[SunHELP] root passwd expired

Steve Sandau ssandau at gwi.net
Wed Nov 30 14:10:59 CST 2005

velociraptor wrote:
> On 11/29/05, Steve Sandau <ssandau at gwi.net> wrote:
>>So, 'sudo passwd root' will work within an ssh or telnet session with an
>>expired password? I thought I remembered that 'su -' failed. there's a
> Assuming that your sudo privs are set to: ALL = (ALL) ALL
> I could test with a more limited set (toss me an example) if you like;
> I have lab boxes I can fiddle with.

No specific example. Last couple of times I have just done the console 
thing. Only other time I had a problem someone else added a user and 
changed the word 'root' in /etc/shadow to 'Root' (you know, down arrow 
or something changes the case of letters sometimes in vi on Solaris).

That one nothing would fix short of a CDROM boot. (Actually didn't have 
a CDROM drive since someone hid it on me. Had to take the damn drive 
out, put it in another box, run devfsadm to get it recognized, mount the 
partition and edit the shadow file.)

> I used this two weeks ago when we got burned by root password
> expiration on a few of our Solaris 8 & 9 servers--hence the comments
> about the cron job as well.  :-/  Sysadmin->bullet->foot.

We now have a console server so I can get to the console and aviod stuff 
like this.

> I have to say that I have been quite tempted to make root "*NP*" on
> the Solaris 9 boxes and then just install public keys for each of us
> that have to admin the boxes, but I know that on some bloody
> horror story day I'd regret that choice.

I'd rather not have anyone logging in directly as root on the boxes I 
admin. In fact, I think the "rules" may forbid that expressly.

> Anyone have any other suggestion for avoiding the issue other than
> making root not expire at all?  Does anyone know if Solaris 10 root
> cron jobs stop working if the root password expires?

Only thing I have done is write on the calendar the next time we need to 
change the root password. I guess you could set up a cron to email you 
once every password-change-period or something like that. Maybe I'll 
look into that: an email when the password expiration is 10 days away or 

Ought to be able to compare the third field in /etc/shadow (last change 
in days since the epoch) with today's date in the same format and send 
an alert if it is greater than a certain number.


More information about the SunHELP mailing list