Is it possible to find out when a user changed their password?

Or to see which user caused the security notice that /etc/spwd.db was changed?

Asked By: tink


On OpenBSD, you need to start process accounting wuth the accton command:

touch /var/account/acct   # The file has to exist before accton
accton /var/account/acct

To have accton enabled at boot time, use:

rcctl enable accounting

which sets accounting=YES in /etc/rc.conf.local.

Anyway, now that you have process accounting enabled, you can use lastcomm to view the list of executed commands, and search for processes named passwd and pwd_mkdb. The output will be shown in reverse, where latest processes are displayed first (according to their termination time, not the time they started):

$ lastcomm passwd pwd_mkdb
passwd[18349]                         -       root                             ttyC1      0.28 secs Thu Mar 28 11:02 (0:00:17.39)
pwd_mkdb[27720]                       -       root                             ttyC1      0.00 secs Thu Mar 28 11:02 (0:00:00.00)
passwd[58119]                         -F      aviro                            ttyC1      0.00 secs Thu Mar 28 11:02 (0:00:00.00)
passwd[1586]                          -       root                             ttyC0      0.22 secs Thu Mar 28 10:11 (0:00:10.02)
pwd_mkdb[27986]                       -       root                             ttyC0      0.00 secs Thu Mar 28 10:11 (0:00:00.00)
passwd[64663]                         -F      aviro                            ttyC0      0.00 secs Thu Mar 28 10:11 (0:00:00.00)

Every successful password change will show in the history at least three processes (more or less at the same time, and also at the same tty:

  1. passwd process owned by root. This command has to be run with elevated privileges, so the exexutable file has the setuid bit set, thus it has root’s effective uid.
  2. pwd_mkdb command also owned by root. It’s self explanatory.
  3. And another passwd, this time under user that changed the password as the owner. This is a process that’s forked from the original passwd command to check if the password is strong enough, and drops privileges back to the real uid. This is fortunate, because if it weren’t for this low privileged child with under the original uid, you had no way to know who ran the command. This process might appear more than one time, if the user provided a password that didn’t adhere to the requirements and had to provide a different password.
Answered By: aviro

And I have discovered a more light-weight method of seeing who changed the password (even though it doesn’t tie it to a specific time-stamp, and would leave me wondering if two or more people were to change passwords on the same day), but given that password changes or addition or deletion of users on those machines happens at best once a year I can live with the risk).

Looking at the time-stamp and checking

diff /var/backups/master.passwd.*
Answered By: tink
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.