Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 27 Feb 2021 22:25:28 +0200
From:      Gareth de Vaux <bsd@lordcow.org>
To:        freebsd-questions@freebsd.org
Subject:   user account disappeared
Message-ID:  <YDqquH5y8wM4F7uO@lordcow.org>

next in thread | raw e-mail | index | archive | help
Hi all, one of my users in a jail has mysteriously half disappeared. I've renamed the user to 'lostuser', the password hash, and the process it's running to protect privacy below:

I suddenly can't log in over ssh:

sshd[22485]: Invalid user lostuser from XYZ

# su - lostuser
su: unknown login: lostuser

# ls -ld /home/lostuser
drwx------  8 1012  users  18 Jan 23 11:19 /home/lostuser

$HOME still exists but only showing the userid.

# egrep "1012|lostuser" /etc/passwd
lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash

# egrep "1012|lostuser" /etc/master.passwd 
lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/bash

Entries are still in /etc/*passwd ?

# ls -l /etc/*passwd /etc/group
-rw-r--r--  1 root  wheel   605 Nov  6 16:52 /etc/group
-rw-------  1 root  wheel  4092 Jan 23 12:22 /etc/master.passwd
-rw-r--r--  1 root  wheel  2621 Jan 23 12:22 /etc/passwd

This process is still running, which is a network server which is still functioning:

# ps aux | grep lostuser
1012      56261  0.0  0.1   44952   21288  7  S+J   3Dec20    9:52.21 /usr/local/bin/python3.6 /home/lostuser/xyz

also obviously showing the userid and not the username.


# grep lostuser /var/log/auth.log
...
Dec 31 10:56:34 ns1 sshd[43798]: Accepted publickey for lostuser from xyz
Dec 31 10:56:57 ns1 sshd[44133]: Disconnected from user lostuser
Jan 10 09:37:05 ns1 sshd[9679]: Accepted publickey for lostuser from xyz
Jan 10 09:37:09 ns1 sshd[10241]: Disconnected from user lostuser
Jan 23 11:19:11 ns1 sshd[45905]: Accepted publickey for lostuser from xyz
Jan 23 11:19:14 ns1 sshd[46228]: Disconnected from user lostuser
Feb 27 18:06:49 ns1 sshd[93323]: Invalid user lostuser from xyz
Feb 27 18:06:49 ns1 sshd[93323]: Connection closed by invalid user lostuser xyz

23 Jan 2021 was the last successful login, and later that day /etc/*passwd was touched due to me changing the
password of a different user, confirmed as the only change from diff'ing against backups.

Last buildworld upgrade on 3 Nov 2020 (host and jail):

$ uname -a
FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue Nov  3 12:11:29 SAST 2020     root@lordcow.org:/usr/obj/usr/src/sys/GENERIC  amd64

The last ports upgrade was 13 Feb 2021, before that I'm not sure.

The last entry in /var/log/userlog was 23 Jul 2020, and:

# ls -l /var/log/userlog 
-rw-------  1 root  wheel  4202 Jul 23  2020 /var/log/userlog


ie. timeline:

23 Jul 2020 Last userlog change
3  Nov 2020 buildkernel/buildworld and reboot
3  Dec 2020 lostuser network server process spawned and still functioning
23 Jan 2021 Last successful login to lostuser
23 Jan 2021 Unrelated user's password intentionally changed with passwd
13 Feb 2021 ports upgrade
27 Feb 2021 Discover user doesn't exist anymore but still has entries in /etc/*passwd and a process running

Any ideas?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YDqquH5y8wM4F7uO>