How/why my qubes user password has expired?

I’m here to ask you for help in determining if my qubes user password has actually expired and why. Below is description of what I’ve been trough today:

I had issue unlocking my screen using my password. After multiple tries and reboots it worked! As soon as I was in I tried to change my password using passwd and it failed:

Changing password for user user.
Changing password for user.
Current password: 
passwd: Authentication token manipulation error

Then I checked my password status with passwd -S:

sudo passwd -S user
user PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)

Quick search told me that 1969-12-31 means the password has expired. But how? Why I wasn’t asked to change it?

Next I ran:

sudo passwd user
Changing password for user user.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

to update my password and the new one has correct date:

sudo passwd -S user
user PS 2022-03-15 0 99999 7 -1 (Password set, SHA512 crypt.)

Right now I’m scared to log out/lock my screen :joy:
I appreciate any hints you send my way - what should I look for in logs?
If I don’t reply for too long it means I got locked out again…

There shouldn’t be any password expiration in Qubes (unless you configured it to do that yourself).

Thanks for reply @adw !
That sounds reasonable to me - no password expiration - that’s why I was surprised.
I did a fresh install of Qubes 4.0.4 and I get the same result:

sudo passwd -S user
user PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)

And password works just fine, so maybe I’m mistaken that it has expired in the first place?

I’m curious so I read the passwd man page for the -S option:

-S, --status
  This  will output a short information about the status of the password
  for a given account. The status information consists of 7 fields.  The
  first  field  is  the user's login name. The second field indicates if
  the user account has a locked password (LK), has no password (NP),  or
  has a usable password (PS). The third field gives the date of the last
  password change. The next four fields are  the  minimum  age,  maximum
  age,  warning  period,  and  inactivity period for the password. These
  ages are expressed in days.

  Notes: The date of the last password change is stored as a  number  of
  days  since  epoch.  Depending on the current time zone, the passwd -S
  username may show the date of the last password change that is differ‐
  ent from the real date of the last password change by ±1 day.

  This option is available to root only.

So the date is the last password change, not the expiration date.

All the details:

  • PS for usable password (not locked)
  • 1969-12-31 for the last password change
  • 0 for the minimum age
  • 99999 for the maximum age in days (before expiration)
  • 7 for the warning period
  • -1 for inactivity period

So your password will expire in 2243:

python -c "import datetime; print(datetime.datetime.strptime('1969-12-31', '%Y-%m-%d') + datetime.timedelta(days=99999))"
2243-10-15 00:00:00

So thanks @PablO, Today I Learned all the details of the passwd --status command, and also all the readers :wink:

1 Like

Correct, it is the last password change date, but there’s a catch:

1 Like

But has your password actually expired, or does it still work? If it still works, then clearly it hasn’t expired (or else “expiration” doesn’t mean what we expected).

I managed to changed it since then. It worked only one time after multiple attempts and reboots. I even typed my password in the user name field to check if it’s correct and then copied it to password field.

There was like 2h break after my attempts and when it finally worked - is it possible that I got locked out for that period due to too many tries?

faillock --user user

Nope, this returns nothing, is there something else I can check? :thinking: