Monday, 27 June 2011

Linux: Recovering deleted /etc/shadow password file

Sometimes you may delete the /etc/shadow file by accident. If you then boot into single-user mode, the system asks for the root password for maintenance, and imagine you have no backup of /etc/shadow. How do you fix such a problem in a production environment where time is the critical factor? I will explain how to recover a deleted /etc/shadow file in five easy steps. It takes around 10 minutes to fix the problem.
It all started when one of our clients accidentally deleted the /etc/shadow file from a co-located Debian Linux server. As a result, all account logins were disabled. However, FTP kept working because proftpd had been built to use a MySQL database for authentication and quota management.

Boot server into single user mode

1) Reboot server

2) Next, you will see the GRUB boot-loader screen. Select the recovery-mode entry for the kernel version you wish to boot and type e to edit it. Then select the line that starts with kernel and type e again to edit that line.

3) Go to the end of the line and add init=/bin/bash as a separate word (press the spacebar, then type init=/bin/bash). Press Enter to leave edit mode.


4) Back at the GRUB screen, type b to boot into single-user mode. This boots the kernel and runs /bin/bash instead of the standard init, which gives us a root shell (no password is asked). The root filesystem comes up read-only, so remount it read/write:

# mount -o remount,rw /

Do not forget to (re)mount the rest of your partitions in read/write (rw) mode as well, such as /usr and /var (if they are separate).

Rebuild /etc/shadow file from /etc/passwd

1) Use the pwconv command; it creates /etc/shadow from /etc/passwd and an optionally existing shadow file.

# pwconv

2) Use the passwd command to set the root password:

# passwd

3) The root account is now ready for multi-user mode. Reboot the system into full multi-user mode:

# sync
# reboot
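Before reopening logins it is worth checking what pwconv actually produced. The following audit is an added example and not part of the original post: it compares a passwd file with the rebuilt shadow file and reports every account that has no shadow entry, an empty password field (passwordless login), a locked hash, or a field that is not a crypt(3) hash at all. The file paths are taken as arguments so it can be run against copies; the sample files it builds are constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a rebuilt shadow file
# against passwd. Output lines are "<STATE> <user>":
#   MISSING  - passwd user with no shadow entry at all
#   EMPTY    - empty hash field: the account can log in with no password
#   LOCKED   - hash starts with ! or * (password login disabled)
#   UNUSABLE - not a crypt(3) result (e.g. a literal "x"); no password
#              can ever match it, so it must be reset, not trusted
#   OK       - a hash is set ($id$... or a 13-character DES hash)
shadow_audit() {
    awk -F: '
        NR == FNR { seen[$1] = 1; hash[$1] = $2; next }  # first file: shadow
        !($1 in seen)      { print "MISSING", $1; next }
        hash[$1] == ""     { print "EMPTY", $1; next }
        hash[$1] ~ /^[!*]/ { print "LOCKED", $1; next }
        hash[$1] ~ /^\$/ || length(hash[$1]) == 13 { print "OK", $1; next }
        { print "UNUSABLE", $1 }
    ' "$2" "$1"
}

# Same report, but exit status 1 when any account is MISSING or EMPTY,
# so a script can refuse to remove /etc/nologin until the audit is clean.
shadow_audit_gate() {
    shadow_audit "$1" "$2" |
        awk '{ print } /^(MISSING|EMPTY) / { bad = 1 } END { exit bad }'
}

# Constructed sample: a small passwd file and the kind of shadow file you
# could find right after a rebuild. Prints the directory holding both.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhashvalue:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice::15000:0:99999:7:::
bob:x:15000:0:99999:7:::
EOF
    echo "$dir"
}
```

On a live system run it as `shadow_audit /etc/passwd /etc/shadow`; every EMPTY or UNUSABLE account should appear in the batch password update below.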

Block all non-root logins

Block all non-root (normal) users until all password-related problems are fixed. Since the remaining accounts do not have usable passwords, it is necessary to prevent non-root users from logging into the system. Create the file /etc/nologin; it allows access only to root. Other users are shown the contents of this file and their logins are refused.

1) Login as root user (terminal login only)

2) Create the /etc/nologin file (type the message, then press Ctrl+D on an empty line to close the file):

# cat > /etc/nologin
System is down due to temporary problem. We will restore your access
within 30 minutes time.

Update all users password in batch mode

1) Create a random password for each non-root user using the chpasswd utility. It updates passwords in batch mode: chpasswd reads a list of user name and password pairs from a file and uses this information to update a group of existing users. Each line is of the format:

user_name:password

Remember that by default the supplied password must be in clear-text format. This command is intended for large system environments where many accounts are created at a single time, or for an emergency like this one.

First, we need to find all non-root accounts using awk (uid 1000 is the first normal user on Debian; uid 65534 is "nobody" and must be left out):

awk -F: '{ if ( $3 >= 1000 && $3 != 65534 ) print $1 }' /etc/passwd > /root/tmp.pass

Make sure the /root/tmp.pass file contains non-root usernames only.

2) Create random passwords with pwgen

By default, the pwgen utility is not installed, so install it with apt-get:

# apt-get install pwgen

The pwgen program generates passwords which are designed to be easily memorized by humans while being as secure as possible. For example, the following command prints one generated password:

# pwgen -1 -n 8

Script to update user passwords in batch mode using pwgen and chpasswd

#!/bin/bash
# Script to update user password in batch mode
# You must be a root user to use this script
# -------------------------------------------------------------------------
# Copyright (c) 2005 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit for more information.
# ----------------------------------------------------------------------
# /root is a good place to store the clear-text password list
FILE="/root/batch.passwd"
# get all non-root user accounts
# By default on most Linux systems non-root uids start from 1000;
# uid 65534 is "nobody" and must not be given a password
USERS=$(awk -F: '{ if ( $3 >= 1000 && $3 != 65534 ) print $1 }' /etc/passwd)
# create file with random passwords
echo "Generating file, please wait..."
# overwrite (truncate) the file; a more portable alternative is : > "$FILE"
>"$FILE"
# the file holds clear-text passwords, so make it readable by root only
chmod 600 "$FILE"
for u in $USERS
do
    p=$(pwgen -1 -n 8)          # create random password
    echo "$u:$p" >> "$FILE"     # save USERNAME:PASSWORD pair
done
echo ""
echo "Random password and username list stored in $FILE file"
echo "Review $FILE file, once satisfied execute command: "
echo "chpasswd < $FILE"
# Uncomment the following line if you want to update all user passwords immediately;
# be careful with this option, it is recommended that you review $FILE first
# chpasswd < $FILE

Execute script

# chmod +x

# ./

Now update the user passwords with chpasswd; by default the script writes the list to /root/batch.passwd:

# chpasswd < /root/batch.passwd

3) Email the new passwords to the server admin or to all end users. You can write a script to email each password to its end user.

4) Your system is now ready to accept logins; just remove the /etc/nologin file:

# rm /etc/nologin
