UNIX for Dummies Questions & Answers

Hi,
I am doing an audit and thought I knew what I was doing, but reading through the posts I came into doubt.
On Sun Solaris, I want to know when users last changed their passwords. I have the etc/shadow files and there is a nice field showing this. Except that it is disturbing me somewhat that for example the root password is indicated as having been last changed in 1987 on a computer that was installed in 2011? Some users have apparently never changed their passwords, despite that we have password rules in place, in etc/passwd.
Searching the forums here I found 2 threads dealing with password change logging, but the answer seems to be that there is no trace of last password change and that the login process does not write to the shadow file - and then I'm confused to bits! The man page says that last password change is written to shadow. It also indicates if the last login was successful. I am not talking about accounts marked with LK or NP.

Can somebody tell me the "truth" (and nothing but ...)
Thanks
Norgaard

The "logins" command may help. See "man logins".
The output from this command is suitable for processing in scripts but beware that dates are in American format.

Code:

logins -xto

Found this script online. Try running this and see what your results show and then please paste them if you can. Does it still show 1987?

Code:

#!/usr/bin/perl
  
  # Output date format is YYYY-MM-DD
  open( S, "/etc/shadow" );
  while( <S> ) 
 { 
 ($user,$lastchg) = (split /:/)[0,2];
  @t = localtime( $lastchg*86400 );
  printf "User %-8s last changed password %0.4d-%0.2d-%0.2d (%5d)\n",
  $user, $t[5]+1900, $t[4]+1, $t[3], $lastchg; 
 } 
 close( S ); 
 exit 0;

I can't run the script, because I don't have access to unix/linux at work. The first 3 columns are "root, encrypted pwd, 6445". The 6445 is to my understanding the days counting from 1/1/1970, i.e. 25 August, 1987. Is that not correct?
Update: I came to think, could it be that the machine has been installed from a backup tape or an image and hence inherits all this stuff?

Another question for me is that in the shadow file, there are the columns min and max password days to change, which generally, but not always, are from the default password policy. If these columns are empty, does it mean that these rules do not apply (that's what I think) or that the default policy applies, except for root?

You are right in that if the columns for min and max are not in the shadow file then the policy isnt yet affecting the account. Usually if you have a password policy in place then once the pw is reset those settings would come into play.

You are also right about the 6445 in the shadow file being days since Jan 1 1970.

Alot of applications that help sync passwords from machine to machine may copy the shadow entry for root from one box to another, someone or something may have copied this simply to sync the root pw using like a sed script.

OK, thx. Then I am not as mad as I feared!