How many bad logins?
With additional thanks to Lambert Rots (ASP4ALL)
What's Up With the flag Field in /etc/shadow on Solaris 11.1? 03Jan13
If you're running Solaris 11.1, and you happen check your /etc/shadow file, you may notice there's been a change to the flags field (the last one)...
bob:$5$GKM8z8qP$ho7oJF3ceAoFo9sH5f.jy4UP16TvzoO7XmSYS81o6QA:15708::::::9874
Prior to Solaris 11.1, this field only contained the following a few easy to read digits which the man page explained as...
flag Failed login count in low order four bits;
remainder reserved for future use, set to zero.
... and this started at 0 and incremented by one every time there was a failed login attempt. Now I'll let you into a secret, the above excerpt was actually taken from Solaris 11.1 which means the documentation hasn't been updated to reflect what you now see in the shadow file. That's correct.
The documentation has deliberately NOT been updated at this stage (Jan 2013) as it is still currently an unstable/private interface and thus not really ready for public consumption. That said, you can easily workout what the rest of the information stored in this field is by looking at the /usr/include/shadow.h file...
/*
* The spwd structure is used in the retreval of information from
* /etc/shadow. It is used by routines in the libos library.
*/
struct spwd {
char *sp_namp; /* user name */
char *sp_pwdp; /* user password */
int sp_lstchg; /* password lastchanged date */
int sp_min; /* minimum number of days between password changes */
int sp_max; /* number of days password is valid */
int sp_warn; /* number of days to warn user to change passwd */
int sp_inact; /* number of days the login may be inactive */
int sp_expire; /* date when the login is no longer valid */
unsigned int sp_flag; /* currently low 15 bits are used */
/* low 4 bits of sp_flag for counting failed login attempts */
#define FAILCOUNT_MASK 0xF
/* next 11 bits of sp_flag for precise time of last change */
#define TIME_MASK 0x7FF0
};
And there's your answer. The last line tells us that the rest of the flag field is used to store the time of the last password change, with the date of that change being stored in the lastchg (3rd) field.
So how do you use that figure?
Well, before I tell you, I must warn...
This is an unstable interface. It can and will most likely change at any time without any notice, so do NOT come to rely on this information.
Right, with that out of the way, lets see how we can interpret this field.
From the shadow.h file we know the last 4 bits are the number of failed login attempts, which can be obtained using (all commands are run at a Bash shell prompt):
$ echo "obase=2;9874" | bc
10011010010010
convert the last 4 bits to decimal
echo $((9874 & 15))
2
$
I've emboldened the last 4 bits. It should be obvious how many failed login attempts there have been, but lets switch these back to decimal to be sure:
$ echo "ibase=2;0010" | bc
2
$
Now for the next 11 bits. To get these we shift up 4 bits:
$ a=9874;((a>>=4));echo $a
617
$
This doesn't tell us much, but I can tell you this is the number of minutes into the day that the password was changed, so lets print this number in base-60:
$ echo "obase=60;617" | bc
10 17
$
Which is correct. I change this user's password today at 10h17, aka 10:17am.
The last two steps can be put into a single command:
$ a=9874;((a>>=4));echo "obase=60;$a" | bc
10 17
$
And there you have it. That is what is going on with the flag field in the /etc/shadow file on Solaris 11.1 and let me reiterate...
This is an unstable interface. It can and will most likely change at any time without any notice, so do NOT come to rely on this information.
I am providing this information just for information's sake and to provide you with a little explanation of what you might see.