Hello!
I’m here to ask you for help in determining if my qubes user password has actually expired and why. Below is description of what I’ve been trough today:
I had issue unlocking my screen using my password. After multiple tries and reboots it worked! As soon as I was in I tried to change my password using passwd and it failed:
passwd
Changing password for user user.
Changing password for user.
Current password:
passwd: Authentication token manipulation error
Then I checked my password status with passwd -S:
sudo passwd -S user
user PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)
Quick search told me that 1969-12-31 means the password has expired. But how? Why I wasn’t asked to change it?
Next I ran:
sudo passwd user
Changing password for user user.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
to update my password and the new one has correct date:
sudo passwd -S user
user PS 2022-03-15 0 99999 7 -1 (Password set, SHA512 crypt.)
Right now I’m scared to log out/lock my screen
I appreciate any hints you send my way - what should I look for in logs?
If I don’t reply for too long it means I got locked out again…
Thanks for reply @adw !
That sounds reasonable to me - no password expiration - that’s why I was surprised.
I did a fresh install of Qubes 4.0.4 and I get the same result:
sudo passwd -S user
user PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)
And password works just fine, so maybe I’m mistaken that it has expired in the first place?
I’m curious so I read the passwd man page for the -S option:
-S, --status
This will output a short information about the status of the password
for a given account. The status information consists of 7 fields. The
first field is the user's login name. The second field indicates if
the user account has a locked password (LK), has no password (NP), or
has a usable password (PS). The third field gives the date of the last
password change. The next four fields are the minimum age, maximum
age, warning period, and inactivity period for the password. These
ages are expressed in days.
Notes: The date of the last password change is stored as a number of
days since epoch. Depending on the current time zone, the passwd -S
username may show the date of the last password change that is differ‐
ent from the real date of the last password change by ±1 day.
This option is available to root only.
So the date is the last password change, not the expiration date.
All the details:
PS for usable password (not locked)
1969-12-31 for the last password change
0 for the minimum age
99999 for the maximum age in days (before expiration)
But has your password actually expired, or does it still work? If it still works, then clearly it hasn’t expired (or else “expiration” doesn’t mean what we expected).
I managed to changed it since then. It worked only one time after multiple attempts and reboots. I even typed my password in the user name field to check if it’s correct and then copied it to password field.
There was like 2h break after my attempts and when it finally worked - is it possible that I got locked out for that period due to too many tries?
faillock --user user
Nope, this returns nothing, is there something else I can check?