user account disappeared
yuripv at yuripv.dev
Sat Feb 27 22:23:11 UTC 2021
Gareth de Vaux wrote:
> Hi all, one of my users in a jail has mysteriously half disappeared. I've renamed the user to 'lostuser', the password hash, and the process it's running to protect privacy below:
> I suddenly can't log in over ssh:
> sshd: Invalid user lostuser from XYZ
> # su - lostuser
> su: unknown login: lostuser
> # ls -ld /home/lostuser
> drwx------ 8 1012 users 18 Jan 23 11:19 /home/lostuser
> $HOME still exists but only showing the userid.
> # egrep "1012|lostuser" /etc/passwd
> lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash
> # egrep "1012|lostuser" /etc/master.passwd
> lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/bash
> Entries are still in /etc/*passwd ?
> # ls -l /etc/*passwd /etc/group
> -rw-r--r-- 1 root wheel 605 Nov 6 16:52 /etc/group
> -rw------- 1 root wheel 4092 Jan 23 12:22 /etc/master.passwd
> -rw-r--r-- 1 root wheel 2621 Jan 23 12:22 /etc/passwd
You should remember that authentication generally does NOT use textual
/etc/passwd and /etc/master.passwd directly and rather relies on
/etc/spwd.db database (see pwd_mkdb(8)) -- what is the timestamp on it?
If it's out of sync, recreate the database using:
/usr/sbin/pwd_mkdb -p /etc/master.passwd
If that helps, *why* it is out of sync is the real question.
> This process is still running, which is a network server which is still functioning:
> # ps aux | grep lostuser
> 1012 56261 0.0 0.1 44952 21288 7 S+J 3Dec20 9:52.21 /usr/local/bin/python3.6 /home/lostuser/xyz
> also obviously showing the userid and not the username.
> # grep lostuser /var/log/auth.log
> Dec 31 10:56:34 ns1 sshd: Accepted publickey for lostuser from xyz
> Dec 31 10:56:57 ns1 sshd: Disconnected from user lostuser
> Jan 10 09:37:05 ns1 sshd: Accepted publickey for lostuser from xyz
> Jan 10 09:37:09 ns1 sshd: Disconnected from user lostuser
> Jan 23 11:19:11 ns1 sshd: Accepted publickey for lostuser from xyz
> Jan 23 11:19:14 ns1 sshd: Disconnected from user lostuser
> Feb 27 18:06:49 ns1 sshd: Invalid user lostuser from xyz
> Feb 27 18:06:49 ns1 sshd: Connection closed by invalid user lostuser xyz
> 23 Jan 2021 was the last successful login, and later that day /etc/*passwd was touched due to me changing the
> password of a different user, confirmed as the only change from diff'ing against backups.
> Last buildworld upgrade on 3 Nov 2020 (host and jail):
> $ uname -a
> FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue Nov 3 12:11:29 SAST 2020 root at lordcow.org:/usr/obj/usr/src/sys/GENERIC amd64
> The last ports upgrade was 13 Feb 2021, before that I'm not sure.
> The last entry in /var/log/userlog was 23 Jul 2020, and:
> # ls -l /var/log/userlog
> -rw------- 1 root wheel 4202 Jul 23 2020 /var/log/userlog
> ie. timeline:
> 23 Jul 2020 Last userlog change
> 3 Nov 2020 buildkernel/buildworld and reboot
> 3 Dec 2020 lostuser network server process spawned and still functioning
> 23 Jan 2021 Last successful login to lostuser
> 23 Jan 2021 Unrelated user's password intentionally changed with passwd
> 13 Feb 2021 ports upgrade
> 27 Feb 2021 Discover user doesn't exist anymore but still has entries in /etc/*passwd and a process running
> Any ideas?
More information about the freebsd-questions