On Tue, 10 Jan 2012 13:46:59 -0500
Tanstaafl <tanstaafl@×××××××××××.org> wrote:

> Ok, I did something really dumb...
>
> I changed the root passwd for a system I manage last week, but
> neglected to write it down, and now what I *thought* I had changed it
> to isn't working... I know, I know, really *really* dumb, but that's
> where I am...
>
> I know I can boot into Single User mode, remount the root partition
> read/write, and edit /etc/shadow (removing the encrypted passwd),
> then reset it using passwd, but...
>
> Some of the accounts in /etc/shadow have a '*' where the encrypted
> passwd would be, and some have a '!'... (ie, one is sshd:!:... and
> another is halt:*:...)
>
> Does it matter what I change it to? Should I use a *, !, or nothing
> at all (so that there is *nothing* between the two :: that would
> normally contain the encrypted passwd)?

The password field in shadow contains one of three types of values:

- a valid hash
- nothing (meaning the account has no password at all)
- an invalid hash (meaning the account cannot be logged into as no
  password will ever hash to that value)

The third type has some standard values set by convention over the
years to indicate why the password is not valid. Because they are just
loose conventions there's not much consistency but usually it goes like
this:

* means the account is definitely a system account, should never have a
valid shell and no-one must ever log into that account. Accounts like
bin are like this, and Gentoo gives these /bin/false as a shell

! means it is a valid account that probably should not have a login
shell but might run with a proper environment. The man account is like
this and Gentoo usually gives these nologin as a shell.

So what's the difference? Not much really, it's all a fine case of
semantics and to you they ought to be treated the same. I might even
have the explanation the wrong way round or be completely wrong, that's
how poorly documented this all is :-)

To reset root's password, set the field to blank (nothing between
the ::)

--
Alan McKinnnon
alan.mckinnon@×××××.com
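
Added example (not part of the message above, and not code from shadow-utils): a small Python audit that sorts shadow password fields into the three kinds listed in the reply, so that a root field left blank after a reset is easy to spot. It goes slightly beyond the message by also recognising a '!' placed in front of a real hash, which is how passwd -l locks an account; the sample lines and the hash-shape regex are constructed assumptions.

```python
import re

# Constructed sample shadow lines (not from a real system).
SAMPLE = """\
root::15349:0:99999:7:::
bin:*:9797:0:::::
sshd:!:15000:0:99999:7:::
alice:$6$constructedsalt$Zm9vYmFyYmF6cXV4:15349:0:99999:7:::
bob:!$6$constructedsalt$Zm9vYmFyYmF6cXV4:15349:0:99999:7:::
# malformed or comment lines are skipped
"""

# Assumption: "looks like a hash" means modular crypt format ($id$...) or a
# 13-character traditional DES crypt string; this is a shape check only.
_HASH = re.compile(r"^(\$[^$]+\$.+|[./0-9A-Za-z]{13})$")

def classify(field):
    """Map one password field onto the kinds described in the message."""
    if field == "":
        return "empty"        # no password needed to authenticate
    if _HASH.match(field):
        return "hash"         # a usable password hash
    if field.startswith("!") and _HASH.match(field.lstrip("!")):
        return "locked-hash"  # '!' in front of a hash, as passwd -l leaves it
    return "invalid"          # '*', '!', etc.: no password hashes to this

def audit(text):
    """Return [(user, kind)] for every well-formed shadow line in text."""
    results = []
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2 or not parts[0]:
            continue
        results.append((parts[0], classify(parts[1])))
    return results

def empty_password_accounts(text):
    """Accounts that can currently be entered with no password."""
    return [user for user, kind in audit(text) if kind == "empty"]

if __name__ == "__main__":
    for user, kind in audit(SAMPLE):
        print(f"{user:8} {kind}")
    print("empty:", empty_password_accounts(SAMPLE))
```

Run against a copy of /etc/shadow after the recovery, an empty result from empty_password_accounts confirms that passwd was run and the blank field is gone.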