the BBS Xchange

  • Listing locked user accounts on Linux

    From Chris Perrault@VERT/DMINE to All on Sat Apr 21 23:33:58 2012
    I'm curious how others go about getting a listing of locked user accounts on Linux?
    I ask because where I work we use the getprpw command on our HP-UX machines, but the same command isn't available on our RedHat servers. I did a Google search and found references to the -S option of the passwd command. Since I can only enter one username at a time, I was able to loop it in a for loop to get the desired results, so I have something to work with.
    Since there's probably a million ways to skin this cat, I figured I'd try to see what others here might do as an alternative?

    Chris

    ---
    ■ Synchronet ■ Diamond Mine Online - bbs.dmine.net - Fredericksburg, VA USA
  • From Chris Trainor@VERT/FLEETHQ to Chris Perrault on Wed Apr 25 18:57:19 2012
    Re: Listing locked user accounts on Linux
    By: Chris Perrault to All on Sat Apr 21 2012 23:33:58

    I'm curious how others go about getting a listing of locked user accounts on Linux?

    Depends on the config, but most modern Linux boxes keep the passwords
    stored in a text file. /etc/shadow. The password itself is encrypted,
    but if the password field starts with a ! then the account is locked.

    The password field in the shadow file is the 2nd field. (first being
    the username).

    --Chris

    ---------------------------------
    Chris Trainor - FleetHQ BBS
    telnet://bbs.fleethq.org

    ---
    ■ Synchronet ■ FleetHQ BBS - Greenville, RI
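
The check described in the reply above (second field of /etc/shadow starting with `!`), as an added example that is not part of the original posts. The function names `list_locked` and `sample_shadow` are hypothetical, and the shadow entries are constructed sample data with placeholder hashes.

```shell
#!/bin/sh
# Added example: list accounts whose shadow password field starts with "!".

# Constructed sample in /etc/shadow format (placeholder salts and hashes).
sample_shadow() {
    cat <<'EOF'
# constructed sample data, not a real shadow file
root:$6$EXAMPLESALT$EXAMPLEHASHroot:15450:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$EXAMPLESALT$EXAMPLEHASHalice:15451:0:99999:7:::
bob:!$6$EXAMPLESALT$EXAMPLEHASHbob:15452:0:99999:7:::
carol:!!:15453:0:99999:7:::
dave:!!$6$EXAMPLESALT$EXAMPLEHASHdave:15454:0:99999:7:::
EOF
}

# list_locked [FILE]
# Reads shadow-format lines from FILE (or stdin) and prints "user<TAB>state"
# for each entry whose 2nd field starts with "!":
#   locked          "!" followed by a hash (hash is kept, login by password blocked)
#   locked-no-hash  only "!" characters (no hash stored at all)
# Entries such as "*" (no password login, typical for system accounts)
# are not reported, because the field does not start with "!".
list_locked() {
    awk -F: '
        /^#/ || NF < 2 { next }                            # comment or malformed line
        $2 ~ /^!+$/    { print $1 "\tlocked-no-hash"; next }
        $2 ~ /^!/      { print $1 "\tlocked" }
    ' "$@"
}

# Demo on the constructed sample; prints bob, carol and dave.
sample_shadow | list_locked
```

On a real system this is run as root, for example `list_locked /etc/shadow`, since the shadow file is not readable by ordinary users.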
  • From John Guillory@VERT/MAINLINE to Chris Trainor on Thu Apr 26 11:38:57 2012
    Re: Listing locked user accounts on Linux
    By: Chris Trainor to Chris Perrault on Wed Apr 25 2012 06:57 pm

    I'm curious how others go about getting a listing of locked user accounts
    on Linux?

    Depends on the config, but most modern Linux boxes keep the passwords
    stored in a text file. /etc/shadow. The password itself is encrypted,
    but if the password field starts with a ! then the account is locked.
    The password field in the shadow file is the 2nd field. (first being
    the username).

    fyi, the older less secure method was /etc/passwd, but most systems
    have their passwords shadow'ed... Actually, /etc/passwd should also
    get you a list of user accounts and passwords, as well as groups and
    user id's, etc...

    ---
    ■ Synchronet ■ Roach Guts -- kingcoder.net
  • From Chris Trainor@VERT/FLEETHQ to John Guillory on Wed May 2 01:06:02 2012
    Re: Listing locked user accounts on Linux
    By: John Guillory to Chris Trainor on Thu Apr 26 2012 11:38:57

    fyi, the older less secure method was /etc/passwd, but most systems
    have their passwords shadow'ed... Actually, /etc/passwd should also
    get you a list of user accounts and passwords, as well as groups and
    user id's, etc...

    Yes, /etc/passwd still exists on modern systems, but you cannot tell if
    the user account is locked out from that.

    Anyone not using shadow passwords (or something else even more secure
    like Kerberos/LDAP/etc) is generally begging to be hacked. :)



    --Chris

    ---------------------------------
    Chris Trainor - FleetHQ BBS
    telnet://bbs.fleethq.org

    ---
    ■ Synchronet ■ FleetHQ BBS - Greenville, RI
  • From John Guillory@VERT/MAINLINE to Chris Trainor on Wed May 2 09:18:25 2012
    Re: Listing locked user accounts on Linux
    By: Chris Trainor to John Guillory on Wed May 02 2012 01:06 am

    Yes, /etc/passwd still exists on modern systems, but you cannot tell if
    the user account is locked out from that.

    I often wondered why folks used to make it sound like 'shadowed' passwords
    were secure, all it looked like they were doing was moving the file to
    another location.... ;-)

    Back to the distributions, the basics of Linux command line and commands are generally the same. The only benefits of various distributions are usually ease of use to download and install apps, and a pretty looking default window manager, etc. With that being said, get familiar with apt-get (or slapt-get, which has the same syntax), yum, and rpm and you should be set for about anything. I used CentOS, Ubuntu, Slackware, Mandrake, Red Hat, Mandriva, and recently Debian. I've also dabbled in Gentoo, but don't remember enough of it... Either way, Ubuntu and CentOS used Yum, Mandrake/Red Hat/Mandriva had RPM, and the rest used either apt-get or slapt-get. You could probably write a script to standardize the various distributions for folks not wanting to learn any other commands... E.g. write a script called install.sh and have it automatically call either apt-get, slapt-get, yum, or apt4rpm, whichever is appropriate, then distribute the script on all major distributions... From what I understand, folks recommend apt4rpm, yum, slapt-get, or apt-get better than the original package installation methods when those are not the normal method, because they check for dependencies and don't allow for broken dependencies...

    ---
    ■ Synchronet ■ Roach Guts -- kingcoder.net
  • From Poindexter Fortran@VERT/REALITY to John Guillory on Wed May 2 09:39:25 2012
    Re: Listing locked user accounts on Linux
    By: John Guillory to Chris Trainor on Wed May 02 2012 09:18 am

    Back to the distributions, the basics of Linux command line and commands are generally the same. The only benefits of various distributions are usually ease of use to download and install apps, and a pretty looking default window manager, etc.

    Did they solve the init wars? I remember some distros and BSD used a single init script, where AT&T SYSV had the rc*.d structure that Linux uses now.

    Being a 'nix sysadmin in a mixed environment's always fun. I managed a Solaris mail infrastructure, Linux boxes for DNS, and BSD for the web site. Oh, and Irix on the desktop! Keeping patches straight gave me my first grey hairs!

    .: poindexter fortran :: pf at realitycheckbbs dot org :.

    ---
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
  • From Deuce@VERT/SYNCNIX to John Guillory on Wed May 2 18:56:52 2012
    Re: Listing locked user accounts on Linux
    By: John Guillory to Chris Trainor on Wed May 02 2012 09:18 am

    I often wondered why folks used to make it sound like 'shadowed' passwords
    were secure, all it looked like they were doing was moving the file to
    another location.... ;-)

    /etc/passwd is readable by all users. The shadow password isn't. When the password is placed in the shadow password file, it is secure.

    ---
    http://DuckDuckGo.com/ a better search engine that respects your privacy.
    ■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)
  • From Deuce@VERT/SYNCNIX to Poindexter Fortran on Wed May 2 18:58:07 2012
    Re: Listing locked user accounts on Linux
    By: Poindexter Fortran to John Guillory on Wed May 02 2012 09:39 am

    Did they solve the init wars? I remember some distros and BSD used a single init script, where AT&T SYSV had the rc*.d structure that Linux uses now.

    BSD has used the rc.d files forever... SYSV has the "runlevel" concept and is still used by some Linux distros.

    There are new init schemes around too to allow parallel init.

    ---
    http://DuckDuckGo.com/ a better search engine that respects your privacy.
    ■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)
  • From Bbsing.Bbs@VERT/DARKSANC to John Guillory on Wed May 2 22:25:00 2012
    John Guillory wrote to Chris Trainor <=-

    Re: Listing locked user accounts on Linux
    By: Chris Trainor to John Guillory on Wed May 02 2012 01:06 am

    Yes, /etc/passwd still exists on modern systems, but you cannot tell if
    the user account is locked out from that.

    I often wondered why folks used to make it sound like 'shadowed' passwords
    were secure, all it looked like they were doing was moving the file to
    another location.... ;-)

    The passwords will not be revealed because there is no reverse on the hash. That's the point of the shadow file. They are just a hash.



    --- MultiMail/Linux v0.49
    ■ Synchronet ■ Dark Sanctuary darksanctuary.servebbs.com
  • From John Guillory@VERT/MAINLINE to Bbsing.Bbs on Thu May 3 06:08:02 2012
    Re: Listing locked user accou
    By: Bbsing.Bbs to John Guillory on Wed May 02 2012 10:25 pm

    The passwords will not be revealed because there is no reverse on the
    hash. That's the point of the shadow file. They are just a hash.

    So if you used a /etc/password, the passwords would be stored in clear
    text? They both looked the same and all systems I used always had
    shadow password files, so I assumed they were the same except the lack
    of the codes for the password...

    ---
    ■ Synchronet ■ Roach Guts -- kingcoder.net
  • From Orion Blastar@VERT to Deuce on Thu May 3 10:40:31 2012
    Re: Listing locked user accounts on Linux
    By: Deuce to John Guillory on Wed May 02 2012 06:56 pm

    Re: Listing locked user accounts on Linux
    By: John Guillory to Chris Trainor on Wed May 02 2012 09:18 am

    I often wondered why folks used to make it sound like 'shadowed' passwords
    were secure, all it looked like they were doing was moving the file to
    another location.... ;-)

    /etc/passwd is readable by all users. The shadow password isn't. When the password is placed in the shadow password file, it is secure.



    We used to sanitize inputs so someone couldn't enter as a user name:

    Bill The |cat /etc/passwd

    Then it would execute the command after the pipe and cat the password list to their console. But yes, shadowed passwords give an asterisk * instead of the password in that file.

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From Deuce@VERT/SYNCNIX to Bbsing.Bbs on Thu May 3 13:20:23 2012
    Re: Listing locked user accou
    By: Bbsing.Bbs to John Guillory on Wed May 02 2012 10:25 pm

    The passwords will not be revealed because there is no reverse on the hash. That's the point of the shadow file. They are just a hash.

    The original /etc/passwd was a salted hash as well, but having that info publicly available (anyone can read /etc/passwd) made distributed attacks relatively simple.

    The point of the shadow file is to make those hashes not available for bulk cracking.

    ---
    http://DuckDuckGo.com/ a better search engine that respects your privacy.
    ■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)
  • From Deuce@VERT/SYNCNIX to Orion Blastar on Thu May 3 13:21:30 2012
    Re: Listing locked user accounts on Linux
    By: Orion Blastar to Deuce on Thu May 03 2012 10:40 am

    We used to sanitize inputs so someone couldn't enter as a user name:

    Yeah, but anyone who was a user could read the hashed passwords and perform an attack against the entire file. Such utilities were common at the time (likely still are).

    ---
    http://DuckDuckGo.com/ a better search engine that respects your privacy.
    ■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)