Linux – finding exact date/time when a user changed his password last time

linux

does linux store such info about date/hour/minute/second when give user password was changed last time? If so, with which command can view it?

"chage -l user" shows only the day when the password was changed.

kind regards,

Best Answer

  • Should be an entry in a log saying when passwd was run & by whom, similar to:

    Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
    Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
    Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed
    

    The log file varies depending on the distro, should be somewhere in /var/log though, so something like this should search them all (except maybe old gz'd files, try zgrep?):

    grep -R -i passwd /var/log/*
    

    Probably in /var/log/auth.log on Debian, or /var/log/secure on Redhat

    But if this user can run any commands, they could edit logs too... so watch for unlimited sudo access.

    More info: