Login or Register to Ask a Question and Join Our Community


UNIX for Dummies Questions & Answers

Using PAM to log password changes?

 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers Using PAM to log password changes?
# 1  
Old 04-21-2010
Using PAM to log password changes?
Hi, on a lab computer another user (who is a sudoer) changed my password without my permission. I'm pretty positive it was her, though I can't conclusively prove it. I had my friend, who is another sudoer on the machine, fix it and make me a sudoer now too.

So everything is fine, but I want solid proof in case this happens again. I know I can see when people have been logged in with the command 'last', but I would need to correlate that to the actual password change time. So I'd like to have the system log whenever someone (eg, her) sudo's to change another user's (eg, mine) password.

I was told I can do this with PAM, but I looked at the documentation and it seemed to be mostly more about authentication and stuff, and I couldn't figure out how to log it. Can anyone help me?

Thanks!

PS: also, I'm aware that there's nothing I can do to prevent this happening again as long as she has root access. But I want proof in case it happens again. And I'm not trying to do anything to her, I'm just trying to protect myself and log password changes to MY account.
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Forum Support Area for Unregistered Users & Account Problems

Password sent via reset password email is 'weak' and won't allow me to change my password

I was unable to login and so used the "Forgotten Password' process. I was sent a NEWLY-PROVIDED password and a link through which my password could be changed. The NEWLY-PROVIDED password allowed me to login. Following the provided link I attempted to update my password to one of my own... (1 Reply)
Discussion started by: Rich Marton
1 Replies

2. Linux

Password hardening using pam

Hi We have a requirement to vary the minimum password criteria by the group to which a user belongs. For example a standard user should have a password with a minimum length of 12 and containing a mix of characters whereas an administrator should have a password with a minimum length of 14... (1 Reply)
Discussion started by: gregsih
1 Replies

3. Solaris

Can't Log into Solaris 10 u10 due to Pam and DH errors

Dears,, i hope everything is going fine with you,, Yesterday i was trying to log into My Solaris 10 u10 x86 Via SSH , But it showing me many error message and refusing to login even with with the root account and below you can find the error message: # ssh -v root@192.168.10.1... (6 Replies)
Discussion started by: ieee99
6 Replies

4. SuSE

PAM password change failed, pam error 20

Hi, I use a software which can create account on many system or application. One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3. This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Discussion started by: scabarrus
3 Replies

5. Solaris

Solaris and PAM Password policy

Hello All, I have Sun DSEE7 (11g) on Solaris 10. I have run idsconfig and initialized ldap client with profile created using idsconfig. My ldap authentication works. Here is my pam.conf # Authentication management # # login service (explicit because of pam_dial_auth) # login ... (3 Replies)
Discussion started by: pandu345
3 Replies

6. Solaris

Can't SSH log in without password.

I am working on Solaris 10 Sparc. While ssh trust relation building for SUN-CLUSTER on server, I am facing issue. I can log in from server2 to serer1 direactly but when i log in to server1 from server2 it prompts password. root@app1 # ssh app2 Last login: Wed Jul 27 14:08:14 2011... (0 Replies)
Discussion started by: anand87
0 Replies

7. Solaris

Is there a log for password change?

hi, i am try to find the log if some one change the password for any account. plz help me to find this log. thanks. ---------- Post updated 05-04-10 at 12:50 AM ---------- Previous update was 05-03-10 at 01:43 AM ---------- what i am looking for is the log message from the system for... (8 Replies)
Discussion started by: mahm_14
8 Replies

8. Solaris

Pam Module sending a cannot get password enry after certain period in /var/adm/messag

Pam Module sending a cannot get password enry after certain period in /var/adm/message. pam_login_limit(auth): Cannot get Password entry for user 'dbsnmp' What is dbsnmp? Also if account is locked does pam module checks for this locked account at regular interval and keeps on posting... (2 Replies)
Discussion started by: student2009
2 Replies

9. Solaris

PAM, Solaris, Openssh and Forcing a password change

Here's the issue. Currently when I run passwd -f "username" on any account, when I try to login with said account I don't get prompted to change my password I just keep getting prompted to input a password. (Of course this works just fine with telnet)Is there something i need to add to... (7 Replies)
Discussion started by: woodson2
7 Replies

10. UNIX for Dummies Questions & Answers

password not prompt when doing a remote log in

hi when i do a remote log in to server A from other servers using root account, i am able to log in to server A without keying in any password. right now i would like to find out which files am i suppose to set in order to prompt user for password everytime they do a log in from other server.... (1 Reply)
Discussion started by: legato
1 Replies
Login or Register to Ask a Question

LEARN ABOUT LINUX

pam_pwhistory

PAM_PWHISTORY(8)						 Linux-PAM Manual						  PAM_PWHISTORY(8)

NAME

       pam_pwhistory - PAM module to remember last passwords

SYNOPSIS

       pam_pwhistory.so [debug] [use_authtok] [enforce_for_root] [remember=N] [retry=N] [authtok_type=STRING]

DESCRIPTION

       This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the
       same password too frequently.

       This module does not work together with kerberos. In general, it does not make much sense to use this module in conjunction with NIS or
       LDAP, since the old passwords are stored on the local machine and are not available on another machine for password history checking.

OPTIONS

       debug
	   Turns on debugging via syslog(3).

       use_authtok
	   When password changing enforce the module to use the new password provided by a previously stacked password module (this is used in the
	   example of the stacking of the pam_cracklib module documented below).

       enforce_for_root
	   If this option is set, the check is enforced for root, too.

       remember=N
	   The last N passwords for each user are saved in /etc/security/opasswd. The default is 10.

       retry=N
	   Prompt user at most N times before returning with error. The default is 1.

       authtok_type=STRING
	   See pam_get_authtok(3) for more details.

MODULE TYPES PROVIDED

       Only the password module type is provided.

RETURN VALUES

       PAM_AUTHTOK_ERR
	   No new password was entered, the user aborted password change or new password couldn't be set.

       PAM_IGNORE
	   Password history was disabled.

       PAM_MAXTRIES
	   Password was rejected too often.

       PAM_USER_UNKNOWN
	   User is not known to system.

EXAMPLES

       An example password section would be:

	   #%PAM-1.0
	   password	required       pam_pwhistory.so
	   password	required       pam_unix.so	  use_authtok

       In combination with pam_cracklib:

	   #%PAM-1.0
	   password	required       pam_cracklib.so	  retry=3
	   password	required       pam_pwhistory.so   use_authtok
	   password	required       pam_unix.so	  use_authtok

FILES

       /etc/security/opasswd
	   File with password history

SEE ALSO

       pam.conf(5), pam.d(5), pam(8) pam_get_authtok(3)

AUTHOR

       pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de>

Linux-PAM Manual						    06/04/2011							  PAM_PWHISTORY(8)