Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

unix_chkpwd[4275]: account root has password changed in future

2,840 views
Skip to first unread message

Jeff

unread,
Feb 5, 2010, 1:20:15 PM2/5/10
to
Hi-

This message is scrolling in my /var/log/secure file over and over:

unix_chkpwd[4275]: account root has password changed in future

I checked both /etc/passwd and /etc/shadow dates, I even 'touched'
both to be sure they are current and still this message continues
to scroll over and over every 1-5 minutes.

Can someone tell me what else to look for? My machine is
very locked down and nobody uses it but myself, so Im fairly
sure it hasnt been compromised.

Thanks

Lew Pitcher

unread,
Feb 5, 2010, 3:57:34 PM2/5/10
to

You say that you checked the /etc/shadow date. /Which/ date in /etc/shadow
did you check? Did you check the third field of root's /etc/shadow entry
for validity? If that third field is greater than $((`date +%s` / 60)),
then that might explain the error message.

FWIW,
shadow contains the encrypted password information for user's
accounts and optional the password aging information. Included is

Login name

Encrypted password

Days since Jan 1, 1970 that password was last changed

etc.

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------


Jeff

unread,
Feb 5, 2010, 5:28:55 PM2/5/10
to

> You say that you checked the /etc/shadow date. /Which/ date in /etc/shadow
> did you check? Did you check the third field of root's /etc/shadow entry
> for validity? If that third field is greater than $((`date +%s` / 60)),
> then that might explain the error message.
>

Ok I didnt realize it was the date inside the shadow file.
The third field was 19110. I set it down to 10 and it worked,
messages went away. Not sure how the other value ever
got there though.

Thanks for your help

Lew Pitcher

unread,
Feb 5, 2010, 6:12:09 PM2/5/10
to
Minor correction

On February 5, 2010 15:57, in comp.os.linux.security, lpit...@teksavvy.com
wrote:

> On February 5, 2010 13:20, in comp.os.linux.security, je...@rahul.net
> wrote:
>
>> Hi-
>>
>> This message is scrolling in my /var/log/secure file over and over:
>>
>> unix_chkpwd[4275]: account root has password changed in future
>>
>> I checked both /etc/passwd and /etc/shadow dates, I even 'touched'
>> both to be sure they are current and still this message continues
>> to scroll over and over every 1-5 minutes.
>>
>> Can someone tell me what else to look for? My machine is
>> very locked down and nobody uses it but myself, so Im fairly
>> sure it hasnt been compromised.
>
> You say that you checked the /etc/shadow date. /Which/ date in /etc/shadow
> did you check? Did you check the third field of root's /etc/shadow entry
> for validity? If that third field is greater than $((`date +%s` / 60)),

Oops... that expansion gives the number of minutes since Jan 1 1970.
For /days/, we want
$((`date +%s` / (60*60*24)))
which, on my system, right now, evaluates to
~ $ date && echo $((`date +%s` / (60*60*24)))
Fri Feb 5 18:11:52 EST 2010
14645

0 new messages