changing password

Hi

Someone logged on to the system as a normal user and changed the password for this user. How can I know who changed the password, and from which terminal?

regards

Georges

Hi,

I am not sure if I understood your question right ... but if you mean how you can see when a user changed his password and where, you can/should do two things.

The first thing, which is necessary anyway for a user system, is to monitor the passwd/shadow files ... Then you see when something changed.
And to see where the password was changed you could activate/configure the accounting on the machine.

But why do you want to know this?

regards
malcom

Hi

I am the system administrator on a Unix machine. There is a user called "tabs", and someone changed the password for this user. The root password is only with me.

The question is, how can I know who changed the password? I need some information about who changed the password (IP address, terminal, ...).

I found the following messages in /var/adm/messages:

Jul 2 09:21:13 Billtest last message repeated 1 time
Jul 2 09:22:06 Billtest login: [ID 376080 auth.crit] change password failure: Authentication token manipulation error

itsgeorge,

If this is just on one machine, you can look at the shadow or passwd file to see when it was last changed. This would give you the time at which it was changed. If he/she logged on as tabs and changed the password, there is no way for you to know who did it. If the user had logged on as himself and then su to tabs, then your log should show when someone changed to tabs (look at around the same time frame that the passwd file was changed). If you have a main server that handles the passwd file, then I would use the command last and look at around the same time frame that the file was changed to see who logged on. I think overall you can get the time it was changed but can only get close to the person, unless you had installed some security script or program to handle this.

Hi there

Thanks for your reply, I appreciate it.

I will see how I can install some scripts for that.

Regards
george

You can also look at /var/log/syslog - it may already show what connections were made to the server and from where. Check through the output from the last command to coordinate times of who logged in when and from where.
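
The correlation suggested in the replies above (find when the password last changed, then see who was logged in around that time according to last), as an added example that is not part of the original thread. The shadow entry, the last-style lines, the year 2025 and the 09:21 file-modification time are constructed sample values, and the function names are hypothetical.

```python
import re
from datetime import date, datetime, timedelta
# Constructed sample data, not taken from the machine in the thread.
SHADOW_LINE = "tabs:$5$constructed$hash:20271:0:90:7:::"  # field 3 = days since 1970-01-01
LAST_OUTPUT = """\
tabs      pts/3        192.0.2.15       Wed Jul  2 09:15 - 09:30  (00:15)
oper1     pts/1        192.0.2.20       Wed Jul  2 08:50 - 11:02  (02:12)
tabs      console                       Tue Jul  1 17:40 - 17:45  (00:05)
root      console                       Wed Jul  2 13:00   still logged in
wtmp begins Tue Jul  1 17:40
"""
STAMP = re.compile(r"\w{3} (\w{3}) +(\d+) (\d\d:\d\d)(?: - (\d\d:\d\d))?")

def shadow_lastchg(line):
    """Return the date of the last password change, or None if field 3 is unset or 0."""
    days = (line.strip().split(":") + ["", ""])[2]
    return date(1970, 1, 1) + timedelta(days=int(days)) if days.isdigit() and int(days) else None

def parse_last(text, year):
    """Yield (user, tty, host, login, logout) per session; `last` prints no year, so pass one."""
    for line in text.splitlines():
        m = STAMP.search(line)
        head = line[:m.start()].split() if m else []
        if len(head) < 2 or head[0] == "wtmp":
            continue  # blank or malformed line, or the "wtmp begins" trailer
        host = head[2] if len(head) > 2 else "(local)"
        mon, day, start, end = m.groups()
        login = datetime.strptime(f"{year} {mon} {day} {start}", "%Y %b %d %H:%M")
        logout = datetime.strptime(f"{year} {mon} {day} {end}", "%Y %b %d %H:%M") if end else None
        if logout and logout < login:
            logout += timedelta(days=1)  # session crossed midnight
        yield head[0], head[1], host, login, logout

def candidates(shadow_line, last_text, year, mtime=None, slack=timedelta(minutes=10)):
    """Sessions open on the change day, or around `mtime` when a precise time is known."""
    changed = shadow_lastchg(shadow_line)
    hits = []
    for user, tty, host, login, logout in parse_last(last_text, year):
        end = logout or datetime.max  # "still logged in"
        if mtime is not None:
            match = login - slack <= mtime and mtime - slack <= end
        else:
            match = changed is not None and login.date() <= changed <= end.date()
        if match:
            hits.append((user, tty, host))
    return hits

if __name__ == "__main__":
    print(candidates(SHADOW_LINE, LAST_OUTPUT, 2025, mtime=datetime(2025, 7, 2, 9, 21)))
```

The shadow field only gives the day of the change, so passing the file's modification time as mtime narrows the list; the result is still a set of sessions open at that time, not proof of who typed the command.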