how to remove the non : characters after the password in shadow file?

On SPARC Solaris 10, I set the app account so it's expired. I also want it
so that it is not required to change its password at first login. I can do this by
removing the numbers after the password in /etc/shadow.

Example using user1:

The /etc/shadow file looks like this:

user1:kOmcVXAImRTAY:0::::90::

Want it to be like this:

user1:kOmcVXAImRTAY:::::::

How can I do that via a script? I want to do it on multiple servers, hence the script.

To disable password expiration use:

passwd -x -1 user1

To disable forced password change on next login use:

passwd -u user1

I do that, but then when the app tries to ssh to this app account, they are required to change password at first login.
I don't want that. When I remove everything between the : after the password, then the pw doesn't need to be changed anymore either.

I edited my post. To avoid forced password change use:

passwd -u user1

Hmmm, I didn't see the other part with the -u. I thought that was just for unlocking a locked password. I will try it. Thanks.

---------- Post updated at 06:53 PM ---------- Previous update was at 03:38 PM ----------

This works as desired in the global zone

ssh $nn "passwd -x -1 fstone;passwd -u fstone"

but not in a zone. I end up with the 90 that I need to get rid of:

user1:irCl6P1wBEBUQ:15569::::90::

To get rid of the "90" use the second command...

passwd -x -1 user1

Getting rid of the User ID (the value between the 2nd and 3rd <colon>s) and Group ID (between the 3rd and 4th <colon>s) is a VERY BAD idea. It will either make it impossible for any of the users whose entries you changed to log in or it will give all of them root access!

You are talking about fields from /etc/passwd. OP was considering editing /etc/shadow.

First I used passmass to reset the application account (e.g. app1) password back to what it originally was on multiple servers.

Then via a script I did this on multiple servers:

# Turn off password aging (so pw won't expire)

passwd -x -1 app1

# Set app account so not required to change password at first login

passwd -u app1

That results in this:

app1:LgqREiwpnwoJk:15569::::90::

Then I got rid of the 90 using the rest of the script. It looks like this:

app1:LgqREiwpnwoJk:15569::::::

Now it works the way it should.

Note:

Field 3 (15569) is the last password change (lastchanged): days since Jan 1, 1970 that the password was last changed. I no longer care about it but left it there.

Field 4 is Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.

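The last post mentions a field-blanking step but does not show it. The sketch below is an added example, not the poster's script. It assumes the nine-field shadow(4) layout, in which the 90 sits in field 7 (inactive); the function name, the AWK variable and the root line in the sample are made up here.

```shell
#!/bin/sh
# Added example (not the poster's script): blank chosen aging fields for one
# account in shadow(4)-format text read from stdin; result goes to stdout.
# Fields: 1 user, 2 hash, 3 lastchg, 4 min, 5 max, 6 warn, 7 inactive,
#         8 expire, 9 flag
# Assumption: an awk that supports -v. On Solaris 10 that is nawk or
# /usr/xpg4/bin/awk, so set AWK accordingly.
AWK=${AWK:-awk}

# clear_shadow_fields ACCOUNT FIELDS   (FIELDS: comma-separated, 3-9 only)
# Exit status: 2 bad field list, 3 malformed line, 4 account not found once.
clear_shadow_fields() {
    "$AWK" -F: -v OFS=: -v user="$1" -v list="$2" '
        BEGIN {
            n = split(list, want, ",")
            if (n == 0) { rc = 2; exit 2 }
            # never touch the account name (1) or the password hash (2)
            for (i = 1; i <= n; i++)
                if (want[i] !~ /^[3-9]$/) { rc = 2; exit 2 }
        }
        # a line without exactly 9 fields means the input is not trusted
        NF != 9 { rc = 3; exit 3 }
        $1 == user { for (i = 1; i <= n; i++) $(want[i]) = ""; hits++ }
        # buffer everything so nothing is printed unless the whole run is clean
        { out[NR] = $0 }
        END {
            if (rc) exit rc
            if (hits != 1) exit 4
            for (i = 1; i <= NR; i++) print out[i]
        }
    '
}

# Constructed sample: the root line is made up, the app1 line is the one
# quoted in the thread. Field 7 holds the 90.
clear_shadow_fields app1 7 <<'EOF'
root:NP:6445::::::
app1:LgqREiwpnwoJk:15569::::90::
EOF
```

Send the output to a new file and replace the original only when the function returns 0, keeping the original's owner and mode.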