pam_open_session: System error and sudo: policy plugin failed session initialization with no_pass_expiry in etc/pam.d/password-auth - rhel

I am struggling with an error in RHEL 7.
I have a RHEL image which is accessible only over SSH key, without user/password credentials.
To prevent the password renewal process after 90 days (which is not possible with an SSH key) I added no_pass_expiry in my etc/pam.d/password-auth,
but then I receive the following error when I try to sudo:
pam.d]$ sudo su -
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
This only occurs after the 90 days.

Your password has probably expired. For example, here's sudo with an expired user:
[user@server ~]$ sudo whoami
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
[user@server ~]$
[user@server ~]$ chage -l user
Last password change : May 07, 2018
Password expires : Aug 05, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 10
Now, as shown, after resetting the expiration flag, sudo works as expected:
[root@server]# chage -m 0 -M 99999 -I -1 -E -1 user
[root@server]# chage -l user
Last password change : May 07, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 10
[user@server ~]$ sudo whoami
root
You can confirm that in /var/log/secure by checking for messages similar to the ones listed below:
Feb 27 16:59:14 server sudo: pam_unix(sudo:account): expired password for user user (password aged)
Feb 27 16:59:14 server sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=anotheruser ; COMMAND=/usr/bin/whoami

Make sure if SELinux is enforcing, that /etc/shadow has the right context label. Running restorecon /etc/shadow will remedy this.

Related

Error:- bash: tart: command not found... Similar command is: 'tar'

I have used the Oracle Linux 7.7 OS and I had created a user with the name oracle. My question is that while I am trying to log in using
$ su - oracle
after entering I am successfully logged in, but some warning occurs:
Last login: Thu Nov 28 16:40:36 IST 2019 on pts/0
bash: tart: command not found...
Similar command is: 'tar'
How to fix it?
You are using the wrong command - hyphens should not be used.
Please use the following command to login with oracle username:
$ su oracle

password expire date removing for linux

I have the below commands; I am using them for removing the expiry date for my user on Unix. It's working, but for Linux it's not working. The below example is for Unix; if anyone has a Linux command like this I'll be thankful.
root@servername>passwd -s user
user PS 05/13/15 84
root@servername>passwd -x -1 user
passwd: password information changed for user
before
username:$md5$Dtj/7tJf$$VY7qJE2us6ODX/2xLUGAS:16568::84::::
after
username:$md5$Dtj/7tJf$$VY7qJE2us6ODX/2xLUGAS:16548::::::
You need the usermod command:
usermod -e -1 $USER
where -1 serves as the argument to -e, to remove the expiry date.
The expiration date parameter can be empty (but not missing when the -e option is used). The -e, --expiredate EXPIRE_DATE option is described as follows in man 8 usermod:
An empty EXPIRE_DATE argument will disable the expiration of the
account.
The issue is how you interpret "empty". Both forms, -e and --expiredate=, will accept an empty argument. Those being:
-e ''
or
--expiredate=
With thanks to @alx
chage -I -1 -m 0 -M 99999 -E -1 username

stopping user to access the system for few days

One of our users is on leave for a few days
and I want to stop him from accessing the systems during these days.
Should I:
add * to his encrypted password,
or delete the user from the /etc/passwd file,
or remove the user's encrypted password,
or rename the username to root,
or set his user ID to -1?
Which option should I go for out of the above?
It's for an access to a Linux system (Ubuntu). Not sure where you found those listed options, but in general try to use the system's tools to manage the system.
Simply lock the account:
sudo passwd -l [user_name]
Alternatively you can put an expire date on the account:
sudo usermod -e YYYY-MM-DD [user_name]
To unlock a locked account:
sudo passwd -u [username]

Centos 6.5 super user root lost

When I try to log in as root, the system shows:
"Login incorrect". I'm sure my password is correct, but just in case I decided to use single-user mode to reset it. But no help.
Then I changed the following 2 files:
/etc/passwd
root:x:0:0:root:/root:/bin/bash
to
root::0:0:root:/root:/bin/bash
also /etc/shadow
root:$2a$05$sin5i458ghsdfg8076t5ymp4y;jgslkdbvffd bshmRK:12856:0:10000::::
to
root::::
But no help. When I try: chage -l root
the system returns: "chage: user 'root' does not exist in /etc/passwd"
I have already checked the permissions of passwd and shadow;
they are:
passwd: -rw-r--r-- 1 root root 1721 Oct 2 10:47
shadow: ---------- 1 root root 2026 Oct 2 10:47
Please help me get the root account back.
PS: when I restart CentOS, there are some errors I think I should post here:
Starting udev: /bin/chown: invalid user: 'root:disk'
/bin/chown : invalid user: 'root:disk'
/bin/chown : invalid user: 'root:disk'
/bin/chown : invalid user: 'root:disk'
/bin/chown : invalid user: 'root:disk'
/bin/chown : invalid user: 'root:disk'
/bin/chown : invalid user: 'root:disk'
/bin/chown : invalid user: 'root:lp'
/bin/chown : invalid user: 'root:lp'
/bin/chown : invalid user: 'root:lp'
/bin/chown : invalid user: 'root:lp'
So, this issue has been solved by Cyrus's comment:
Make a copy of passwd and shadow, remove in passwd and shadow both lines of user root (UID=0 and UID=222) and create a new user root: useradd -c root -d /root -u 0 -g root -G bin,daemon,sys,adm,disk,wheel -o -M -s /bin/bash root and try to set a password.
Thanks a lot!

Why must a UNIX user have a password?

I am configuring the ssh server on my raspberry pi so that it only supports key-based authentication.
I have created a user on the server and set up the ~/.ssh directory with my public key and correct permissions.
The user is currently marked as 'locked' because it does not have a password. This causes openssh to refuse the connection.
# /var/log/auth.log
Aug 9 09:05:26 raspberrypi sshd[6875]: User foo not allowed because account is locked
Aug 9 09:05:26 raspberrypi sshd[6875]: input_userauth_request: invalid user foo [preauth]
Aug 9 09:05:26 raspberrypi sshd[6875]: Connection closed by 192.168.0.4 [preauth]
Ideally, I don't want a password. I have already authenticated via PKI.
Perhaps I could set the password to 'password', or a random string - but that seems messy.
Any recommendations?
EDIT:
Just to clarify, my account is locked because it doesn't have a password, i.e.
$ passwd -u foo
passwd: unlocking the password would result in a passwordless account.
You should set a password with usermod -p to unlock the password of this account.
Petesh's solution is correct:
usermod -p '*' foo
From the man page for shadow:
"If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means)."
No, it's telling you the account is locked, not that it doesn't have a password. You lock an account to prevent people from logging in using that account, even via SSH. You generally can only switch to a locked account using su or sudo.
The rules are described in the shadow manual page which says:
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
The logic is * will never match a password, but doesn't mean locked, while ! means locked.
This encrypted password is stored, generally, in the shadow file and can be changed using the passwd command or the usermod command. If you wish to change the password to one that doesn't work, then you can change to one starting with *, which will never match a password, so, for example, using the usermod command:
bubble ~ [2]> sudo usermod -L freerad
bubble ~> sudo grep freerad /etc/shadow
freerad:!*:16197:0:99999:7:::
This is a locked freerad account. ssh should prevent you from logging in using that account even if you use public/private key pairs.
bubble ~> sudo usermod -p '*' freerad
bubble ~> sudo grep freerad /etc/shadow
freerad:*:16291:0:99999:7:::
This freerad account has a never-matchable password. The account is not locked, but if you were to login using ssh public/private keys it would not prevent you from logging in.
Try unlocking it with
passwd -u foo
Being locked and not having a password are two different things.
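As an added example (not code from any of the posts above), a small Python classifier that reads shadow(5) lines the way pam_unix and sshd interpret them: the `!` lock prefix behind sshd's "account is locked", the never-matching `*` that still allows key login, and the last-change/max/inactive/expire aging fields behind pam_unix's "expired password (password aged)" seen in the sudo question. The sample lines and hashes are constructed; the 10000-day "never" threshold is the one chage -l uses when printing "never".

```python
"""Classify shadow(5) entries the way pam_unix and sshd read them.
Added example; sample lines are constructed and hashes are placeholders."""
from datetime import date

FIELDS = ("name", "pw", "lastchg", "min", "max", "warn", "inact", "expire", "flag")
NEVER = 10000  # chage -l prints "never" once max >= 10000 days (99999 is the usual value)


def parse_shadow(line):
    """Split one shadow line into a dict; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):  # e.g. a hand-edited 'root::::' is unusable
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        entry[key] = int(entry[key]) if entry[key] else None
    return entry


def classify(line, today_days=None):
    """Return (password_state, aging_state) for one shadow line."""
    e = parse_shadow(line)
    today = (date.today() - date(1970, 1, 1)).days if today_days is None else today_days
    pw = e["pw"]
    if pw == "":
        pw_state = "empty (passwordless)"
    elif pw.startswith("!"):
        pw_state = "locked"  # sshd: 'User ... not allowed because account is locked'
    elif pw.startswith("*"):
        pw_state = "no usable password (other auth allowed)"  # key login still works
    else:
        pw_state = "hash present"
    last, mx, inact, exp = e["lastchg"], e["max"], e["inact"], e["expire"]
    if exp is not None and exp >= 0 and today >= exp:
        aging = "account expired"
    elif last == 0:
        aging = "password change forced"
    elif last is None or mx is None or mx < 0 or mx >= NEVER:
        aging = "never expires"
    elif inact is not None and inact >= 0 and today >= last + mx + inact:
        aging = "password inactive (account expired)"
    elif today >= last + mx:
        aging = "password aged"  # pam_unix(sudo:account): expired password ... (password aged)
    else:
        aging = "valid, %d day(s) left" % (last + mx - today)
    return pw_state, aging


if __name__ == "__main__":
    for sample in ("user:$6$salt$hash:16568:1:84:10:::",     # aged entry, as in the sudo question
                   "user:$6$salt$hash:16568:0:99999:10:::",  # after chage -m 0 -M 99999 -I -1 -E -1
                   "freerad:!*:16197:0:99999:7:::",          # after usermod -L
                   "freerad:*:16291:0:99999:7:::"):          # after usermod -p '*'
        print(sample.split(":")[0], classify(sample, today_days=17600))
```

Pass today_days explicitly (days since 1970-01-01, as stored in the shadow file) to evaluate an entry as of a fixed date rather than today.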
