> Days before password is to expire that user is warned
<br> Days after password expires that account is disabled
<br> Days since Jan 1, 1970 that account is disabled
<br> A reserved field
</font></code></blockquote>
<BLOCKQUOTE>
The manual page also reads:
</BLOCKQUOTE>
<blockquote><tt>"The date of the last password change is given as the number of days
since Jan 1, 1970. The password may not be changed again until the proper
number of days have passed, and must be changed after the maximum number
of days. If the minimum number of days required is greater than the
maximum number of day allowed, this password may not be changed by the
user."
</tt></blockquote>
<BLOCKQUOTE>
So, to disable password aging (as in the example) set the fourth field to
zero and the fifth to a large number (e.g. 99999). This says that the
password can be changed after no time at all, and must be changed after
274 years, effectively disabling the aging.
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
To actually _disable_ password aging, make all the fields after the fourth
one null, i.e.
</BLOCKQUOTE>
<blockquote><pre>ben:ShHh!ItSaSeCrEt!:11504:0:::::
</pre></blockquote>
<BLOCKQUOTE><BLOCKQUOTE><CODE>
If you do that, "chage -l" reports the following:
</CODE></BLOCKQUOTE></BLOCKQUOTE>
<blockquote><pre>ben@Baldur:~$ chage -l ben
Minimum: 0
Maximum: -1
Warning: -1
Inactive: -1
Last Change: Jul 01, 2001
Password Expires: Never
Password Inactive: Never
Account Expires: Never
</pre></blockquote>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Mike Ellis]
You can edit the shadow file
directly (e.g. using vi/emacs) which is only really recommended for expert
users. A safer alternative, although less flexible, is to use a tool to
do the work for you, such as the usermod command, or linuxconf.
Unfortunately usermod doesn't allow you to disable aging, only to change
the dates on which the password expires. linuxconf is better, and should
probably be your first port of call unless you are quite experienced.
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
The "proper" tool for modifying "<TT>/etc/passwd</TT>" and "<TT>/etc/shadow</TT>" is
'vipw' ("vipw -s" edits "<TT>/etc/shadow</TT>".) You might want to define the
EDITOR variable before using it, though - it uses "vi" by default, and
that can be pretty ugly if you're not used to it...
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather Stern]
I certainly hope Linuxconf has gotten more stable; when it first came out,
about half the people I knew who had tried it (to be fair, not very many)
had managed to get burned by it - either by major config files eaten if a
failure occurred while it was doing something (it wasn't "idempotent" as
Debian says, able to be interrupted gracefully), or by features that needed
to be tweaked, not being revealed by it or handled incorrectly because the
tool's author hadn't thought of them. Like my "doesn't start at 0" address
range of less than 255 addresses.
</BLOCKQUOTE>
<BLOCKQUOTE>On the other hand, if you edit the file directly you
<strong>MUST</strong> get the number of colons right. Otherwise
nobody whose login is described after the line you get wrong, will
be able to get in... unless by chance you have more than one wrong,
and your other mistakes make them line up properly again, in which
case there will be a block of people who cannot login. This can
be very hard to debug if you don't know to look for it...
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Mike Ellis]
Before attempting any modifications on your system, make sure you've read
the manual pages for the password file (man 5 passwd), the shadow file
(man 5 shadow) and the usermod command (man usermod). It is quite easy to
leave yourself in a situation where it is impossible to log in after one
small typo... The examples I've shown are from RedHat systems I happen to
have laying around - your system may have a different version of the
password system which is subtly different and which blind copying of my
examples would break.
</BLOCKQUOTE>
<BLOCKQUOTE>
Hope it helps!
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
Amen to that. Also, make sure that you have your boot floppy close to
hand, or at least know how to boot with the 'single' option.
</BLOCKQUOTE>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
Or at least glance at the "Root password" Tip in this month;s 2c Tips
column before making your changes.
</BLOCKQUOTE>
<!-- end 10 -->
<!--startcut ======================================================= -->
<P> <hr> </p>
<!-- *** BEGIN copyright *** -->
<H5 align="center">This page edited and maintained by the Editors
of <I>Linux Gazette</I>
<a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 2001
<BR>Published in issue 70 of <I>Linux Gazette</I> September 2001</H5>
<H6 ALIGN="center">HTML script maintained by
<A HREF="mailto:star@starshine.org">Heather Stern</a> of
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H6>
<!-- *** END copyright *** -->
<P> <hr>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
><A HREF="..//"
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
ALT="[ Table Of Contents ]" border="0"></A
><A HREF="../lg_answer70.html"
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer70.html#greeting"><img align="middle"
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A> &nbsp;
<A HREF="1.html">1</A> &nbsp;
<A HREF="2.html">2</A> &nbsp;
<A HREF="3.html">3</A> &nbsp;
<A HREF="4.html">4</A> &nbsp;
<A HREF="5.html">5</A> &nbsp;
<A HREF="6.html">6</A> &nbsp;
<A HREF="7.html">7</A> &nbsp;
<A HREF="8.html">8</A> &nbsp;
<A HREF="9.html">9</A> &nbsp;
<A HREF="10.html">10</A> &nbsp;
<A HREF="11.html">11</A>
</td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
ALT="[ Index of Past Answers ]" border="0"></A
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<P> <hr>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->
Reference in New Issue View Git Blame Copy Permalink