For security, reason it is necessary to disable all account(s) with no password and lock them down. Solaris, Linux and FreeBSD provide account locking (unlocking) facility.
Lock Linux user account with the following command:
passwd -l {user-name}
For unlocking the account use:
passwd -u {user-name}-l : This option disables an account by changing the password to a value, which matches no possible encrypted value.
Lock FreeBSD user account with the following command:
pw lock {username}FreeBSD unlocking the account use:
pw unlock {username}Lock Solaris UNIX user account with the following command:
passwd -l {username}Lock HP-UX user account with the following command:
passwd -l {username}For unlocking the HP-UX account you need to edit /etc/passwd file using text editor (or use SAM):
vi /etc/passwd
However, how will you find out account without password? Again, with the help of 'passwd -s' (status) command you can find out all passwordless accounts.
Linux display password status
passwd -S {user-name}Where,
-S : Display account status information. The status information consists of total seven fields. The second field indicates the status of password using following format:
- L : if the user account is locked (L)
- NP : Account has no password (NP)
- P: Account has a usable password (P)
# passwd -S radmin
radmin P 10/08/2005 0 99999 7 -1
Solaris UNIX display password status
passwd -s {user-name}Where,
-s : Display account status information using following format:
- PS : Account has a usable password
- LK : User account is locked
- NP : Account has no password
FreeBSD
I have already written about small awk one line approach to find out all passwords less accounts.
Automated Scripting Solution
However, in real life you write a script and execute it from cron job. Here is small script for Linux:
#!/bin/sh USERS="$(cut -d: -f 1 /etc/passwd)" for u in $USERS do passwd -S $u | grep -Ew "NP" >/dev/null if [ $? -eq 0 ]; then passwd -l $u fi done
FreeBSD script:
#!/bin/bash
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}'
/etc/master.passwd | cut -d: -f1)"
for u in $USERS
do
pw lock $u
done
Sun Solaris script:
#!/bin/sh
USERS=`passwd -sa | grep -w NP | awk '{ print $1 }'`
for u in $USERS
do
passwd -l $u
done
You can easily add email alert support to script so that when ever scripts finds passwordless account(s) it will send an email alert. See the complete working example of script here.
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
![Sending Email With Attachments From Unix / Linux Command [ Shell Prompt ]](http://s0.cyberciti.org/images/rp/1/5.jpg)
{ 3 comments… read them below or add one }
hie,
I just wanted to find out if you could provied me with a script/command that outputs the security settings on a monitor to see if there are accounts without passwords, how many, which ones and if there can be set a minimum password length put in place. Any commands to set password age for any password in effect and similar things.
Your correspondence will be much appreciated.
first we need to give the command
#/etc/default/login . we can edit through vi editor and remove the comment of password aging and password length.
I usually just run the below script and lock the account manually. :)
passwd -Sa | grep NP