AIX

A vague idea - can you tcpdump the users' session and find out this way what they enter?

hmm are you sure that i can do that through

Code:

tcpdump

?
cause i tried it and i just see the packets between the computer and server. no user's input is displayed

This depends on the permissions you have on the server, on which you have to run the command. While I did this successfully several years ago, I now reckon that it might be pointless nowadays when e.g. ssh is used...

i can connect as root on the server.
the users are connected via ssh so even if i get the users session (by logging session output) i still cannot see what they enter as password

The other way to try is
cp -p /etc/security/passwd /etc/security/passwd.orig

Now change the password of the user
passwd <user>

Reset the unsuccessful login count
chuser unsuccessful_login_count=0 <user>

Now open a putty session or any other emulator you use and login using new credentials for that user.

And anytime you can replace the old passwd file.

Also, is ssh logging enabled in /etc/syslog.conf file? It can also help you sometimes.

From a software perspective, you are an "attacker". The system is designed to prevent everyone from doing what you are trying to do. Passwords are not generally stored in a reversible way, to prevent people from doing exactly what you want to do -- crack their password. They're hashed instead, which is irreversible. When they enter a password it's also hashed, and the hashes compared to see if they're identical. (More or less. There's salting done -- again, to make it harder to do exactly what you are trying to do.)

In a nutshell, you cannot decrypt a one-way hash function like SHA-1 (unless the hash function has serious security problems in the implementation).

End of story.