299 lines
12 KiB
HTML
299 lines
12 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.3F.b">
|
|
<TITLE>The Answer Gang 70: Password aging</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<P> <hr>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</p>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Gang</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and the Gang,
|
|
the Editors of Linux Gazette...
|
|
and You!
|
|
<br>Send questions (or interesting answers) to
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
|
|
</H4>
|
|
<p><em><font color="#990000">There is no guarantee that your questions
|
|
here will <b>ever</b> be answered. Readers at confidential sites
|
|
must provide permission to publish. However, you can be published
|
|
anonymously - just let us know!
|
|
</font></em></p>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 10 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>Password aging</H3>
|
|
|
|
|
|
<p><strong>From Trevor Lauder
|
|
</strong></p>
|
|
<p align="right"><strong>Answered Mike Ellis, Ben Okopnik, Heather Stern
|
|
<br></strong></p>
|
|
<P><STRONG>
|
|
How do I disable password aging without the shadow suite?
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Mike Ellis]
|
|
Are you sure password aging is turned on without the shadow suite? AFAIK,
|
|
password aging is only supported under Linux when shadow passwords are
|
|
used. I also believe that most recent (post '99 ???) distributions come
|
|
with shadow passwords enabled by default, although I've only really played
|
|
with RedHat and Suse so I may be wrong here.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
So - have you got shadow passwords? The easiest way to tell is to look at
|
|
the password and shadow files. these are both colon-delimited data files.
|
|
If you don't have shadow passwords enabled, the file <TT>/etc/passwd</TT> will look
|
|
like this:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre>root:HTf2f4YWjnASU:0:0:root:/root:/bin/bash
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
The first field gives you the user name - I've only quoted the root user
|
|
here, your password file will have many more users in it, but each line
|
|
should follow the pattern shown above. The second field contains the users
|
|
password, encrypted ...
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Ben] Let's go for
|
|
"... encrypted with the standard Unix 'crypt' function."
|
|
</BLOCKQuote>
|
|
<BLOCKQUOTE>
|
|
There. That's better. When the choice is <br>a) give extra info that may be
|
|
unnecessary or <br>b) shroud everything in mystery as a true High Priest
|
|
should, I go with the Open Source version...
|
|
</BLOCKQUOTE>
|
|
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Mike Ellis]
|
|
The remaining
|
|
fields specify the users UID, GID, real name, home directory and default
|
|
shell - nothing for password aging.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
If you have shadow passwords enabled, the <TT>/etc/passwd</TT> file will look more
|
|
like this:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre>root:x:0:0:root:/root:/bin/bash
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
Notice that the second field, which used to contain the password crypt,
|
|
now has the single letter 'x'. The password crypt is now stored in the
|
|
<TT>/etc/shadow</TT> file, which might look like this:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre>root:$1$17yvt96W$HO11W48wZuy0w9cPtQJdt0:11284:0:99999:7:::
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
Again, the first field gives the user name, and the second is the
|
|
password crypt. These two examples use different crypt algorithms, hence
|
|
the different length of the password field - this is not relevant to this
|
|
discussion.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The remaining fields in the shadow file enable the password aging -
|
|
according to "man 5 shadow", these fields are (in order)
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><code><font color="#000033"><br> Days since Jan 1, 1970 that password was last changed
|
|
<br> Days before password may be changed
|
|
<br> Days after which password must be changed
|
|
<br> Days before password is to expire that user is warned
|
|
<br> Days after password expires that account is disabled
|
|
<br> Days since Jan 1, 1970 that account is disabled
|
|
<br> A reserved field
|
|
</font></code></blockquote>
|
|
<BLOCKQUOTE>
|
|
The manual page also reads:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><tt>"The date of the last password change is given as the number of days
|
|
since Jan 1, 1970. The password may not be changed again until the proper
|
|
number of days have passed, and must be changed after the maximum number
|
|
of days. If the minimum number of days required is greater than the
|
|
maximum number of day allowed, this password may not be changed by the
|
|
user."
|
|
</tt></blockquote>
|
|
<BLOCKQUOTE>
|
|
So, to disable password aging (as in the example) set the fourth field to
|
|
zero and the fifth to a large number (e.g. 99999). This says that the
|
|
password can be changed after no time at all, and must be changed after
|
|
274 years, effectively disabling the aging.
|
|
</BLOCKQUOTE>
|
|
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Ben]
|
|
To actually _disable_ password aging, make all the fields after the fourth
|
|
one null, i.e.
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre>ben:ShHh!ItSaSeCrEt!:11504:0:::::
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE><BLOCKQUOTE><CODE>
|
|
If you do that, "chage -l" reports the following:
|
|
</CODE></BLOCKQUOTE></BLOCKQUOTE>
|
|
|
|
<blockquote><pre>ben@Baldur:~$ chage -l ben
|
|
Minimum: 0
|
|
Maximum: -1
|
|
Warning: -1
|
|
Inactive: -1
|
|
Last Change: Jul 01, 2001
|
|
Password Expires: Never
|
|
Password Inactive: Never
|
|
Account Expires: Never
|
|
</pre></blockquote>
|
|
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Mike Ellis]
|
|
You can edit the shadow file
|
|
directly (e.g. using vi/emacs) which is only really recommended for expert
|
|
users. A safer alternative, although less flexible, is to use a tool to
|
|
do the work for you, such as the usermod command, or linuxconf.
|
|
Unfortunately usermod doesn't allow you to disable aging, only to change
|
|
the dates on which the password expires. linuxconf is better, and should
|
|
probably be your first port of call unless you are quite experienced.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Ben]
|
|
The "proper" tool for modifying "<TT>/etc/passwd</TT>" and "<TT>/etc/shadow</TT>" is
|
|
'vipw' ("vipw -s" edits "<TT>/etc/shadow</TT>".) You might want to define the
|
|
EDITOR variable before using it, though - it uses "vi" by default, and
|
|
that can be pretty ugly if you're not used to it...
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Heather Stern]
|
|
I certainly hope Linuxconf has gotten more stable; when it first came out,
|
|
about half the people I knew who had tried it (to be fair, not very many)
|
|
had managed to get burned by it - either by major config files eaten if a
|
|
failure occurred while it was doing something (it wasn't "idempotent" as
|
|
Debian says, able to be interrupted gracefully), or by features that needed
|
|
to be tweaked, not being revealed by it or handled incorrectly because the
|
|
tool's author hadn't thought of them. Like my "doesn't start at 0" address
|
|
range of less than 255 addresses.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>On the other hand, if you edit the file directly you
|
|
<strong>MUST</strong> get the number of colons right. Otherwise
|
|
nobody whose login is described after the line you get wrong, will
|
|
be able to get in... unless by chance you have more than one wrong,
|
|
and your other mistakes make them line up properly again, in which
|
|
case there will be a block of people who cannot login. This can
|
|
be very hard to debug if you don't know to look for it...
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Mike Ellis]
|
|
Before attempting any modifications on your system, make sure you've read
|
|
the manual pages for the password file (man 5 passwd), the shadow file
|
|
(man 5 shadow) and the usermod command (man usermod). It is quite easy to
|
|
leave yourself in a situation where it is impossible to log in after one
|
|
small typo... The examples I've shown are from RedHat systems I happen to
|
|
have laying around - your system may have a different version of the
|
|
password system which is subtly different and which blind copying of my
|
|
examples would break.
|
|
</BLOCKQUOTE>
|
|
|
|
<BLOCKQUOTE>
|
|
Hope it helps!
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Ben]
|
|
Amen to that. Also, make sure that you have your boot floppy close to
|
|
hand, or at least know how to boot with the 'single' option.
|
|
</BLOCKQUOTE>
|
|
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Heather]
|
|
Or at least glance at the "Root password" Tip in this month;s 2c Tips
|
|
column before making your changes.
|
|
</BLOCKQUOTE>
|
|
<!-- end 10 -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> </p>
|
|
<!-- *** BEGIN copyright *** -->
|
|
<H5 align="center">This page edited and maintained by the Editors
|
|
of <I>Linux Gazette</I>
|
|
<a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2001
|
|
<BR>Published in issue 70 of <I>Linux Gazette</I> September 2001</H5>
|
|
<H6 ALIGN="center">HTML script maintained by
|
|
<A HREF="mailto:star@starshine.org">Heather Stern</a> of
|
|
Starshine Technical Services,
|
|
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
|
|
</H6>
|
|
<!-- *** END copyright *** -->
|
|
<P> <hr>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<p align="center">
|
|
<table width="100%" border="0"><tr>
|
|
<td align="right" valign="center"
|
|
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
|
|
><A HREF="..//"
|
|
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
|
|
ALT="[ Table Of Contents ]" border="0"></A
|
|
><A HREF="../lg_answer70.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
|
|
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
|
|
<td align="center" valign="center"><A HREF="../lg_answer70.html#greeting"><img align="middle"
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A>
|
|
<A HREF="1.html">1</A>
|
|
<A HREF="2.html">2</A>
|
|
<A HREF="3.html">3</A>
|
|
<A HREF="4.html">4</A>
|
|
<A HREF="5.html">5</A>
|
|
<A HREF="6.html">6</A>
|
|
<A HREF="7.html">7</A>
|
|
<A HREF="8.html">8</A>
|
|
<A HREF="9.html">9</A>
|
|
<A HREF="10.html">10</A>
|
|
<A HREF="11.html">11</A>
|
|
</td>
|
|
<td align="left" valign="center"><A HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
|
|
ALT="[ Index of Past Answers ]" border="0"></A
|
|
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
|
|
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
|
|
</p>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</p>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|