Hello,

I am using SuSE 9.1 on a public web-server. Every night the password encryption is changing I see that because all passwords in /etc/shadow are new. The only password which is working is the root password, but it also changed in /etc/shadow.
I don't think that there is a strange root login who is changing all, because with last|less there is nothing except my logins.
I also installed Rootkit Hunter 1.1.1, and nothing to find...
Does anybody know where passwd saves the encryption routine? I think if I change it to chmod 444 it can't be changed anymore.
Or does anybody know another solution for this horrible problem?

The bad thing is I have to set every morning all passwords again from all users on the system...

Alex

the /etc/shadow file should be ----640
users should NOT be able to read this file at all........

have you read the man shadow
and man crypt
pages??

http://man.linuxquestions.org/index....ction=0&type=2

http://man.linuxquestions.org/index....pe=2&section=5

I mean encryption routine, NOT the password file!
Because the encrytion changes every day. so the code of the same password looks every day new. I mean the entry in /etc/shadow is every day another one with the same passwort and the same username!

Hello, I'm not completely sure what's happening on your system, but here is what I know about password setting. When you set a password, there is a random salt. This makes the encrypted password different every time even if the password is exactly the same.
See man 3 crypt for more information.
From what you said so far, it doesn't seem like the routine is really changing. If something is changing your passwords every day then that is indeed very strange.

Are you saying the user passwords change every day and then those users can not log in unless you reset their password again from the root account?

The /etc/shadow file does not change it's yesterday and today the same content, but yesterday I can login with that password and today it isn't working anymore. When I set again the same password for the same user it's another encrypted password in /etc/shadow and the it's working again. But tomorrow I have to set the password again for that users.
Except the root account this encrytpted passwort also changes in /etc/shadow but it works for login al the time...

I'm sure its just me as usual, still trying to understand what you are saying. I think you are saying the passwords are not changing, just login is failing and resetting the password makes it work again. The only account this does not happen to is root.

Ok, well then I don't know why, its beyond my knowledge so far. Perhaps the password expiration is set very short, like to 1 day. I've never configured password expiration, probably look it up in SuSE docs.

well, password expiration is set to 99999 days.

I think the passwort don't expire, insted the passwort coding is changing.

For example:
Today the password for user "user" is xxx
its in etc /shadow:
user:$1$abjhfdjhfdrs

Tomorrow when I look in /etc/shadow it's still the same entry there but I can't login with that passwort. When I type:
passwd user
and set the "user" passwort again to xxx
/etc /shadow contains:
user:$1$76gr34rh87dr

So it's the same passwort but in /etc/ shadow it's another entrie, that's why I think the coding algorithm is changing every day... But where and why is it?

Hello, as we said earlier, take a look at man 3 crypt, it explains why the encrypted password is different every time. Believe me this is normal. There is a 2 letter random salt that makes the encrypted (sorry, hashed) password different every time. Its actually the second argument to the crypt() function which is responsible for hashing your passwords.
The man page also says that if your salt is "$1$" then it will encrypt with the MD5 algorithm instead of DES. If you look at what you just posted, your hashed password starts with "$1$". I don't know what is going on but there is more information for you. Check out the crypt man page again.