Perfect answer Alan, many thanks...

On 2012-01-10 3:38 PM, Alan McKinnon <alan.mckin...@gmail.com> wrote:
On Tue, 10 Jan 2012 13:46:59 -0500
Tanstaafl <tansta...@libertytrek.org> wrote:

Ok, I did something really dumb...

I changed the root passwd for a system I manage last week, but
neglected to write it down, and now what I *thought* I had changed it
to isn't working... I know, I know, really *really* dumb, but that's
where I am...

I know I can boot into Single User mode, remount the root partition
read/write, and edit /etc/shadow (removing the encrypted passwd),
then reset it using passwd, but...

Some of the accounts in /etc/shadow have a '*' where the encrypted
passwd would be, and some have a '!'... (ie, one is sshd:!:... and
another is halt:*:...)

Does it matter what I change it to? Should I use a *, !, or nothing
at all (so that there is *nothing* between the two :: that would
normally contain the encrypted passwd)?

The password field in shadow contains one of three types of values:

- a valid hash
- nothing (meaning the account has no password at all)
- an invalid hash (meaning the account cannot be logged into as no
   password will ever hash to that value)

The third type has some standard values set by convention over the
years to indicate why the password is not valid. Because they are just
loose conventions there's not much consistency but usually it goes like
this:

* means the account is definitely a system account, should never have a
   valid shell and no-one must ever log into that account. Accounts like
   bin are like this, and Gentoo gives these /bin/false as a shell

! means it is a valid account that probably should not have a login
shell but might run with a proper environment. The man account is like
this and Gentoo usually gives these nologin as a shell.

So what's the difference? Not much really, it's all a fine case of
semantics and to you they ought to be treated the same. I might even
have the explanation the wrong way round or be completely wrong, that's
how poorly documented this all is :-)

To reset root's password, set the field to blank (nothing between
the ::)
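
As an added example that is not part of the original thread: a small Python classifier that sorts the shadow password field into the three types described above, so a field left blank after a recovery is easy to spot. The sample lines are constructed, the hash-shape check is a heuristic assumption of this example, and a leading `!` on a real hash is treated as a locked password (what `passwd -l` produces).

```python
import re

# Heuristic shapes for crypt(3) output (an assumption of this example):
# modular "$id$..." hashes, or the 13-character traditional DES form.
MODULAR = re.compile(r"^\$[0-9a-zA-Z]+\$.+")
DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def looks_like_hash(field):
    return bool(MODULAR.match(field) or DES.match(field))

def classify(field):
    """Map a shadow password field to the types described in the reply."""
    if field == "":
        return "empty"          # nothing between the colons: no password
    if looks_like_hash(field):
        return "hash"           # a valid hash
    if field.startswith("!") and looks_like_hash(field.lstrip("!")):
        return "locked-hash"    # real hash made invalid by a leading '!'
    return "invalid"            # '*', '!', '!!': no password hashes to it

def audit(shadow_text):
    """Return {account: classification} for every well-formed line."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue            # blank, comment or malformed line
        result[parts[0]] = classify(parts[1])
    return result

# Constructed sample, not taken from a real system.
SAMPLE = """\
root::15349:0:99999:7:::
halt:*:9797:0:::::
sshd:!:15000:0:99999:7:::
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./:15349:0:99999:7:::
bob:!$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./:15349:0:99999:7:::
"""

if __name__ == "__main__":
    for account, kind in audit(SAMPLE).items():
        flag = "  <-- no password required" if kind == "empty" else ""
        print(f"{account:8} {kind}{flag}")
```
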


