LinuxQuestions.org


zok 04-29-2008 10:41 AM

Restoring Password Hash
 
When we delete users on our system, we run a script that archives their mail and stores a copy of their password hash (and other info) in case we need to perform a quick restore. Is there a way to set a user's password based on the password hash, rather than a plain-text password?

We can always manually replace the hash in /etc/shadow with the old one, but I'm writing a script to automate the restore, so I'm looking for an easy way to do this. I don't really want to use sed or anything that manipulates the shadow file directly; I'm hoping there's another way to do it (the passwd command doesn't seem to have this feature). Any ideas?

Thanks.

forrestt 04-29-2008 11:27 AM

Why don't you just lock their account when you delete users, and unlock them to restore their password?

passwd -l username
passwd -u username

I try not to ever actually remove a user from the system as it leaves any files owned by them with a number as an owner. Also, if another user gets added later and the first user's UID is reused, that user ends up owning all the first user's files.

HTH

Forrest

anomie 04-29-2008 12:22 PM

Quote:

Originally Posted by forrestt
I try not to ever actually remove a user from the system as it leaves any files owned by them with a number as an owner.

I agree that users should be locked/disabled (rather than removed). But I have a longer list of steps to help ensure the person is really 'gone'.

zok 04-29-2008 12:22 PM

We do sometimes lock accounts for a period of time before deleting them (though we're inconsistent), but we always eventually delete them. I have a feeling the lead sysadmin and our supervisor won't go for the idea of locking the accounts and just leaving them there, but I suppose I can give it a shot and see what they say. They may go for the idea of locking them for a month or so before deleting them, which should be enough time to alert us if we locked something we need to unlock. I'm still open to other ideas, as well, though, in the meantime.

Thanks.
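
Added example, not part of any post in this thread: one way to script the hash restore the original question asks about without editing /etc/shadow by hand, using `chpasswd -e` from the shadow suite, which reads `user:hash` pairs on stdin. The archive format (one `username:hash` per line), the function names and the validation patterns are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed archive format, one record per
# line: "username:hash". Accounts are assumed to have been re-created already.

# valid_record LINE: succeeds only for a well-formed "user:hash" pair.
valid_record() {
    user=${1%%:*}
    hash=${1#*:}
    [ "$user" != "$1" ] || return 1    # no colon: not a record
    # Conservative login-name pattern (an assumption; adjust to site policy).
    printf '%s\n' "$user" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' || return 1
    # crypt(3)-style hashes only. Rejecting ':' blocks smuggled shadow fields;
    # rejecting '!' and '*' blocks locked or disabled markers.
    printf '%s\n' "$hash" | LC_ALL=C grep -Eq '^[A-Za-z0-9./$=]{13,}$' || return 1
}

# filter_records FILE: valid records to stdout, rejected names to stderr.
filter_records() {
    while IFS= read -r line || [ -n "$line" ]; do
        if valid_record "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "${line%%:*}" >&2
        fi
    done < "$1"
}

# restore_hashes FILE: run as root. `chpasswd -e` takes pre-hashed passwords
# on stdin, so hashes never show up in the process list (as they would with
# `usermod -p HASH user`) and /etc/shadow is updated by the tool itself.
restore_hashes() {
    filter_records "$1" | chpasswd -e
}
```

Running `filter_records` on its own gives a dry run that shows which archived records would be applied and which would be rejected.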


All times are GMT -5.