
root password continues to expire

SOLVED
Todd Seeleman
Occasional Advisor

root password continues to expire

Greetings,

I've set the root password to not expire; however, it continues to expire. How can I fix this?

wal9100# edauth -d d -g | grep u_exp
:u_maxlen#16:u_exp#0:u_life#0:u_pickpw:\
:u_maxtries#5:u_lock@:u_unlock#86400:u_expdate#0:\

wal9100# edauth -d d -g | grep u_life
:u_maxlen#16:u_exp#0:u_life#0:u_pickpw:\

12 REPLIES
Ivan Ferreira
Honored Contributor

Re: root password continues to expire

You are showing information about the default database; use edauth -g root to know the values applied to root.

Use usermod -x password_expire_time to modify the value.
Why do it the hard way, when you can do it the easy way?
Todd Seeleman
Occasional Advisor

Re: root password continues to expire

I don't see that value in the database

wal9100# edauth -g root | grep password
wal9100#

Mark Poeschl_2
Honored Contributor

Re: root password continues to expire

Don't grep for 'password'. There is no such entry in the database. Please post the whole output of 'edauth -g root'.
Todd Seeleman
Occasional Advisor

Re: root password continues to expire


I have executed

usermod -x passwd_expire_time=0 -x \
passwd_lifetime=0

in the past. Here is the output.

wal9100# edauth -g root
root:u_name=root:u_id#0:u_pwd=AH0O2oSNtHGkwuXF5AGTs9YA:u_cmdpriv=isso,operator,sysadmin:\
:u_syspriv=suspendaudit,configaudit,writeaudit,execsuid,chmodsugid,chown,acct,limit,lock,linkdir,mknod,mount,sysattr,setprocident,chroot,debug,shutdown,filesys,remote,kill,owner,allowdacaccess,sucompat,supropagate:\
:u_basepriv=suspendaudit,configaudit,writeaudit,execsuid,chmodsugid,chown,acct,limit,lock,linkdir,mknod,mount,sysattr,setprocident,chroot,debug,shutdown,filesys,remote,kill,owner,allowdacaccess:\
:u_succhg#1100267594:u_unsucchg#1053347633:u_genpwd@:u_pwdict=IePhOaKyxbUrA,FiquoaXLug6wg,V.c4SjN0M9C1Q:\
:u_genchars@:u_genletters@:u_oldcrypt#0:u_suclog#1127972402:\
:u_suctty=console:u_unsuctty=INET#backup-wal9105.gse-net.private:u_unsuclog#1127905805:u_maxtries#100:\
:u_lock@:u_flogins#21206:chkent:
Mark Poeschl_2
Honored Contributor

Re: root password continues to expire

That all looks relatively good Todd. Are you able to detect that the root password consistently expires after a certain interval - or does it just seem to happen "out of the blue"? The one anomalous entry in that edauth output is the u_flogins entry. It's pretty high. It's possible that what you're seeing as an "expiration" is actually a lockout due to unsuccessful login attempts and then when you finally change the password and get in the count starts over.

Comparing the output of:
# cat /etc/auth/system/default

with your previously posted edauth output would help.
Todd Seeleman
Occasional Advisor

Re: root password continues to expire

Hmm. Perhaps too many failed attempts; however, my fix is to use dxaccounts to re-enable the root account by setting the expiration date to the future, not by changing the password.

Mark Poeschl_2
Honored Contributor
Solution

Re: root password continues to expire

Very Hmmmmm... Yes it does sound unlikely, I agree. How is it that you're getting in to change the expiration date if you don't already have root access?

I'll revert to dinosaur and put on my 'never trust a GUI' hat for a moment and recommend that you carefully check both the /etc/auth/system/default file and the 'edauth -g' output for root both before and after using 'edauth' to fix the lock-out. That way you'll know exactly which fields are the culprits.
Todd Seeleman
Occasional Advisor

Re: root password continues to expire

Mark,

Thanks for the thoughts. I can still sudo to root. The problem shows up during rsync backup logins. I'll check the before/after next time it happens & let you know the results.

Todd

Todd Seeleman
Occasional Advisor

Re: root password continues to expire


Ah so. The problem is brute force login attempts failing and causing the account to be disabled by setting the expiration date to the moment. This is a diff of edauth -g root before and after re-enabling the account.

wal9100# diff 1.txt 2.txt
7c7,8
< :u_maxtries#100:u_lock@:u_flogins#21337:chkent:
---
> :u_maxtries#100:u_lock@:u_grace_limit#1160053800:u_flogins#21337:\
> :chkent:

I'm going to try an sshd throttle through tcp_wrappers I found at the HP site. Any other suggestions?

Todd

P.S. Thanks for the help
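
Added example (not part of the original posts): the plain diff above also reports a line-wrap change around chkent, so this sketch splits saved `edauth -g root` output into individual fields and reports only the fields that were added, removed or changed. The function names and the shortened sample records are constructed for illustration, and it assumes no field value contains a colon.

```shell
#!/bin/sh
# Added example: field-level diff of saved `edauth -g <user>` output.
# Assumes the termcap-style layout seen in the thread: ':'-separated fields,
# '\' line continuations, and no ':' inside a field value.

# Print one field per line, sorted, from the file named in $1.
edauth_fields() {
    sed -e 's/\\$//' "$1" | tr -d '\n' | tr ':' '\n' |
        sed -e '/^[[:space:]]*$/d' | sort
}

# Compare two saved records ($1 = before, $2 = after) by field name.
edauth_diff() {
    _b=$(mktemp) && _a=$(mktemp) || return 1
    edauth_fields "$1" > "$_b"
    edauth_fields "$2" > "$_a"
    awk '
        # Field name is everything before the first "=", "#" or "@".
        function name(f) { sub(/[=#@].*$/, "", f); return f }
        NR == FNR { old[name($0)] = $0; next }
        { n = name($0); cur[n] = $0
          if (!(n in old)) print "added   " $0
          else if (old[n] != $0) print "changed " old[n] " -> " $0 }
        END { for (n in old) if (!(n in cur)) print "removed " old[n] }
    ' "$_b" "$_a" | sort
    rm -f "$_b" "$_a"
}

# Constructed sample: shortened records modelled on the diff in the post.
demo_thread_diff() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/1.txt" <<'EOF'
root:u_name=root:u_id#0:\
    :u_maxtries#100:u_lock@:u_flogins#21337:chkent:
EOF
    cat > "$_d/2.txt" <<'EOF'
root:u_name=root:u_id#0:\
    :u_maxtries#100:u_lock@:u_grace_limit#1160053800:u_flogins#21337:\
    :chkent:
EOF
    edauth_diff "$_d/1.txt" "$_d/2.txt"
    rm -rf "$_d"
}

demo_thread_diff
```

On the sample it prints a single line, `added   u_grace_limit#1160053800`, with the re-wrapped chkent line no longer reported as a change.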



Ivan Ferreira
Honored Contributor

Re: root password continues to expire

The use of SSH is highly recommended. But you should edit the configuration file sshd2_config and disable root access. Change the line to:

PermitRootLogin NO

What I don't know is whether, if someone tries to access as root, the failed logins count will be incremented, or the attempt never reaches the O.S.
Why do it the hard way, when you can do it the easy way?
Mark Poeschl_2
Honored Contributor

Re: root password continues to expire

SSH is a great idea, as is Ivan's to disable root logins through SSH. I'm fairly certain that once you do that, attempts to log in as root will never even reach the OS checking routines and no counters or timers should be affected by the bogus login attempts.
Todd Seeleman
Occasional Advisor

Re: root password continues to expire

I am using OpenSSH and thought I had root logins disabled; however (duh), I missed that. For the moment I've throttled back via sshd_config.