{"id":276,"date":"2010-11-28T13:08:40","date_gmt":"2010-11-28T18:08:40","guid":{"rendered":"http:\/\/blog.alanporter.com\/?p=276"},"modified":"2010-11-28T13:08:40","modified_gmt":"2010-11-28T18:08:40","slug":"passwd-and-chage","status":"publish","type":"post","link":"https:\/\/alanporter.com\/blog\/2010\/11\/28\/passwd-and-chage\/","title":{"rendered":"Disabling Linux user accounts – passwd and chage"},"content":{"rendered":"

On internet-facing machines, I like to disable the root password so that you can only log in as root using an SSH key. \u00a0This is done by setting the seemingly-scary option PermitRootLogin without-password<\/code> in \/etc\/ssh\/sshd_config<\/strong> . \u00a0This option means that you can ONLY use a key to log in as root… a password will never be accepted, and so you can not guess it by trial-and-error.<\/p>\n

While I am at it, I go ahead and disable the root password completely. \u00a0That’ll be one less thing for me to remember, and one less thing to keep secret.<\/p>\n

First, be sure that you have at least one “sudoer” user, or at least one SSH key in ~root\/.ssh\/authorized_keys<\/strong> . Otherwise, you’ll realize in an “ignisecond<\/a>” that you’ve just locked yourself out.<\/p>\n

Then, use the passwd<\/code> command to “lock” the account.<\/p>\n

\n$ passwd -l root\n<\/pre>\n
This command will put a !<\/strong> character in the password field of the \/etc\/shadow<\/strong> file so that no password hash will ever match the string in the shadow file.<\/p>\n
But on SOME SYSTEMS, it also does a second thing — it may change the account expiration date to January 2, 1970.  This will prevent SSH access, even with a key.<\/p>\n
While researching this article, I had this “world-shifting-under-me” feeling, as I distinctly remember having to work around this issue.  However, on every system I tried, I could not reproduce the expiration-date-changing behavior.  Then I found that it was an issue that flip-flopped in the Debian community between 2006 and 2008.  In 2006, they made the passwd -l<\/code> command lock the password<\/em> and also<\/strong> expire the user account<\/em>.  But in 2008, they decided that the change affected too many people, where most had grown accustomed to the passwd<\/code> command affecting the password<\/em> only, and not touching the account expiration date.<\/p>\n
If you want to change the account’s expiration date, you should use the chage<\/code> command.<\/p>\n
\n$ chage -E -1 root  # never expire\n$ chage -E 1 root  # expire on Jan 2, 1970\n$ chage -E 0 root  # not recommended, undefined behavior\n$ chage -E 2010-12-25  # expire on a specific date\n<\/pre>\n
So here I was, all set to share a nugget of wisdom with the world, and instead, it ends up being a trip down memory lane.  However, in the process, I learned a couple of things.<\/p>\n
A very safe way to disable a user account’s password, while keeping the account open to SSH access is like this: passwd -l user && chage -E -1 user<\/code> .  The chage<\/code> part is unnecessary on modern systems, but it does not hurt anything.<\/p>\n
A quick way to check on whether a password is locked, or a user account is expired, is to use passwd -S user<\/code>, like this.<\/p>\n
\n$ passwd -S user\nuser P 09\/11\/2007 0 99999 7 -1\n<\/pre>\n
This says that user<\/strong>‘s password is<\/em> set (P), it was changed way back 2007, there is no minimum age (restriction on how often they can change their password), there’s a very long maximum age (time when they are forced to change their password), the warning period is one week, and the account is not inactive\/expired.<\/p>\n
So there you go, two for one, a Linux tip and a history lesson!<\/p>\n","protected":false},"excerpt":{"rendered":"
On internet-facing machines, I like to disable the root password so that you can only log in as root using an SSH key. \u00a0This is done by setting the seemingly-scary option PermitRootLogin without-password in \/etc\/ssh\/sshd_config . \u00a0This option means that you can ONLY use a key to log in as root… a password will never […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,15],"tags":[],"class_list":["post-276","post","type-post","status-publish","format-standard","hentry","category-software","category-tips-tricks","count-0","even alt","author-alan","last"],"_links":{"self":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/posts\/276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/comments?post=276"}],"version-history":[{"count":0,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/posts\/276\/revisions"}],"wp:attachment":[{"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/media?parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/categories?post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alanporter.com\/blog\/wp-json\/wp\/v2\/tags?post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}