| 1 |
On Tue, 10 Jan 2012 13:46:59 -0500 |
| 2 |
Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 3 |
|
| 4 |
> Ok, I did something really dumb... |
| 5 |
> |
| 6 |
> I changed the root passwd for a system I manage last week, but |
| 7 |
> neglected to write it down, and now what I *thought* I had changed it |
| 8 |
> to isn't working... I know, I know, really *really* dumb, but that's |
| 9 |
> where I am... |
| 10 |
> |
| 11 |
> I know I can boot into Single User mode, remount the root partition |
| 12 |
> read/write, and edit /etc/shadow (removing the encrypted passwd), |
| 13 |
> then rest it using passwd, but... |
| 14 |
> |
| 15 |
> Some of the accounts in /etc/shadow have a '*' where the encrypted |
| 16 |
> passwd would be, and some have a '!'... (ie, one is sshd:!:... and |
| 17 |
> another is halt:*:...) |
| 18 |
> |
| 19 |
> Does it matter what I change it to? Should I use a *, !, or nothing |
| 20 |
> at all (so that there is *nothing* between the two :: that would |
| 21 |
> normally contain the encrypted passwd)? |
| 22 |
|
| 23 |
The password field in shadow contains one of three types of values: |
| 24 |
|
| 25 |
- a valid hash |
| 26 |
- nothing (meaning the account has no password at all) |
| 27 |
- an invalid hash (meaning the account cannot be logged into as no |
| 28 |
password will ever hash to that value) |
| 29 |
|
| 30 |
The third type has some standard values set by convention over the |
| 31 |
years to indicate why the password is not valid. Because they are just |
| 32 |
loose conventions there's not much consistency by usually is goes like |
| 33 |
this: |
| 34 |
|
| 35 |
* means the account is definitely a system account, should never have a |
| 36 |
valid shell and no-one must ever log into that account. Accounts like |
| 37 |
bin are like this, and Gentoo gives these /bin/false as a shell |
| 38 |
|
| 39 |
! means it is a valid account that probably should not have a login |
| 40 |
shell but might run with a proper environment. The man account is like |
| 41 |
this and Gentoo usually gives these nologin as a shell. |
| 42 |
|
| 43 |
So what's the difference? Not much really, it's all a fine case of |
| 44 |
semantics and to you they ought to be treated the same. I might even |
| 45 |
have the explanation the wrong way round or be completely wrong, that's |
| 46 |
how poorly documented this all is :-) |
| 47 |
|
| 48 |
To reset root's password, set the field to blank (nothing between |
| 49 |
the ::) |
| 50 |
|
| 51 |
-- |
| 52 |
Alan McKinnnon |
| 53 |
alan.mckinnon@×××××.com |
Archives