As most of you might know, LINUX stores the user password information in the shadow file which can be accesses from /etc/Shadow. For those ofyou, who are experts in LINUX, reading the shadow file and obtaining password related information might be easy. However for those new/un-aware of the LINUX system but still have to audit them often, this tool might be of great help. This is a simple script which analyzes the shadow file and provides the output in a simple text file. The output file has the following information
1. User Name
2. Password Set to Expire (YES/NEVER)
3. Account Status (Disabled/Active)
4. Password Last Changed (in Days)
This is how a etc\shadow file looks like and has the following information
/etc/shadow file fields
(Fig.01: /etc/shadow file fields)
User name : It is your login name
Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
Warn : The number of days before password is to expire that user is warned that his/her password must be changed
Inactive : The number of days after password expires that account is disabled
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
The last 6 fields provides password aging and account lockout features (you need to use chage command to setup password aging). According to man page of shadow - the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.
I hope this small tool will make the lives of the auditor a little easier. Reach me at arvind.mehta16@gmail.com and I would send you this free tool.
Arvind
Technology Risk Advisor