How to view the history of the command "passwd <username>"
You can't tell who issued a passwd
and from where.
But my Ubuntu is configured to log password changes to /var/log/auth.log
and my RHEL and CentOS log password changes to /var/log/secure
, if they are made with the passwd command. You will see pam_unix(passwd:chauthtok): password changed for
messages.
So unless somebody modified /etc/shadow directly (possible for an admin) you can see when a password was set.
When the current password was set is also stored in /etc/shadow
See https://linux.die.net/man/3/shadow and https://linux.die.net/man/5/shadow
The third field in the file containing the password hashes /etc/shadow
is sp_lstchg
- the number of days since Jan 1, 1970 when the password was last changed.
root@serverfault:~# grep root /etc/shadow
root:*:17928:0:99999:7:::
^^^^^
root@serverfault:~# date --date '1970-01-01 +17928days'
Fri Feb 1 00:00:00 CET 2019
Related videos on Youtube
Prince Tagoe
Updated on September 18, 2022Comments
-
Prince Tagoe over 1 year
I'am looking for a way to audit the history of password change for the user
root
(thepasswd
command) for a local network server.How i can view the date and/or the time of execution this command and by IP address?