Password file on system not up to date

patrickkasie

Dear DirectAdmin forum,

A customer of ours says that he needs to request a different password almost every month while they aren't changing the password themselves. Initially I thought this was someone who had a rogue employee changing the user password all the time, but then I looked at the /etc/passwd file. It appears it's not up to date, and I suspect that every time it somewhat irregularly updates, the user's password changes back to whatever it was in the old file. What's a possible explanation for the following situation to occur?

Today is September 25th 2023, I've just edited the password of the customer, these are the files I see on the rogue server:

ls -al /etc/.passwd.swp /etc/passwd
-rw-r--r-- 1 root root 3230 Aug 7 11:41 /etc/passwd
-rw-r--r-- 1 root root 12288 Dec 21 2022 /etc/.passwd.swp

I expect to see:
ls -al /etc/.passwd.swp /etc/passwd
ls: cannot access /etc/.passwd.swp: No such file or directory
-rw-r--r-- 1 root root 6248 Sep 19 09:39 /etc/passwd
 
I wouldn't worry about /etc/.passwd.swp; that only exists when you are editing /etc/passwd. vi creates that copy and you are editing that copy until you save the file. The fact that /etc/passwd changes by such a large amount (6248 vs 3230 bytes) is concerning. Is that file something you copy/sync to/from another server?
 
The problem is we're looking at 2 different systems. The passwd file in the first example was edited yesterday and yet it only shows August 7th as the most recent edit, and on top of that the .swp file is older than the main file for some reason? I expect to see a file that is non-existent, like in the 2nd example, or at least more recent than the main file.
 
I'm afraid I have yet to find a solution for this. Does anyone have any clue where to look and what to look for? Edit: and whether this is a symptom or a cause of my customer not being able to log in.
 
I think you are not saving your changes. When you edit /etc/passwd with vi, it creates a file named /etc/.passwd.swp and all modifications to the file are done on this file, until you tell vi to save the file (:w or :x). Until that save command is issued, /etc/passwd will remain unchanged. I mention vi because that should be the only reason you have the file /etc/.passwd.swp
 
I was thinking exactly the same. But then I started doubting as to why somebody would ever start changing the /etc/passwd file manually with vi or vim. Not really the smartest thing. Which is why I thought maybe DA made some temp file too.
But indeed, on editing with vi and not exiting the correct way, a .filename.swp file is left behind.
 
But that could mean that the connection had been killed all the way back in 2022 and the file is still there. I do remember editing such a file to give host packets access to SSH before I realised the same could be achieved much more easily in DirectAdmin, which is the correct way. It's possible it's still a left-over from that time. What should I do? Is it safe to delete the .swp? Either way, the regular passwd isn't up to date either, so that means it saves the credentials somewhere else.
 
But that could mean that the connection had been killed all the way back in 2022 and the file is still there.
That might be possible. I don't know if there is a timeout for this or if this is removed after a reboot.

You can safely delete the .swp file, just double-check when removing it that you really don't delete the original file. :)

The passwd file should contain the login information. For SSH access that is normally mentioned in the user.conf of the specific user and maybe also in the /etc/ssh/sshd.conf file, but as for that last one, I'm not sure what exactly changed about that some versions ago.
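
The check discussed in this thread, as an added example that is not part of any poster's reply: before removing a leftover swap file, confirm that no running editor still holds it and compare its age with the file it shadows. The function names are hypothetical, and the script assumes Linux (/proc) and the default swap name .NAME.swp in the same directory, as seen in the listing above.

```shell
#!/bin/sh
# Added example: classify a vi/vim swap file before deleting it.
# Assumptions: Linux /proc, swap file named .NAME.swp next to the edited file
# (vim's 'directory' option can place it elsewhere; that case is not covered).

# swap_path FILE -> path of the swap file vi would create beside FILE
swap_path() {
    printf '%s/.%s.swp\n' "$(dirname -- "$1")" "$(basename -- "$1")"
}

# swap_holder SWP -> PID of a process that has SWP open, empty if none.
# Run as root to see file descriptors of other users' processes.
swap_holder() {
    target=$(readlink -f -- "$1") || return 0
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink -- "$fd" 2>/dev/null)" = "$target" ]; then
            pid=${fd#/proc/}
            printf '%s\n' "${pid%%/*}"
            return 0
        fi
    done
    return 0
}

# swap_status FILE -> none | in-use:<pid> | stale-older | stale-newer
swap_status() {
    swp=$(swap_path "$1")
    [ -e "$swp" ] || { echo none; return 0; }
    holder=$(swap_holder "$swp")
    if [ -n "$holder" ]; then
        echo "in-use:$holder"      # an editor session is live: do not delete
        return 0
    fi
    # Nobody holds it: a leftover from a session that was killed.
    if [ "$swp" -nt "$1" ]; then
        echo stale-newer           # may hold unsaved edits; look at `vim -r FILE` first
    else
        echo stale-older           # target was rewritten after the session died
    fi
}

# Stand-alone use: sh swapcheck.sh /etc/passwd
if [ "$#" -gt 0 ]; then swap_status "$1"; fi
```

For the first listing in the thread (swap file from Dec 21 2022, passwd from Aug 7) this reports stale-older as long as no process still has the swap file open.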
 