topic Re: Password in Operating System - HP-UX

Password

Peter Young_4 — Thu, 12 Aug 2004 09:24:45 GMT

We are running HP-UX11i on an rp8420. I need to find out who changed a password for a particular user and at what time. Are there any logs which may provide me with this information?

Re: Password

Pete Randall — Thu, 12 Aug 2004 09:26:53 GMT

Peter,

The only people that can change the password would be the user themselves or root. To the best of my knowledge this information is not logged anywhere and, even if it was, you would not necessarily know who was logged in as root.

I would suggest that you query anyone who has access to the root password.

Pete

Re: Password

RAC_1 — Thu, 12 Aug 2004 09:35:24 GMT

If system is in trusted mode the time of last successful password change can be known.

/usr/lbin/getprpw -m spwchg "user_name"

On non-trusted systems,

passwd -sa, should give you something.

It is not possible to know who changed it - root or user himself.

Anil

Re: Password

Patrick Wallek — Thu, 12 Aug 2004 09:36:50 GMT

Is this system trusted? If so, you should be able to use the getprpw command to see when the password was changed.

Try this:

# /usr/lbin/getprpw -m spwchg userid

I haven't been able to figure how to get who changed it.

Ways a passwd can be changed:
1) The user themselves
2) root
3) someone with restricted SAM access that can do user maintenance
4) someone with appropriae sudo (or some equivalent program) access

Re: Password

john kingsley — Thu, 12 Aug 2004 09:39:11 GMT

If you have password aging enabled,
passwd -s -a
Will give you the date that the password was last changed.

Re: Password

Muthukumar_5 — Thu, 12 Aug 2004 10:15:19 GMT

IF there is not default (system) way options do then, we can go for scripting as,

Make a script as,

mv /usr/bin/passwd to /usr/bin/passwdorg

And gets the passwd command arguments and call the /usr/bin/passwdorg (original command) in it.

Here include your debug statments of date,userasked informations of full command line arguments to a logfile (/var/adm/syslog/passwdlog ).

Move this script to /usr/bin/passwd location so that all passwd actions will be logged.

HTH.

Regards
Muthu

Re: Password

Peter Young_4 — Thu, 12 Aug 2004 10:20:03 GMT

Anil got there first. Thanks for all your help chaps.

Pete

Re: Password

Sundar_7 — Thu, 12 Aug 2004 10:28:46 GMT

on a 11i (atleast in my machine :-)) trusted system, if the user password is changed by root, the next time the user logs in, a message similar to the one is displayed

login: swamins1
Your password was changed by root
Password:

If the password was changed by the user itself, the user will not see any message.

u_pwchanger is the field in the TCB file that contains the username of the user that changed the password.

u_pwchanger This field records the user id of the last person to
change the account password if that user was not the
same the account's user. This is used to warn the user
at login time if the account password has been changed
possibly without the knowledge of the user.