Login accounts have an inactivity timer set at 35 days. That is, /etc/pam.d/passwd-auth has a line
auth required pam_lastlog.so inactive=35
So I get lines like
sshd[29629]: pam_unix(sshd:account): account weaverw has expired (failed to change password)
sshd[29629]: pam_lastlog(sshd:account): user weaverw inactive for 71 days - denied
Question: what is the best way to re-activate these accounts? What the SA's have been doing is su over to the account, then exit, so it will have an entry in lastlog, but this seems inelegant.
Best Answer
To fix the
pam_unix
password expiration, edit/etc/shadow
. It has the format [colon separated fields]:username:passwd:number_of_days_since_pw_changed:...
and set the 3rd field to zero.
To fix the
pam_lastlog
it's a bit uglier. The control file is/var/log/lastlog
. It's a compressed and/or binary format file.It can be viewed with the
lastlog
utility. But [AFAICT] the utility provides no mechanism to change an individual entry.It seems the recommended method is to null out the file. While this changes it for all users, this is less severe than the passwd expiry changes.
cp /dev/null /var/log/lastlog
will do this without disturbing theselinux
permissions.The
usermod
utility will reset the information for a single user but only when using the-u
option to change the user's uid. Perhaps, used in conjunction with-o
:At worst, do it in two commands, first setting uid to new unique uid, then set it back to the old one. For example, if the user's uid was 5001 and there was no uid 5500 in use, do:
If you really want to preserve most information in
/var/log/lastlog
and the above doesn't work, theshadow-utils
source package has a way to do it ...Here's the source snippet from useradd:
Here's a snippet from usermod:
The definition for
struct lastlog
comes from#include <lastlog.h>
and will look like: