How can I determine who (or what) has blocked access to a centos user account?

Question

CentOS 5.x

A user account on my CenTOS server has become inaccessible and I'm not sure why.

If I run chage -l foo I see:

Minimum:     0
Maximum:     0 
Warning:     5
Inactive     -1
Last Change:         July 17, 2012
Password Expires:     Never
Password Inactive:    Never
Account Expires:      Never

I'm not sure what the -1 means but as far as I can tell based on the other settings, the system shouldn't expired or automatically lock out.

Assuming that's the case, where else can I look to troubleshoot this?

Also, will the symptoms appear the same if the account is automatically locked vs administratively disabled vs just having a changed password?

Update: I checked /var/log/secure and I'm seeing:

Aug  9 07:11:14 foo sshd(pam_unix)[15122]: account foo has expired (failed to change password)
Aug 10 19:12:33 foo sshd(pam_unix)[900]: account foo has expired (failed to change password)

Interestingly enough, I'm also noticing entries like:

Aug 13 10:12:00 foo sshd(pam_unix)[23222]: password for user foo will expire in 0 days

Does this last entry mean that the password will never expire? Or that it will expire today?

What are the error messages you are seeing ? Does /var/log/secure have any relevant messages ? — user9517, Aug 10 '12 at 16:00

quanta · Accepted Answer · 2012-08-13T16:19:02.307

I'm not sure what the -1 means

man chage says:

   -I, --inactive INACTIVE
       Set the number of days of inactivity after a password has expired before the account is locked. The
       INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the
       system administrator before being able to use the system again.

       Passing the number -1 as the INACTIVE will remove an account's inactivity.

UPDATE Mon Aug 13 23:02:37 ICT 2012

account foo has expired (failed to change password)

It means that the foo account is expired and inactive. Reset his password.

password for user foo will expire in 0 days
Does this last entry mean that the password will never expire? Or that it will expire today?

That's why you see the Inactive -1 when running chage -l foo. The foo account will be inactive immediately after expiration.

If you set --inactive to different value than -1, the foo account has chance to do a "grace login" to change his password.

Thanks for the feedback. For this specific account, I never want it to become inactive or expire. How can I prevent this from happening again? — Mike B, Aug 13 '12 at 17:15

How can I determine who (or what) has blocked access to a centos user account?

1 Answers1

Linked