David Aldridge
asked on
User keeps getting asked for a new password
On a Linux server, I have a user that keeps getting asked for a new password. I have tried chage -E and that doesn't work. When I run passwd -S I get the epoch date and can't figure out how to change it. Here's what it looks like:
servername:/root# passwd -S username
username PS 1969-12-31 0 90 7 -1 (Password set, SHA512 crypt.)
I think it's a pam issue, but I don't know the command and haven't been able to google it.
Thanks,
David
ASKER
I've tried pam_tally2 --user=username --reset
That doesn't work either.
Thanks!
David
ASKER
servername:/root# chage -l username
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
If the password change date is 31st dec 1969 and max change period is 90 days, then it IS expired.
A change of password should also update the last change date.
pam should handle that also.
It is done using the password entries in pam modules.
The starting point would be /etc/pam.d/passwd
ASKER
Everyone else is working fine. It's just this one ID.
Does the system have local account & ldap or other authentication services?
That might confuse some things. Kerberos has different settings for passwords as other systems f.e.
(Kerberos only manages a password nothing else..., but keeps the password separated).
Extended question: does this user have account in multiple profiles?
ASKER
Only local, and no, they don't have multiple profiles.
Then a passwd command entered by the user should change the password and its last change date in /etc/shadow.
Assuming the password entries do allow for the password. (not too trivial, does not match username, previous password etc. etc. depending on checks in the pam password module path.)
ASKER
I tried completely deleting the account and adding it again and it still keeps saying the password is expired.
What does
chage -l username
show now??
ASKER
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
Have you tried creating a totally different (new) user to see what the results were??
ASKER
Here's the whole thing.
[username@servername ~]$ passwd
Changing password for user username.
Changing password for username.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[username@servername ~]$ chage -l username
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
Of course the server name and username have been changed to protect the innocent.
ASKER
It creates a new one just fine.
servername:/root# useradd -g 200 -d /home/testuser -m -c "Test User" testuser
servername:/root# passwd testuser
Changing password for user testuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
servername:/root# chage -l testuser
Last password change : Oct 08, 2019
Password expires : Jan 06, 2020
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
What does
grep user /etc/shadow
give you? (user = locked user account)
ASKER
username:$6$b/dHbVv1$WMUyC2zMZBGpXsF.hAJz7iYsFlYFGHiIUGYipXQKkUnt.cOS4nGBQjmurdp9xo7zqXc6I7e8G.eBEftuzUIva.:0:0:90:7:::
Not locked
ASKER
I finally found it on google. I had to use usermod -e 2020-01-18 username. After that, it let me change the password and it stayed.
Last password change : Oct 08, 2019
Password expires : Jan 06, 2020
Password inactive : never
Account expires : Jan 18, 2020
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
Okay
Try
chage -I -1 username
With luck it'll unlock the account
Nice!
I should have refreshed the page before posting though ;)
ASKER
Thanks, guys.
Now you introduced another problem: this account cannot login AFTER Jan 18 2020....
because the account has been expired.
So Dec 31 a warning will be given of password expiration, Jan 6 the password will be expired and after Jan 18 the account cannot be used anymore.....
In /etc/shadow there is a huge difference if the last-password-change field is 0 or empty...
0 means expired = shows as 01-jan-1970 (1970-01-01) in passwd -S
empty means do not handle password expiration.... (so no change of password expiration is recorded). Shown as 31 dec 1969 (1969-12-31) (date -1 ...) in passwd -S
Any other value is the days of the last password change since EPOCH 1-jan-1970 (1970-01-01).
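The field meanings described above, as an added example that is not part of the original thread: a Python decoder for the aging fields of an /etc/shadow line per shadow(5), which also shows why an account-expiry value of 99999 is a date (2243-10-16) rather than "never". The sample lines are constructed from the numbers posted in this thread with a placeholder hash, and the function names are illustrative.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Fields 3-8 of an /etc/shadow line, as named in shadow(5).
FIELDS = ("last_change", "min_days", "max_days", "warn_days", "inactive_days", "expire")

def parse_shadow_line(line):
    """Split one shadow line; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    entry = {"name": parts[0]}
    for key, raw in zip(FIELDS, parts[2:8]):
        entry[key] = int(raw) if raw.strip() else None
    return entry

def day_to_date(days):
    """Shadow date fields count days since 1970-01-01."""
    return EPOCH + timedelta(days=days)

def aging_status(entry, today):
    """Classify an entry the way shadow(5) describes the fields."""
    now = (today - EPOCH).days
    if entry["expire"] is not None and now >= entry["expire"]:
        return "account expired on %s" % day_to_date(entry["expire"])
    last, max_days = entry["last_change"], entry["max_days"]
    if last is None:
        return "password aging disabled"
    if last == 0:
        return "password must be changed at next login"
    if max_days is None:
        return "password never expires"
    if now > last + max_days:
        return "password expired on %s" % day_to_date(last + max_days)
    return "password valid until %s" % day_to_date(last + max_days)

# Constructed samples: numeric fields from the thread, placeholder hash.
SAMPLES = [
    "username:$6$placeholder$hash:0:0:90:7:::",
    "testuser:$6$placeholder$hash:18177:0:90:7:::",
    "testuser:$6$placeholder$hash:18177:0:90:7::18279:",
]

if __name__ == "__main__":
    for line in SAMPLES:
        entry = parse_shadow_line(line)
        print(entry["name"], "->", aging_status(entry, date(2019, 10, 8)))
    print("expire field 99999 =", day_to_date(99999))
```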
ASKER
I was able to change that. Now it's:
Account expires : Oct 16, 2243
That should take care of him :)
Account expires : Oct 16, 2243
?? Why not just do away with account expiration. 243 years sort of makes it pointless lol
ASKER
I actually thought I did by setting it to 99999, but it changed the date. I thought it was strange, but after I got it to work I didn't want to mess with it anymore.
chage -E -1 (-one not el) will disable expiration.
chage -d 2019-10-08 user would have set the change date to today.
See: man chage, man passwd
Also: man 5 shadow
but after I got it to work I didn't want to mess with it anymore.
I'm with ya... ;)
ASKER
servername:/root# chage -E -1 username
servername:/root# chage -d 90 username
But nothing changes. I still get:
servername:/root# passwd -S username
username PS 1969-12-31 0 90 7 -1 (Password set, SHA512 crypt.)