I recently performed an update to 11.1-RELEASE-p6.
While running mergemaster, both /etc/passwd and /etc/master.passwd appeared with the merge dialogue.
In both cases, it was trying to install the default file, which of course didn't have any of my users within.
As such, I simply selected 'd', to delete the temporary file.
The upgraded completed and all systems are working normally.
Since then, I performed a login locally and noticed that root required no password to login. It caught me off guard as I could have sworn I set a root password during setup of the system. I checked the /etc/master.passwd file and noticed that root has no password.
I doubt the box could have been compromised. It doesn't have any services directly exposed to the internet, only through jails. SSH access to all systems on my network are through certificate auth only and I can't find any nefarious activity or logins in any logs.
So now I am wondering, could mergemaster have removed the password by merging the files, rather than doing nothing as I instructed?
While running mergemaster, both /etc/passwd and /etc/master.passwd appeared with the merge dialogue.
In both cases, it was trying to install the default file, which of course didn't have any of my users within.
As such, I simply selected 'd', to delete the temporary file.
The upgraded completed and all systems are working normally.
Since then, I performed a login locally and noticed that root required no password to login. It caught me off guard as I could have sworn I set a root password during setup of the system. I checked the /etc/master.passwd file and noticed that root has no password.
I doubt the box could have been compromised. It doesn't have any services directly exposed to the internet, only through jails. SSH access to all systems on my network are through certificate auth only and I can't find any nefarious activity or logins in any logs.
So now I am wondering, could mergemaster have removed the password by merging the files, rather than doing nothing as I instructed?
