
Cybersecurity Triage

Find Password-Enabled Accounts

You need to identify accounts whose shadow password field (the second colon-separated field) does not start with ! or *.

Command

awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow

What changed

Nothing changes. The command reads the fixture-local shadow stub and prints accounts whose password field is not locked.

Danger

safe

When to use it

Use during access audits when you need to distinguish locked accounts from accounts that may accept password authentication.

When not to use it

Do not infer SSH password login policy from shadow alone; also check sshd configuration and PAM policy on real systems.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Account names with non-locked password fields.

demo script

Disposable terminal steps

  1. cut -d: -f1,2 fixtures/user-access-audit/etc/shadow
  2. awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ cut -d: -f1,2 fixtures/user-access-audit/etc/shadow
root:!
daemon:*
www-data:*
alex:$y$j9T$demoHashOnlyAlex
deploy:!
reports:!
breakglass:$y$j9T$demoHashOnlyBreakglass
backup:!
::exit-code::0
$ awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
alex
breakglass
::exit-code::0
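
The filter above prints an account with an empty password field in the same list as one holding a real hash, and it hides the difference between a bare ! and a hash that was locked by prefixing it with !. The following is an added example, not part of the original lesson: it labels each entry instead of only filtering it. The function names, state labels and sample entries (including olduser and kiosk) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data; the hashes are placeholders, not real ones.
sample_shadow() {
cat <<'EOF'
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alex:$y$j9T$demoHashOnlyAlex:19700:0:99999:7:::
olduser:!$y$j9T$demoHashOnlyOld:19700:0:99999:7:::
kiosk::19700:0:99999:7:::
breakglass:$y$j9T$demoHashOnlyBreakglass:19700:0:99999:7:::
EOF
}

# classify_shadow [FILE]   (reads stdin when no file is given)
# Prints "name<TAB>state" for every entry. States (labels are this example's own):
#   empty             password field is empty: no password is required
#   locked-hash-kept  "!" placed in front of a $id$ hash, as passwd -l does;
#                     unlocking restores the old password
#   locked            field starts with ! or * and holds no usable hash
#   password          field holds a hash that can be used to authenticate
classify_shadow() {
  awk -F: '
    $0 == ""        { next }                                  # skip blank lines
    $2 == ""        { print $1 "\tempty"; next }
    $2 ~ /^!+\$/    { print $1 "\tlocked-hash-kept"; next }
    $2 ~ /^[!*]/    { print $1 "\tlocked"; next }
                    { print $1 "\tpassword" }
  ' "$@"
}

# password_enabled [FILE]
# Same account list as the lesson's one-liner: entries whose field is
# neither ! nor * prefixed, which includes empty fields.
password_enabled() {
  classify_shadow "$@" | awk -F'\t' '$2 == "empty" || $2 == "password" { print $1 }'
}

# Demo run on the constructed sample.
sample_shadow | classify_shadow
```

Against the lesson fixture, run classify_shadow fixtures/user-access-audit/etc/shadow; any entry reported as empty deserves review before the ones reported as password.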

YouTube Short

Find unlocked passwords.

In a shadow file, the password field of a locked account usually starts with an exclamation mark or star. Filter for accounts whose field does not.

LinkedIn hook

A shell account with an unlocked password hash deserves extra attention.

Question: Do you check locked versus password-enabled accounts during access reviews?

experiments

A/B tests to run

Metric: completion_rate

A: Unlocked password fields.

B: Which accounts can still use passwords?