2014年8月4日 星期一

sshd always wants to change password

It's solved for me by setting it to non-zero:

sshd:"PASSWORD":1:0:99999:7:::
Or run the following every time after useradd or passwd:
sed -e 's/^\([^:]*:[^:]*:\)0:/\11:/' /etc/shadow -i
Is it because busybox passwd always update the "last changed" field to 0?

No, it's because the System time is not set correctly.

libbb/update_passwd.c
/* "name:" + "new_passwd" + ":" + "change date" + ":rest of line" */
fprintf(new_fp, "%s%s:%u%s\n", name_colon, new_passwd,
        (unsigned)(time(NULL)) / (24*60*60), cp);
So if system time is not set correctly, "last changed" field will always be 0 at the first day, and SSH will always asking for changing passwd.

Use date to update the system should fix this issue:
date -s 201401010000.00
This is not even busybox related. It might happened on any PC, just PC has battery and RTC and rarely lost the time.



lib.uclibc.buildroot - Re: sshd always wants to change password - msg#00125 - Recent Discussion OSDir.com
http://osdir.com/ml/lib.uclibc.buildroot/2007-05/msg00125.html

> >Here is the entry from my shadow file:
> >sshd:"PASSWORD":0:0:99999:7:::
>
> set the last changed field to non-null


Linux Password & Shadow File Formats
http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
As with the passwd file, each field in the shadow file is also separated with ":" colon characters, and are as follows:
  • Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
  • Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.
  • The number of days (since January 1, 1970) since the password was last changed.
  • The number of days before password may be changed (0 indicates it may be changed at any time)
  • The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)
  • The number of days to warn user of an expiring password (7 for a full week)
  • The number of days after password expires that account is disabled
  • The number of days since January 1, 1970 that an account has been disabled
  • A reserved field for possible future use

沒有留言: