CRON: Authentication token is no longer valid; new one required


ML mail

Feb 5, 2015, 5:50:04 AM
Hello,

I am trying to run cron from /etc/cron.d with the root account which has password disabled in order not to be able to login as root but when the cron entry wants to run it simply does not and shows the following error message in the log file:


CRON[16785]: Authentication token is no longer valid; new one required


Any idea how to run a cronjob from /etc/cron.d with the root account disabled?

Regards
ML


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: https://lists.debian.org/951355195.151465.14231...@mail.yahoo.com

Bob Proulx

Feb 5, 2015, 4:20:05 PM
ML mail wrote:
> I am trying to run cron from /etc/cron.d with the root account which
> has password disabled in order not to be able to login as root but
> when the cron entry wants to run it simply does not and shows the
> following error message in the log file:
>
> CRON[16785]: Authentication token is no longer valid; new one required

This reads to me that the password for root has expired. It is the
state of an expired password that is a problem.

When you say that the root password has been disabled what exactly do
you mean by that statement? Did you 'passwd -e root'? If so that is
the source of the problem. Root should not have an expired password.

What does this say? Example from a system of mine.

$ passwd --status root
root P 05/01/2010 0 99999 7 -1

> Any idea how to run a cronjob from /etc/cron.d with the root account
> disabled?

I didn't have time to test this procedure but I would use 'passwd
root' to change the password and to fix the expiration. (Actually *I*
would simply edit the /etc/shadow file and fix it but for others I
recommend using the tool to avoid a file editing mistake in that very
critical file.) After updating the password I think the expiration
problem will have been fixed. You don't actually ever have to use
that password.

Bob

ML mail

Feb 6, 2015, 3:50:05 AM
The result of running passwd --status tells me that the password needs to be changed as actually I had in my /etc/shadow file only a "!" as password in order to safely disable the root account. It looks like this is not compatible with the cron.d system. I have changed the password and then locked the account (passwd -l) and now it works. The thing is that I wanted to remove the password from the /etc/shadow file as with the lock option the password is still there but with a "!" before it.

wolf....@gmail.com

Feb 6, 2015, 5:10:04 AM
The '!' means root login is disabled, not that the root account is disabled. su - with a blank root password lets anyone switch user to root without slowing down to crack the password. That is not a safe goal.

Sent from my iPhone

Reco

Feb 6, 2015, 6:30:06 AM
Hi.

On Fri, Feb 06, 2015 at 05:07:58AM -0500, wolf....@gmail.com wrote:
> The '!' means root login is disabled, not that the root account is disabled. su - with a blank root password lets anyone switch user to root without slowing down to crack the password. That is not a safe goal.

There's a difference between a locked empty password (which is defined by
single exclamation mark in /etc/shadow) and an empty password (no symbol
in /etc/shadow).
A single exclamation mark will prevent using su -.
An empty non-locked password will work the way you describe.

man 5 shadow :)

Reco



ML mail

Feb 6, 2015, 2:50:05 PM
So if I understand correctly it is not possible to use cron.d with simply the "!" character in the shadow file? I need to have "!" + password? Do I understand that correctly?

Reco

Feb 6, 2015, 3:30:06 PM
Hi.

On Fri, 6 Feb 2015 19:39:42 +0000 (UTC)
ML mail <mlno...@yahoo.com> wrote:

> So if I understand correctly it is not possible to use cron.d with simply the "!" character in the shadow file? I need to have "!" + password? do I understand that correctly?


My current configuration is:

# head -1 /etc/shadow
root:!:15829:0:99999:7:::

Cron is definitely working for me. Today it launched /etc/cron.d/mdadm,
for example.

PS. Please don't add me in CC as I'm subscribed to the list.

Reco



Bob Proulx

Feb 8, 2015, 3:00:04 AM
ML mail wrote:
> Bob Proulx wrote:
> > It is the state of an expired password that is a problem.
> > ...
> > What does this say? Example from a system of mine.
> >
> > $ passwd --status root
> > root P 05/01/2010 0 99999 7 -1

> The result of running passwd --status tells me that the password
> needs to be changed as actually I had in my /etc/shadow file only a
> "!" as password in order to safely disable the root account.

That is not what it said. What did it say? Don't paraphrase. Copy
and paste the result verbatim.

When you looked at the status the password was expired, right?
The date field said "01/01/1970" didn't it?

> It looks like this is not compatible with the cron.d system.

That is not correct. As I said it is because you have set root to
have an *expired* account. So far nothing you have said offered any
evidence that it was anything different.

> I have changed the password and then locked the account (passwd -l)
> and now it works.

When you changed the password it reset the expiration. That was the
critical part. It was no longer expired. Whew! That is the part
that allowed everything to work.

Then locking the account placed an impossible to match character into
the password field. Traditionally the '*' and '!' are the characters
used for this. Most greybeard unix hackers will always use '*' there
but the password program uses '!' specifically to distinguish manual
modifications from programmatic modifications. If you see '*' then a
human did it. If you see '!' then the passwd program did it. That
was the plan anyway. Humans can put '!' there if they want. The
result is the same.

> The thing is that I wanted to remove the password from the
> /etc/shadow file as with the lock option the password is still there
> but with a "!" before it.

Then remove the password. It is good if there isn't any time when
root has no password even if that time were short. Use the passwd
command ('passwd -d -r root') to do both operations for you.

# grep ^root: /etc/shadow
root:!:15616:0:99999:7:::

# grep ^root: /etc/shadow
root:!:0:0:99999:7:::

That shows the bad case. The password is "expired". The 0 in the
date of password change field indicates that the account must change
the password before being allowed to log in again.

# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

# grep ^root: /etc/shadow
root:$6$23Bv5nXR$8JWwl8.Dk2xTT7KN7jyloWUfT7ikTAmTIEpeeyfMPHVrOrOwndyTfK.x50yEM.gEvm47RPZ53JhT3ved5EQRs1:16474:0:99999:7:::

Password expiration has now been reset. The 16474 number in the date
field. 16474 days since Jan 1, 1970.

# passwd -d -l root
passwd: password expiry information changed.

# grep ^root: /etc/shadow
root:!:16474:0:99999:7:::

The password has been removed and the account has been locked by
having an impossible to match character placed in the password field.
But the account

Bob
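
An added example, not part of any message in this thread: a small audit function that reads shadow(5)-format lines and reports, per account, the two things the thread keeps separate, the state of the password field (empty, "!" or "*" alone, "!" in front of a hash) and the state of the last-change field (0 means a change is forced, the case the replies above identify as the cause of the cron error). The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample entries; field values modelled on the ones quoted above.
sample_shadow() {
    cat <<'EOF'
locked-ok:!:16474:0:99999:7:::
locked-expired:!:0:0:99999:7:::
hash-kept:!$6$constructed$placeholder:16474:0:99999:7:::
aged-out:$6$constructed$placeholder:16000:0:90:7:::
no-password::16474:0:99999:7:::
EOF
}

# Read shadow(5)-format lines on stdin; print "name lock-state aging-state".
# $1 = today as days since 1970-01-01 (defaults to the current date).
shadow_audit() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    NF < 9 { next }                                  # skip non-entries
    {
        pw = $2; lastchg = $3; max = $5

        # Field 2: what can authenticate with a password.
        if      (pw == "")               lock = "EMPTY-PASSWORD"
        else if (pw == "!" || pw == "*") lock = "locked-no-hash"
        else if (pw ~ /^!/)              lock = "locked-hash-kept"
        else                             lock = "password-set"

        # Field 3 (last change) and field 5 (maximum age).
        if      (lastchg == "")          age = "aging-disabled"
        else if (lastchg + 0 == 0)       age = "MUST-CHANGE"
        else if (max != "" && today + 0 > lastchg + max) age = "EXPIRED"
        else                             age = "ok"

        print $1, lock, age
    }'
}

# On a real system, as root:  shadow_audit < /etc/shadow
sample_shadow | shadow_audit 16474
```

Any account that runs cron jobs and shows MUST-CHANGE or EXPIRED is a candidate for the log message in the subject line; EMPTY-PASSWORD is the unlocked blank password discussed earlier in the thread.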