Saturday, March 3, 2012

Password status

Today I needed to check an old web server running a few simple web sites. The owner of the server asked me to check all non-system users and their access rights. The first thing I did was to check for all available users:

# getent passwd
usera:x:1000:100:User A:/home/usera:/bin/bash
userb:x:1001:100:User B:/home/userb:/bin/bash
userc:x:1002:100:User C:/home/userc:/bin/bash
userd:x:1003:100:User D:/home/userd:/bin/bash

The getent command lists every account the system knows about, including accounts served through NSS (for example from LDAP) that are not in /etc/passwd; the output above omits root and nobody, which show up in the next listing. root and nobody are typical system accounts, whereas usera to userd are ordinary user accounts. The next step was to check whether they have a valid password, and so whether they can actually log in to the system:

# getent passwd | cut -d ":" -f 1 | while read -r u; do passwd -S "$u"; done
root P 05/29/2007 0 -1 -1 -1
nobody L 10/28/1996 0 -1 -1 -1
usera P 07/11/2007 0 99999 7 -1
userb P 11/08/2008 -1 -1 -1 -1
userc P 08/07/2008 -1 -1 -1 -1
userd P 06/02/2011 -1 -1 -1 -1

The above command runs passwd -S for every account, system and non-system alike, and prints its password status. The letter (or letters) after the username means the following:

L: account is locked
NP: password is not set
P: password is set

The date is the date of the last password change. The four numbers at the end are the minimum age, maximum age, warning period, and inactivity period of the password, all in days; -1 means the field is not set (see man passwd). The line for usera, with a maximum age of 99999 days and a warning period of 7 days, is the common login.defs default and amounts to a password that never expires.
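The manual check above, turned into a small script, as an added example that is not part of the original post. The two SAMPLE_* strings are constructed stand-ins for the live output of getent passwd and passwd -S, so it runs offline and unprivileged; UID_MIN is assumed to be 1000 (the usual login.defs default) and 65534 is taken to be nobody.

```shell
#!/bin/sh
# Added example: audit password status of non-system accounts.
# Constructed sample of `getent passwd` output (not real system data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
usera:x:1000:100:User A:/home/usera:/bin/bash
userb:x:1001:100:User B:/home/userb:/bin/bash'

# Constructed sample of `passwd -S` output, one line per account.
SAMPLE_STATUS='root P 05/29/2007 0 -1 -1 -1
nobody L 10/28/1996 0 -1 -1 -1
backup L 08/07/2008 -1 -1 -1 -1
usera P 07/11/2007 0 99999 7 -1
userb NP 11/08/2008 -1 -1 -1 -1'

# Print the login names of non-system accounts: UID from UID_MIN (assumed 1000)
# up to, but not including, 65534 (nobody).
non_system_users() {    # $1 = passwd-format text, $2 = UID_MIN (optional)
    printf '%s\n' "$1" | awk -F: -v min="${2:-1000}" '$3 >= min && $3 < 65534 { print $1 }'
}

# Reduce one `passwd -S` line (name status last-change min max warn inactive)
# to "<name> <verdict>". A usable password whose maximum age is 99999 or -1
# never expires, which is what an auditor wants flagged.
classify_status() {     # $1 = one passwd -S line
    set -- $1           # split the seven fields into $1..$7
    case "$2" in
        L)  echo "$1 locked" ;;
        NP) echo "$1 NO-PASSWORD" ;;
        P)  if [ "$5" = "-1" ] || [ "$5" -ge 99999 ]; then
                echo "$1 usable,never-expires"
            else
                echo "$1 usable,max-age=${5}d"
            fi ;;
        *)  echo "$1 unknown-status:$2" ;;
    esac
}

# Join both listings: one verdict line per non-system account. An account that
# getent knows but passwd -S has no line for (e.g. an LDAP user without a local
# shadow entry) is reported instead of silently skipped.
audit_passwords() {     # $1 = passwd-format text, $2 = passwd -S text
    non_system_users "$1" | while read -r user; do
        line=$(printf '%s\n' "$2" | awk -v u="$user" '$1 == u')
        if [ -n "$line" ]; then
            classify_status "$line"
        else
            echo "$user no-local-shadow-entry"
        fi
    done
}

# Stand-alone demo on the constructed samples.
audit_passwords "$SAMPLE_PASSWD" "$SAMPLE_STATUS"
```

On a live system, as root, the same functions run over real data with `audit_passwords "$(getent passwd)" "$(passwd -Sa)"`, where `-a` is the shadow-utils option that makes `passwd -S` report every local account in one go.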

In my example I have a web server accessible by four users with a valid password. To prevent login I have to lock their accounts:

# passwd -l userd
Password changed.
# passwd -S userd
userd L 06/02/2011 -1 -1 -1 -1

As you can see, the letter after the username has changed to L, which means the password is locked: passwd -l prepends a ! to the password hash in /etc/shadow, so no password can match it any more. Note that this locks the password, not the account. As passwd(1) itself points out, the user may still be able to log in with another authentication token, such as an SSH key in ~/.ssh/authorized_keys; to disable the account as a whole, also set its expiry date in the past with usermod --expiredate 1. The same loop as above, with passwd -l in place of passwd -S, locks all four accounts at once.
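The complete disable-and-verify procedure, as an added example that is not part of the original post. With DRY_RUN=1 the privileged commands are printed rather than executed, and the SAMPLE_* lines are constructed shadow(5) entries with fake hashes, so the script runs offline; the key-type prefixes it counts in authorized_keys (ssh-, ecdsa-, sk-) are an assumption that covers the common OpenSSH key types.

```shell
#!/bin/sh
# Added example: disable an account so that neither its password nor an SSH key
# lets it in, then verify the result from its shadow entry.

# Constructed shadow(5) lines (fake hashes). Fields: login:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_DISABLED='userd:!$6$salt$fakehash:15127:0:99999:7::1:'   # locked and expired
SAMPLE_PW_LOCKED='userc:!$6$salt$fakehash:15127:0:99999:7:::'   # passwd -l only
SAMPLE_OPEN='usera:$6$salt$fakehash:15127:0:99999:7:::'         # nothing done

# Disable an account: expire it (passwd(1) recommends `usermod --expiredate 1`,
# i.e. 1970-01-02) and lock its password as in the post.
disable_account() {     # $1 = login name; DRY_RUN=1 prints the commands instead
    for cmd in "usermod --expiredate 1 $1" "passwd -l $1"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $cmd"; else $cmd; fi
    done
}

# Return 0 only when a shadow line shows both controls: field 2 (the hash)
# starts with '!' or '*', and field 8 (expiry, days since 1970-01-01) is set
# and not in the future.
shadow_line_disabled() {    # $1 = one line of `getent shadow <user>`
    pwhash=$(printf '%s' "$1" | cut -d: -f2)
    expire=$(printf '%s' "$1" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))
    case "$pwhash" in
        '!'*|'*'*) ;;           # password locked
        *) return 1 ;;          # password still usable
    esac
    [ -n "$expire" ] && [ "$expire" -le "$today" ]
}

# Count key lines in a user's authorized_keys: these keep working after a bare
# `passwd -l`, which is why the expiry date above is needed.
count_authorized_keys() {   # $1 = home directory
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$f" || true
}

# Stand-alone demo: print the commands, then judge the three sample entries.
DRY_RUN=1
disable_account userd
for s in "$SAMPLE_DISABLED" "$SAMPLE_PW_LOCKED" "$SAMPLE_OPEN"; do
    if shadow_line_disabled "$s"; then v=disabled; else v="STILL USABLE"; fi
    echo "${s%%:*}: $v"
done
```

On a real server the verification step is `shadow_line_disabled "$(getent shadow userd)"` as root, after which `count_authorized_keys /home/userd` tells you how many keys the password lock alone would have left working.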