I am so confused! I changed my security profile to ‘paranoid’ (I’m a Linux noob) and accidentally locked myself out of everything! Including su, sudo, YaST, etc. Please help! (openSUSE 11.1)
Can you boot into runlevel 3, log in as root, and adjust things in the ncurses YaST?
How do I do that? Sorry, I’m a Linux noob-sauce.
I accidentally locked myself out of etc/passwd (major noob = me)
At the boot menu, move the selection box over ‘openSUSE’, press 3, press return, it’ll ask you for a user name and password.
Type root and your root password, then once you’re logged in, you should be able to type ‘yast’, and hopefully undo whatever strangeness you may have unleashed…
Once you’re all done, type ‘reboot’, and your system should boot normally…
Correction. Looks like my suggestion won’t work…
this has saved my butt a couple of times…
root password recovery
If you have forgotten root password don’t worry, there is an easy way to reset it and create a new one
- disconnect computer from the network (you will work with root privileges)
- boot from your first install CD and press F1 at the first screen, then choose “Rescue System” from the menu and at the prompt type:
#root
You do NOT need a password - next at the prompt enter:
cd /etc
vi passwd
Next, press “i”
in the passwd file look for root line (something like):
root:x:0:0:root:/root:/bin/bash
delete the “x” after “root:” leave the colons!
After the modification above line should look like this:
root::0:0:root:/root:/bin/bash
Save file and exit:
Press ESC then wq and enter
Next edit:
vi shadow
Press ESC then “x” (x will delete letter under cursor)
change root line from something like:
root:$2a$05$sin5i458ghsdfg8076t5ymp4y;jgslkdbvffd bshmRK:12856:0:10000::::
to
root::::
note four colons left!
Save the file:
ESC next wq
This no longer works. First, the shadow file now has 8 colons, not 4. Second, after this has been done, typing “su” gets the response “bad password” without ever prompting for the password.
As a still further annoyance, simply trying to change the password (on a non-privileged account) gets in my case: “Bad password: too similar”. On my home system, I will be the judge of what is an appropriate password! >:(
I bought my first personal computer in 1978. I was looking at a DEC PDP8 and a Heathkit H-89. The choice was made easy for me. I tried out the H-89. It asked for the time and date. I ignored it. It let me in. Next, I tried the PDP8. It asked for the date and time. I ignored it. It would not let me use the computer until I gave it the date and time. I returned to the Heathkit store and bought the H-89.
I will not use a computer (or an operating system) that does not know who is in charge! It appears that SuSE is getting the same disease the DEC designers had. Take a look at where DEC is now.
I bought my first SuSE system about 15 years ago. I have stuck with it even after it fried one monitor and later killed a video card. If this kind of “attitude” is going to infect SuSE, I’m going somewhere else. There are certainly lots more alternatives now! >:)
I think you were not sufficiently forceful enough with your password change. IIRC if you insist and go through with the password change, it will do what you ask, in spite of the complaint about the weak password. Go on, show your system with an attitude who is really in charge.
I am dead serious. I tried repeatedly. I suggest you try it on SuSE 11.2 x64. I am now in the middle of reinstalling it with the same password for both root and the nonprivileged user, a compromise I am temporarily willing to accept.
Worked fine for me. 11.2 x86_64.
me:/home/me # passwd me
Changing password for me.
New Password:
Bad password: too short
Reenter New Password:
Password changed.
If you want to silence the check for non-root users, then I think you just need to comment out this line in /etc/pam.d/common-passwd:
password requisite pam_pwcheck.so nullok cracklib
There you go, you’re in charge again.
Apparently, the response depends on the complaint:
passwd
Old password:
New password:
Bad password: too similar
New password:
Bad password: too similar
New password:
Bad password: too similar
New password:
I’ll try the change you suggested. Thanks!
I tried it. Commented out the line you suggested. Result:
passwd
Old password:
passwd: Authentication token manipulation error.
When I take out the “#” it goes back to the complaint. In any case, I have been able to set the root password at what I want, and I don’t need to change the other password, so I’m OK for now, but my general observation applies:
openSuSE appears to be aiming at a commercial audience, and they’re tightening up the security features enough that it may leave the more casual user, and even the unsophisticated commercial user, frustrated.
The real issue that is hanging over my latest install is this: It is not uncommon for new users to mistype, forget or misspell the root password. The method I used some years ago to repair that problem does not work. The one earlier in this thread also does not work, and it took me about 20 minutes of searching to even find that post from last Summer. Root password recovery is not mentioned in the FAQs, even though I know that is a frequent, urgent issue.
SuSE is now making it difficult (impossible?) for even moderately experienced systems guys to recover from a lost root password. That is a major issue regarding usability.
Well I was only guessing, and didn’t try out my previous suggestion. Try this, which I have verified. Instead of commenting out that line, change it to:
password requisite pam_pwcheck.so nullok no_obscure_checks
There you are, no need to blame anybody for something you have control over.
In any case, root doesn’t go through these checks, as I have already shown, so you can change anybody’s password as root to anything, simple or not.
Incidentally pam_pwcheck goes back to 2002 so this policy has been in place for a while.
Yup, that got it! That problem is solved.
Regarding the root password, I found shadow documentation: Linux Password & Shadow File Formats which suggests that when using the recovery system, I probably need to make the fourth parameter a zero to enable password changing.
In the present case, I had no problem reinstalling the (virgin) system. Once I have added programs and data, I wouldn’t want to do that. Fortunately, I am very unlikely to forget the (simple) password I have now been able to set!
Thanks for showing me that Flux Capacitors still live and work!
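As an added example (not part of any post in this thread): a check of the nine-field, eight-colon shadow(5) layout mentioned above, flagging malformed lines and empty password fields in a shadow file edited from a rescue system. The function names and the sample lines are constructed for illustration.

```python
# Added example: sanity-check shadow(5) lines after a manual edit.
FIELDS = ("name", "password", "last_change", "min_age", "max_age",
          "warn", "inactive", "expire", "reserved")

def parse_shadow_line(line):
    """Split one shadow line; reject anything that is not 9 fields (8 colons)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))

def password_state(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"      # no password is required for this account
    if field[0] in "!*":
        return "locked"     # no typed password can match this value
    if field.startswith("$"):
        return "hashed"     # $id$... crypt(3) hash
    return "other"          # e.g. a legacy DES hash

def audit(text):
    """Return (line_number, account, finding) for every line worth a look."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_shadow_line(line)
        except ValueError as err:
            findings.append((num, line.split(":")[0], "malformed: %s" % err))
            continue
        if password_state(entry["password"]) == "empty":
            findings.append((num, entry["name"], "empty password field"))
    return findings

# Constructed sample, not a real shadow file; the hash is a placeholder.
SAMPLE = """\
root:$2a$05$PLACEHOLDERHASH:12856:0:10000::::
root::::
me::14610:0:99999:7:::
daemon:*:14610::::::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any account reported with an empty password field should be given a password with passwd as soon as the system is back up.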
Well I’m actually from an even earlier era, but out of curiosity I looked and it’s easy for anybody to make a Flux Capacitor.
Rook’s Tutorial Page: M1A1 Disassembly
or buy one if you have more money than time:
ThinkGeek :: Flux Capacitor Replica
or if you are cheap:
but page apparently requires a signup, which I declined.
Funny, I thought an M1A1 was something else that went by the name of Abram … anyway, time travel may have been based on the Flux Capacitor, but I’m sure there wasn’t a Flux Capacitor Penguin anywhere near it!
Anyway, I just took a trip out into the garage to confirm that I still have an Eye of the Storm plasma ball, with which I will challenge the Flux Capacitor any time!
Since the top two hits are Google archives of newspaper ads from the 80s: Toledo Blade - Google News Archive Search I conclude I have a real collector’s item – if there’s anybody left to collect them!
It’s after midnight here. Thanks again for the help and encouragement! SuSE is now cleaned up enough that I backed up its partition, so I’m sure I can get back to a running state easily.
Happy New Year, and good night!
I replicated the problem by going paranoid, which locked me out of graphical (kdm) both as user and root.
The fix is to go to yast via virtual terminal (alt-ctl f1-f6), running yast
and resetting from paranoid to easy. A reboot was necessary.
Thanks for the reminder of the virtual consoles. The “text” yast is also much more useful than it was the last time (perhaps 10 years ago) that I tried it.
However, that does not solve the “bad root password” problem. In order to run yast with an ability to change security settings, it is necessary to login to the virtual console as root. (It is interesting that an ordinary user can start yast, he just can’t do much.)
I have (presumably) protected myself against incorrectly changing passwords by backing up /etc/password and /etc/shadow (that assumes there are no other files involved in password authentication).
It still appears to me that a lost root password requires an intervention from the recovery system. I guess the details of the process shall remain obscure, probably to the relief of the security gurus.
That has always been the case on Unix/Linux. Otherwise an ordinary user could initiate an “I lost the root password” recovery without using a recovery system and change the root password.
However if a user has sudo permissions or similar, it could be changed from there.