Seitenanfang

CRON: User account has expired

Dieser Post wurde aus meiner alten WordPress-Installation importiert. Sollte es Darstellungsprobleme, falsche Links oder fehlende Bilder geben, bitte einfach hier einen Kommentar hinterlassen. Danke.


Recently, I discovered strange messages in a servers system log. The cron daemon was complaining about an expired user account, but there are no user accounts on this server, which should ever expire.

1365596030_lock_lockedThe file /var/log/syslog had a lot of lines like this:

Apr 10 08:25:01 server17 CRON[7746]: User account has expiredApr 10 08:25:01 server17 CRON[7747]: User account has expired
No hint, which user or cron line but also no successful cron starts.

There are two accounts actually used on this server: My personal one and a locked root account (because Ubuntu is using sudo and no root password at all preventing the root account from being hacked by password). My account is used only for administration and I was able to log in, the problem clearly has to affect the root account:

$ sudo passwd -S rootroot L 11/26/2011 0 99999 7 -1
Looks like the root account expired in 2011? Wrong! The last password change has been in 2011, the expire time is the last value. "-1" means "never expires" - but the cron daemon reports something else.

The root account shouldn't have any password, but some recovery issue a long time ago forced me to set a root password for a very short time. I set a new one and locked the account again (because I don't use it for login):

$ sudo passwd -u rootPassword changed.$ sudo passwd rootEnter new UNIX password: Retype new UNIX password: passwd: password updated successfully$ sudo passwd -S rootroot P 04/10/2013 0 99999 7 -1$ sudo passwd -l rootPassword changed.$ sudo passwd -S rootroot L 04/10/2013 0 99999 7 -1
Fresh date, but the cron daemon log was still complaining. I started a Google journey and tried out some thing - always being afraid because I might lock myself out from this server while playing around with the root account settings. I should have started another ssh session and start a root shell there as a backup.

It took some time until I realized that the root account shouldn't be locked at all. It should be enabled and valid and have a password - but an invalid one.

Linux passwords are stored as crypted (hashed) values. One can't enter "12345" in the password file and log in using "12345" as the password. The file contains the hashsum of "12345" which will be compared to the hashsum of the password entered during login. The hashsums need to match, not the passwords.

The root account should have an exclamation mark "!" as password hashsum in /etc/shadow, because there is no cleartext password which will result in a "!" as hashsum. I updated root's line in /etc/shadow:

root:!:12345:0:99999:7:::
The important thing is the ! in the second column (the ":" is used as column separator in this file).

The root account is active now, but can't login - which is perfectly fine.

Notice that passwd -S still treads it as "locked", but the cron daemon is happy now:

$ sudo passwd -S root[sudo] password for sewi:root L 04/10/2013 0 99999 7 -1

Thanks to the Ubuntu forum for pointing me in the right direction.

 

Noch keine Kommentare. Schreib was dazu

Schreib was dazu

Die folgenden HTML-Tags sind erlaubt:<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>