Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am using SuSE 9.1 on a public web-server. Every night the password encryption is changing I see that because all passwords in /etc/shadow are new. The only password which is working is the root password, but it also changed in /etc/shadow.
I don't think that there is a strange root login who is changing all, because with last|less there is nothing except my logins.
I also installed Rootkit Hunter 1.1.1, and nothing to find...
Does anybody know where passwd saves the encryption routine? I think if I change it to chmod 444 it can't be changed anymore.
Or does anybody know another solution for this horrible problem?
The bad thing is I have to set every morning all passwords again from all users on the system...
I mean encryption routine, NOT the password file!
Because the encrytion changes every day. so the code of the same password looks every day new. I mean the entry in /etc/shadow is every day another one with the same passwort and the same username!
Hello, I'm not completely sure what's happening on your system, but here is what I know about password setting. When you set a password, there is a random salt. This makes the encrypted password different every time even if the password is exactly the same.
See man 3 crypt for more information.
From what you said so far, it doesn't seem like the routine is really changing. If something is changing your passwords every day then that is indeed very strange.
Are you saying the user passwords change every day and then those users can not log in unless you reset their password again from the root account?
The /etc/shadow file does not change it's yesterday and today the same content, but yesterday I can login with that password and today it isn't working anymore. When I set again the same password for the same user it's another encrypted password in /etc/shadow and the it's working again. But tomorrow I have to set the password again for that users.
Except the root account this encrytpted passwort also changes in /etc/shadow but it works for login al the time...
I'm sure its just me as usual, still trying to understand what you are saying. I think you are saying the passwords are not changing, just login is failing and resetting the password makes it work again. The only account this does not happen to is root.
Ok, well then I don't know why, its beyond my knowledge so far. Perhaps the password expiration is set very short, like to 1 day. I've never configured password expiration, probably look it up in SuSE docs.
I think the passwort don't expire, insted the passwort coding is changing.
For example:
Today the password for user "user" is xxx
its in etc /shadow:
user:$1$abjhfdjhfdrs
Tomorrow when I look in /etc/shadow it's still the same entry there but I can't login with that passwort. When I type:
passwd user
and set the "user" passwort again to xxx
/etc /shadow contains:
user:$1$76gr34rh87dr
So it's the same passwort but in /etc/ shadow it's another entrie, that's why I think the coding algorithm is changing every day... But where and why is it?
Hello, as we said earlier, take a look at man 3 crypt, it explains why the encrypted password is different every time. Believe me this is normal. There is a 2 letter random salt that makes the encrypted (sorry, hashed) password different every time. Its actually the second argument to the crypt() function which is responsible for hashing your passwords.
The man page also says that if your salt is "$1$" then it will encrypt with the MD5 algorithm instead of DES. If you look at what you just posted, your hashed password starts with "$1$". I don't know what is going on but there is more information for you. Check out the crypt man page again.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.