I curious how others go about getting a listing of locked user accounts on Linux?
I ask because where I work we use the getprpw command on our HP-UX machines, but the same command isn't available on our RedHat servers. I did a Google and found references to the -S of the passwd command. Since I can only enter one username at a time, I was able to loop it in a for loop to get the desired results, so I have something to work with.
Since there's a probably a million ways to skin this cat, I figured I'd try to see what others here might do as an alternative?

Chris

---
■ Synchronet ■ Diamond Mine Online - bbs.dmine.net - Fredericksburg, VA USA

Re: Listing locked user accounts on Linux
By: Chris Perrault to All on Sat Apr 21 2012 23:33:58

I curious how others go about getting a listing of locked user accounts on Linux?

Depends on the config, but most modern Linux boxes keep the passwords
stored in a text file. /etc/shadow. The password itself is encrypted,
but if the password field starts with a ! then the account is locked.

The password field in the shadow file is the 2nd field. (first being
the username).

--Chris

---------------------------------
Chris Trainor - FleetHQ BBS
telnet://bbs.fleethq.org

---
■ Synchronet ■ FleetHQ BBS - Greenville, RI

Re: Listing locked user accounts on Linux
By: Chris Trainor to Chris Perrault on Wed Apr 25 2012 06:57 pm

I curious how others go about getting a listing of locked user accounts
on Linux?

Depends on the config, but most modern Linux boxes keep the passwords stored in a text file. /etc/shadow. The password itself is encrypted,
but if the password field starts with a ! then the account is locked.
The password field in the shadow file is the 2nd field. (first being
the username).

fyi, the older less secure method was /etc/passwd, but most systems
have their passwords shadow'ed... Actually, /etc/passwd should also
get you a list of user accounts and passwords, as well as groups and
user id's, etc...

---
■ Synchronet ■ Roach Guts -- kingcoder.net

Re: Listing locked user accounts on Linux
By: John Guillory to Chris Trainor on Thu Apr 26 2012 11:38:57

fyi, the older less secure method was /etc/passwd, but most systems
have their passwords shadow'ed... Actually, /etc/passwd should also
get you a list of user accounts and passwords, as well as groups and
user id's, etc...

Yes, /etc/passwd still exists on modern systems, but you cannot tell if
the user account is locked out from that.

Anyone not using shadow passwords (or something else even more secure
like Kerberos/LDAP/etc) is generally begging to be hacked. :)



--Chris

---------------------------------
Chris Trainor - FleetHQ BBS
telnet://bbs.fleethq.org

---
■ Synchronet ■ FleetHQ BBS - Greenville, RI

Re: Listing locked user accounts on Linux
By: Chris Trainor to John Guillory on Wed May 02 2012 01:06 am

Yes, /etc/passwd still exists on modern systems, but you cannot tell if
the user account is locked out from that.

I often wondered why folks used to make it sound like 'shadowed' passwords
where secure, all it looked like they was doing was moving the file to
another location.... ;-)

Back to the distributions, the basic's of linux command line and commands are generally the same. The only benifiets of various distributions is usually ease of use to download and install apps, and a pretty looking default window manager, etc. With that being said, get familiar with apt-get (or slapt-get, which has the same syntax), yum, and rpm and you should be set for about anything. I used Centos, Ubunto, Slackware, Mandrake, redhat, Mandrivia, and recently Debian. I've also dabbled in Gentoo, but don't remember enough of it... Either way, Ubunto and Centos used Yum, Mandrake/Redhat/Mandrivia had RPM, and the rest used either apt-get or slapt-get. You could probably write a script to standardize the various distributions for folks not wanting to learn any other commands... Eg. write a script called install.sh and have it automatically call either apt-get, slapt-get, yum, or apt4rpm, whichever is appropriate, then distribute the script on all major distributions... From what I understand, folks recommend apt4rpm, yum, slapt-get, or apt-get better than the original package installation methods when those are not the normal method, because they check for dependencies and don't allow for broken dependencies...

---
■ Synchronet ■ Roach Guts -- kingcoder.net

Re: Listing locked user accounts on Linux
By: John Guillory to Chris Trainor on Wed May 02 2012 09:18 am

Back to the distributions, the basic's of linux command line and commands ar generally the same. The only benifiets of various distributions is usually ease of use to download and install apps, and a pretty looking default windo manager, etc.

Did they solve the init wars? I remember some distros and BSD used a single init script, where AT&T SYSV had the rc*.d structure that Linux uses now.

being a 'nix sysadmin in a mixed environment's always fun. I managed a Solaris mail infrastructure, Linux boxes for DNS, and BSD for the web site. Oh, and Irix on the desktop! Keeping patches straight gave me my first grey hairs!

.: poindexter fortran :: pf at realitycheckbbs dot org :.

---
■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org

Re: Listing locked user accounts on Linux
By: John Guillory to Chris Trainor on Wed May 02 2012 09:18 am

I often wondered why folks used to make it sound like 'shadowed' passwords
where secure, all it looked like they was doing was moving the file to
another location.... ;-)

/etc/passwd is readable by all users. The shadow password isn't. When the password is placed in the shadow password file, it is secure.

---
http://DuckDuckGo.com/ a better search engine that respects your privacy.
■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)

Re: Listing locked user accounts on Linux
By: Poindexter Fortran to John Guillory on Wed May 02 2012 09:39 am

Did they solve the init wars? I remember some distros and BSD used a single init script, where AT&T SYSV had the rc*.d structure that Linux uses now.

BSD has used the rc.d files forever... SYSV has the "runlevel" concept and is still used by some Linux distros.

There are new init schemes around too to allow parallel init.

---
http://DuckDuckGo.com/ a better search engine that respects your privacy.
■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)

John Guillory wrote to Chris Trainor <=-

@VIA: VERT/MAINLINE
@MSGID: <4FA14231.18.dove-nix@kingcoder.net>
@REPLY: <4FA0C0BA.175.dove-nix@fleethq.macross.com>
Re: Listing locked user accounts on Linux
By: Chris Trainor to John Guillory on Wed May 02 2012 01:06 am

Yes, /etc/passwd still exists on modern systems, but you cannot tell if
the user account is locked out from that.

I often wondered why folks used to make it sound like 'shadowed' passwords
where secure, all it looked like they was doing was moving the file
to
another location.... ;-)

The passwords will not be revealed because there is no reverse on the hash. That's the point of the shadow file. They are just a hash.



--- MultiMail/Linux v0.49
■ Synchronet ■ Dark Sanctuary darksanctuary.servebbs.com

Re: Listing locked user accou
By: Bbsing.Bbs to John Guillory on Wed May 02 2012 10:25 pm

The passwords will not be revealed because there is no reverse on the
hash. That's the point of the shadow file. They are just a hash.

So if you used a /etc/password, the passwords would be stored in clear
text? They both looked the same and all systems I used allways had
shadow password files, so I assumed they was the same except the lack
of the codes for the password...

---
■ Synchronet ■ Roach Guts -- kingcoder.net

Re: Listing locked user accounts on Linux
By: Deuce to John Guillory on Wed May 02 2012 06:56 pm

Re: Listing locked user accounts on Linux
By: John Guillory to Chris Trainor on Wed May 02 2012 09:18 am

I often wondered why folks used to make it sound like 'shadowed' passwords
where secure, all it looked like they was doing was moving the file to
another location.... ;-)

/etc/passwd is readable by all users. The shadow password isn't. When the password is placed in the shadow password file, it is secure.

We used to sanitize inputs so someone couldn't enter as a user name:

Bill The |cat /ect/passwd

Then it would execute the command after the pipe and cat the password list to their console. But yes shadowed passwords give an asteris * instead of the password in that file.

---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net

Re: Listing locked user accou
By: Bbsing.Bbs to John Guillory on Wed May 02 2012 10:25 pm

The passwords will not be revealed because there is no reverse on the hash. That's the point of the shadow file. They are just a hash.

The original /etc/passwd was a salted hash as well, but having that info publicly available (anyone can read /etc/passwd) made distributed attacks relatively simple.

The point of the shadow file is to make those hases not available for bulk cracking.

---
http://DuckDuckGo.com/ a better search engine that respects your privacy.
■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)

Re: Listing locked user accounts on Linux
By: Orion Blastar to Deuce on Thu May 03 2012 10:40 am

We used to sanitize inputs so someone couldn't enter as a user name:

Yeah, but anyone who was a user could read the hashed passwords and perform an attack against the entire file. Such utilities were common at the time (likely
still are).

---
http://DuckDuckGo.com/ a better search engine that respects your privacy.
■ Synchronet ■ My Brand-New BBS (All the cool SysOps run STOCK!)