Hi all,

I am in DEEP trouble!!! I have recently inherited a Debian box from a departed employee. In it, he installed a timesheet server and a repository that has lots of critical company data stored. The problem is none of us knows Linux! In other words I am a complete Newbie trying to “figure this out” all on my own... A few days ago, I managed to connect the box remotely via Putty. I tried login as root and a few user id’s and passwords, they all worked so I know the box was working great when I got it. I also connected a keyboard, a mouse and a monitor to the box directly and I had Debian working flawlessly – not bad for a Windows user (I thought!). The problem started with me logging in as a different user, then KDE started without asking me (but nice interface I thought!), I then changed the root passwords (just to see I could)... then BAM... I can no longer log in as root, myself or anybody!!! (Why me?!?)

Since then, I have been reading blogs, forums, tutorials and advices from anyone and anything about resetting Linux passwords... nothing seemed to work so far!

Anyway, to let you know what I did, here’s what I have tried:
Power-up Debian Linux box
Hit Ctrl-X to bring up “Debian GNU/Linux – Lilo Boot Menu”
Type “Linux init=/bin/bash”
“root@(none):/# “ prompt appears
Type “passwd root” at “root@(none):/# “
“bash: passwd: command not found” error appears
Type “mount”
“/dev/hda1 on / type ext3 (rw,error=remount-ro)
Proc on /proc type proc (rw)
Sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
tmpfs on /dev type tmpfs (ro)
root@(none):/# ”

By the way, I was not able to locate the infamous /etc/shadow file. I am, however, able to “Cat passwd”, “Cat passwd-” and “Cat passwd.bak” with no problem.

Oh, one last thing, I tried edit the passwd file by using the “vi” command, but I get the following error:
“bash: vi: command not found
root@(none):/# ”

Can you help? Thank you!

Hi, welcome to LQ,

And boy, you have my sympathy.

First of all: why did you shut the thing down? What happens when you
try to boot it normally (w/o the init=/bin/bash)?

Can you see /etc/fstab? What does it look like?

What do you get from an 'ls' where you are?


Cheers,
Tink

the only thing I can think of at this current moment is to boot to run level 1 which is a command prompt with root access without password. next try running ubuntu desktop edition iso; you get it from http://www.ubuntu.com/getubuntu/download. Then using nero or roxio. In roxio click on file(top left corner) and select burn image to disk. Basically the samething thing in nero but click on the last tab in the main work area and select the same option. Once disk is made label it with Ubunt "date made" and "version" just in case you need it for something else. Open the cd drive with a paper clip, insert it into the tiny whole in the cd drive. Put cd in and power on. Next hit enter for keyboard map then hit enter again for the first option "Try Ubuntu with out installing". Once at the desktop look at the top left corner of the screen you should see three words. Programs Places Admin, anyhow click on Places see if any devices are mounted if not then you will need to click on home then navigate to /mnt. Create a new folder just like in windows right click create new folder. give it a meaning full name. close window. next press ctrl + alt + F2 this should bring you to a command prompt, to get back to desktop press ctrl + alt + F7. you will need to use fdisk to discover you block divces and names. The hdd in question should be something like sda adb or sda1 sda2 sdb1 sdb2. You can google linux + fdisk to get the exacts on that software. Once you have that info you can type at the command prompt mount sd? /mnt/"folder name you made". If all this works you should be able to see all the info on that pc. Hopefully you have a thumb drive of some sort or external hard disk drive to save the info to.

any questions just reply to this thread someone will answer your questions.

Hi Tink!

Many thanks for your quick reply! Here are your answers:

First of all: why did you shut the thing down?
Well, I think we all know the answer to this one -- "I am a plain stupid Linux newbie"...


What happens when you try to boot it normally (w/o the init=/bin/bash)?
It would boot to the graphical logon screen with a title that says "Welcome to Linux at devsrv", it then follows with a big "K Desktop Environment" icon, then it asks for Username & Password. (All users Full names and ID's are on the left, I can select any with a click on the mouse."


Can you see /etc/fstab? What does it look like?
Yes, it says:
# /etc/fstab: static file ssytem information.
#
# <file system> <mount point> <type <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 / ext3 defaults,errors=remount-ro 0 1
/dev/hda9 /home ext3 defaults 0 2
/dev/hda8 /tmp ext3 defaults 0 2
/dev/hda5 /usr ext3 defaults 0 2
/dev/hda6 /var ext3 defaults 0 2
/dev/hda7 none swap sw 0 0
/dev/hdc /media/cdrom0 iso9960 ro,user,noauto 0 0 root@(none):/#


What do you get from an 'ls' where you are?
abc cdrom etc initrd.img media proc sbin tmp var
bin dev home lib mnt repos_dump srv tmp2 vmlinuz
boot dumpfile initrd lost+found opt root sys usr
root@(none):/#

Cheers!

OK, so things may not be quite as dire. You obviously aren't getting
a PATH set, hence the complaints that i can't find /etc/passwd.

In the current situation I wouldn't try using the passwd method
(considering there's no /etc/shadow) ... have you looked at /etc/passwd ?

Does it, by any chance, have the encrypted password(s) in the 2nd field
(2nd field being the value after the first ":", right after the username)?

Hi murankar!

Thanks for your quick reply. I actually, I tried booting the Linux box up with Knoppix 6. Unfortunately, it doesn't like boot from a CDROM - and I could not hit any F key to change the Bios to boot from the CD...

Thanks!

Francis

Hi Tinkster!

Yes, I can “Cat passwd”, “Cat passwd-” and “Cat passwd.bak” with no problem.

With "cat /etc/passwd": all the password fields have the letter "x" between the user name and the user id number.

With "cat /etc/passwd-": all the password fields have the letter "encripted letters such as $1$YuHUAWYj$..." between the user name and the user id number.

I read somewhere that I should be able to find a /etc/shadow file, but I cannot for some reason?!? In other words, when I do "cat /etc/shadow", it comes back with an error "cat: /etc/shadow: No such file or directory"

Thanks again!

That's very strange behaviour; both the fact that shadow is gone, and the fact that
passwd- contains the hashes. May I suggest that you make a backup-copy of /etc/passwd
(/bin/cp /etc/passwd /etc/passwd.ori) and copy the passwd- file over the existing passwd
(/bin/cp /etc/passwd- /etc/passwd-.ori; /bin/cp /etc/passwd- /bin/cp /etc/passwd).

Reboot, and see whether you can login.

Hi Linkster!

Many thanks for your new reply - I really apprecaite that.

I am now back home, I will do the backup first thing tomorrow morning. I am quite nervous about this, I hope the data is intact, I will be in deep do do if they are lost... Cheers. Good night!

Hi Tink, I am trying to make backup copies of the old passwd & passwd- file as suggested. Unfortunately, after doing "/bin/cp /etc/passwd /etc/pass.ogi", I got this error "/bin/cp: cannot create regular file '/etc/passwd.ori': Read-only file system".

It seems to me that the /etc directory is read-only for some reason?!?

I am still pretty confused with how Linux does things but when I type "mount", the system comes back with the following:

/dev/hda1 on / type ext3 (rw,error=remount-ro)
Proc on /proc type proc (rw)
Sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
tmpfs on /dev type tmpfs (ro)
root@(none):/#

And again, when I do "cat /etc/fstab", it comes back with:
# /etc/fstab: static file ssytem information.
#
# <file system> <mount point> <type <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 / ext3 defaults,errors=remount-ro 0 1
/dev/hda9 /home ext3 defaults 0 2
/dev/hda8 /tmp ext3 defaults 0 2
/dev/hda5 /usr ext3 defaults 0 2
/dev/hda6 /var ext3 defaults 0 2
/dev/hda7 none swap sw 0 0
/dev/hdc /media/cdrom0 iso9960 ro,user,noauto 0 0
root@(none):/#

Any idea? Tahnks Tink!

FY

Hmmm ... did you see error messages about an un-clean
root file-system? If no, it should be safe to go
mount -o remount,rw /dev/hda1


Cheers,
Tink

Hi Tink,

No, I didn't see any unclean root filing system error message when I did the "/bin/cp ..." commands...

Unfortunately, when I issued the command "mount -o remount, rw /dev/hda1", it came back with this error:

EXT3-fs warning: maximal mount count reached, running e2fsck is recommended
EXT3 FS on hda1, internal journal


Any idea? Cheers!

FY

Sorry, I wasn't clear on that; did you see errors pertaining to
file-system problems when the machine was booted?

If you have a current back-up (of course you do, it's a production
box, right?!) it should be safe to go with the suggestion and run
the e2fsck (a file-system check).


Cheers,
Tink

Hi Tink,

I have never seen any errors pertaining to file-system problems when the machine was booted since the passwords were wiped out (i.e. since mid-last week).

The "Maximal mount count reached" problem I mentioned in my last reply was the first time I ever seen it.

As to a current back-up, well, I planned to do it as soon as I get used to running a Linus machine.... and yuk, it's not done and I don't have a copy of any recent backup... having said that, I did a fsck a few days ago and it didn't report any problems... what does e2fsck actually do? Does it force any repair/fixing in case it overwrites any data?

Also, I also find it strange that the /etc/shadow file was gone. As I said in my earlier posting, I ran KDE under a different user account and all hell broke lose from then on. Could KDE delete /etc/shadow for any reason? (a bug may be?). Is it possible to undelete or recover a /etc/shadow file by any chance?

Many thnaks for your help.

FY

OK, that's a normal occurrence then, and not the consequence of
an unclean boot. When one creates an ext2/3(/4?) file-system
it sets a value as to how many reboots/days can pass w/o a
file-system check.

It may, if a block of disk is found faulty/unclean.


I find it hard to imagine that KDE would do that (I wouldn't have
thought that it's being run w/ root privilege levels unless you
log in as root, and hence shouldn't have the power necessary to
kill /etc/shadow - unless your predecessor did something really
stupid and made /etc world-writable). As for undelete - it's not
really an easy thing to do on Linux machines, as a rule of thumb.
There was a utility for ext2 to do this, but with ext3 and journaling
that tool no longer works. One option would be to scan the raw-device
of your root-partition (using grep) for likely content of shadow,
output the context (make sure there's all the accounts in there) and
re-create it that way. Something like
egrep -A 50 "^root:[^:]+:.*$" /dev/hda1
may work; it will also find your passwd and passwd-, so be sure that
the content it outputs is different from passwd, e.g. no user-names
or groups in there. Make sure the number after the -A is large enough
to match ALL your user accounts.





Cheers,
Tink