Sol 8 security question

[reinstalled]

HI,

Hopefully this is an easy one for the community as I am way rust with Solaris security.

Is there an easy way to tell if and when someone changed the root passwd on a Solaris 8 box? sulog shows me nothing unexpected.

Reason I ask is because my boss, then I connected to the server in question via an ssh connection as a non priviledged user. We then issued the su - command. I would expect a password prompt at this point but did not get one. Su just dropped us into the root account with no password.

All I can think of is that someone changed something. On all the rest of my servers out there, 15+ with 5 still on 8
everyone of them prompts for password with su -

Thanks,

 

[elgrandeperro]

Is root /etc/shadow passwd null like
root::13936:0:99999:7:::
(2nd field)


Unfortunately, without things preinstalled like AIDE or accounting it would be hard to find out WHEN it happened. Without the WHEN you cannot narrow down the WHO.

 

[reinstalled]

I did look at /etc/shadow but unfortunately a co worker already went in and set the password. I was looking in there and noticed the NP string in that field.
I assume this is "No Password"?
If so how do I set it to NP? I know that when login happens it first looks up the username, then looks at password "if applicable" Does this indicate that I can set up an accound so the user is never prompted for a password?

 

[elgrandeperro]

If root had NP, then I would suspect that the actual /etc/passwd did not have an x for its password, instead a blank entry. I believe if the x is not present, it does not consult /etc/shadow.

NP is just a marker to say there isn't a password, (it won't match crypt) so can never be logged into using a password.