Password expiry details on trusted system

Daniel Neeves
Advisor

Password expiry details on trusted system

Our environment is as follows: HP-UX 11i with F-Secure SSH 3.3.0. The issue is we do not get informed of any password expiry warnings when logging on using an SSH client, be it Windows or Unix. As I understand it these messages are not available unless we use HP's OpenSSH, which at present is not an option. What we need is how to get details on when a user's password is going to expire; then we can script it to give us a nice mail every day informing us something along the lines of "root user's password expires DDMMYYYY". I've seen other threads on here about the same subject but I couldn't find an answer that worked. Any ideas, people??
Like Ya Know !!
Sanjay_6
Honored Contributor
Solution

Re: Password expiry details on trusted system

Hi,

Take a look at this thread from ITRC. There is a neat script that notifies the expiration date for all the IDs on the server.

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000074740865

The itrc doc id is USECKBAN00000934.

Hope this helps.

Regds
Sundar_7
Honored Contributor

Re: Password expiry details on trusted system

I happened to work on a very similar requirement.

Find below the draft version of the script.

NOTE: The script is NOT tested at all. Might even have some blunders :-). You can just use this as a "base" and take it from there.

============================================
function last_set_day
{
# Turn a ctime-style date ("Thu Jan 1 01:00:00 1970") into a day count
# from 1 Jan 1970; the result is left in COUNTDAYS for the caller.
LSPWCHG=$1

THISYEAR=$(date "+%Y")

# word-split the date instead of cut -d" ": date "+%c" pads a single-digit
# day with two spaces, which would shift the cut field positions
set -- $LSPWCHG
MONTH=$2
DAY=$3
YEAR=$5

# calculate number of days in the pw change year
#
if (( YEAR % 4 == 0 )) && (( YEAR % 100 != 0 )) || (( YEAR % 400 == 0 )) #IS THIS A LEAP YEAR?
then
JULIEAP=1 #SET DAY OF YR
else
JULIEAP=0
fi

case $MONTH in
Jan) MMOUNT=0;;
Feb) MMOUNT=31;;
Mar) (( MMOUNT = 59 + JULIEAP ));;
Apr) (( MMOUNT = 90 + JULIEAP ));;
May) (( MMOUNT = 120 + JULIEAP ));;
Jun) (( MMOUNT = 151 + JULIEAP ));;
Jul) (( MMOUNT = 181 + JULIEAP ));;
Aug) (( MMOUNT = 212 + JULIEAP ));;
Sep) (( MMOUNT = 243 + JULIEAP ));;
Oct) (( MMOUNT = 273 + JULIEAP ));;
Nov) (( MMOUNT = 304 + JULIEAP ));;
Dec) (( MMOUNT = 334 + JULIEAP ));;
esac

(( COUNTMONTH = MMOUNT + DAY ))

# add number of DAY up to this YEAR
#
COUNTDAYS=0
while (( YEAR < THISYEAR ))
do
(( COUNTDAYS = COUNTDAYS + 365 ))
if (( YEAR % 4 == 0 )) && (( YEAR % 100 != 0 )) || (( YEAR % 400 == 0 )) #IS THIS A LEAP YEAR?
then
(( COUNTDAYS = COUNTDAYS + 1 ))
fi
(( YEAR = YEAR + 1 ))
done

(( COUNTDAYS = COUNTDAYS + COUNTMONTH ))
}


#################
#
# Main
#
#################

# site file that defines SysMgs, the sender address used in the mails
if [ -r /usr/local/etc/system_roles ] ; then
. /usr/local/etc/system_roles
fi

#################
#
# Figure out the FQDN of the system
#
#################

SYSTEM=$(hostname | nslookup 2> /dev/null | grep Name: | cut -c10-)
SENDER=${SysMgs}

export EXPIRE=2
LOCKED=0
SENDMSG=1
DISABLED=0

awk -F":" '{print $1}' /etc/passwd | xargs -n1 | while read USER
do

# system accounts that never log in interactively are skipped
echo "$USER" | egrep -q "^smbnull$|^adm$|^bin$|^sys$|^daemon$|^uucp$|^lp$|^nuucp$|^hpdb$|^www$|^soeadm$"

[[ $? -eq 0 ]] && continue

################
#
# Find out the password expiry setting for the user
#
################

EXPTM=$(/usr/lbin/getprpw -l -r -m exptm $USER)
if [ -z "$EXPTM" ] ; then EXPTM=0 ; fi

case $EXPTM in
0|-1)
if [ "$EXPIRE" -gt "0" ] ; then
echo "password for user $USER has not expired"
fi
;;
*) if [ "$EXPIRE" != "1" ] ; then
EXPWARN=$(/usr/lbin/getprpw -l -r -m expwarn $USER)
SPWCHG=$(/usr/lbin/getprpw -l -r -m spwchg $USER)
LFTM=$(/usr/lbin/getprpw -l -r -m lftm $USER)

if [ "$SPWCHG" = "Thu Jan 1 01:00:00 1970" -a "$DISABLED" = "0" ] ; then
echo "user $USER never logged in!"
continue
fi
if [ "$SPWCHG" = "-1" -a "$DISABLED" = "0" ] ; then
echo "user $USER never logged in - date not defined"
continue
fi

# day count of the last password change, then of today, then the difference
last_set_day "$SPWCHG"
DAYS_LAST_SET=$COUNTDAYS
(( CALC_DATE = COUNTDAYS + EXPTM ))

TODAY=$(date "+%c")
last_set_day "$TODAY"
DAYS_TODAY=$COUNTDAYS

(( EXP_DAYS = CALC_DATE - DAYS_TODAY ))
(( EXP_MSG = EXP_DAYS - EXPWARN ))

if [ "$EXP_DAYS" -ge "$LFTM" ] ; then
EXP_MSG="0"
EXP_DAYS=-1
fi
if [ "$EXP_MSG" -le "0" ] ; then
if [ "$EXP_DAYS" -lt "0" ] ; then
echo "Warning: password for user $USER has expired!"
else
if [ "$DISABLED" = "0" ] ; then
echo "Warning: password for user $USER expires in $EXP_DAYS days!"
fi
fi
if [ "$SENDMSG" = "1" ] ; then
(
echo "From: $SENDER"
echo "Return-Path: <$SENDER>"
echo "Subject: Account ${USER}@${SYSTEM} expires in $EXP_DAYS days!\n"
echo "Dear $USER\n"
echo "your password expires in $EXP_DAYS days!"
echo "Please login to ${SYSTEM} to change the password. We recommend to use telnet.\n"
echo "Regards Unix Team"
) | sendmail $USER
fi
else
if [ "$DISABLED" = "0" ] ; then
echo "password for user $USER expires in $EXP_DAYS days!"
fi
fi

fi
;;
esac

done
============================================

I will also watch out to see if any of our forum folks has a better way of achieving the goal.
Learn What to do ,How to do and more importantly When to do ?
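As an added example (not Sundar's script and not from anything else in this thread), here is the same day-count arithmetic in POSIX sh so it can be checked on any box without getprpw: it word-splits the ctime-style date rather than using cut -d" " (date "+%c" pads single-digit days with two spaces, which shifts the cut fields), applies the full Gregorian leap rule, and returns the days left before expiry given the last change date, the exptm value in days, and today's date. The function names and the sample dates are my own.

```shell
#!/bin/sh
# Added example: days-since-epoch from a ctime-style date such as the
# "Thu Jan  1 01:00:00 1970" string printed by date "+%c" / getprpw.

# cumulative days before each month in a non-leap year
month_offset() {
    case "$1" in
        Jan) echo 0 ;;   Feb) echo 31 ;;  Mar) echo 59 ;;  Apr) echo 90 ;;
        May) echo 120 ;; Jun) echo 151 ;; Jul) echo 181 ;; Aug) echo 212 ;;
        Sep) echo 243 ;; Oct) echo 273 ;; Nov) echo 304 ;; Dec) echo 334 ;;
        *) return 1 ;;
    esac
}

# full Gregorian rule: every 4 years, except centuries, except every 400
is_leap() {
    if [ $(($1 % 400)) -eq 0 ]; then return 0; fi
    if [ $(($1 % 100)) -eq 0 ]; then return 1; fi
    [ $(($1 % 4)) -eq 0 ]
}

# days_since_epoch Mon DD YYYY -> days since 1970-01-01 (Jan 1 1970 is 0)
days_since_epoch() {
    mon=$1; day=$2; year=$3
    off=$(month_offset "$mon") || return 1
    if [ "$mon" != Jan ] && [ "$mon" != Feb ] && is_leap "$year"; then
        off=$((off + 1))       # Feb 29 already passed in this year
    fi
    total=0
    yy=1970
    while [ "$yy" -lt "$year" ]; do
        if is_leap "$yy"; then total=$((total + 366)); else total=$((total + 365)); fi
        yy=$((yy + 1))
    done
    echo $((total + off + day - 1))
}

# ctime_to_days "Thu Jan  1 01:00:00 1970" -> day count; the unquoted
# expansion collapses the double space before a single-digit day
ctime_to_days() {
    set -- $1
    days_since_epoch "$2" "$3" "$5"
}

# days_left "<last change ctime>" <exptm days> "<today ctime>"
# prints days until expiry, negative once the password has expired
days_left() {
    changed=$(ctime_to_days "$1") || return 1
    today=$(ctime_to_days "$3") || return 1
    echo $((changed + $2 - today))
}

# stand-alone demo with constructed dates: changed 1 Jan 2004, 90-day exptm,
# checked on 1 Mar 2004 -> 30 days left
days_left "Thu Jan  1 01:00:00 2004" 90 "Mon Mar  1 10:00:00 2004"
```

The original function counts Jan 1 1970 as day 1 rather than 0; that offset cancels when two counts are subtracted, so either convention gives the same days-left figure.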
Sridhar Bhaskarla
Honored Contributor

Re: Password expiry details on trusted system

HI Daniel,

I was about to implement this script when ssh mania started in our company as openssh versions were not supporting password expiry. I still had to develop it further but we don't need it now anymore.

My idea was to

1. Create a file, say /etc/expirytab, every day at night at 12:00 AM. It's a comma-separated file with user, date of the last password change, date of expiry and days left before password expiry.

2. Put a small script in /etc/profile and /etc/csh.login that does the following

a. Get the user.
b. Get "how many days before the password expires from now" from /etc/expirytab
c. Compare it against site 'notification policy' say 15. If it is less than the notification policy, then print a statement similar to standard notification message along with the other details like when the user changed the password, when the password will expire etc.,

If you want you can even add code into 'script1' to send mails to the users.

As you can see writing the script for 2 is very easy. So, I am not going to do it.

For getting the expiry information, here is the script. You may need to add some checks like if the user file is not there etc., etc. otherwise 'awk' will hang.

#!/usr/bin/ksh

EXPIRE=60
NOW=$(/usr/contrib/bin/perl -e 'printf "%d\n",time()')

if [ ! -d /tcb ]
then
echo "Only on trusted systems"
exit 1
fi

# start with a fresh table each run (same file name as written below)
rm -f /etc/expirytab


for USER in $(logins|awk '{print $1}')
do
FIRST=`echo $USER|cut -c1`
USERFILE="/tcb/files/auth/${FIRST}/${USER}"

# skip users without a protected password entry; with no file to read
# awk would wait on stdin
if [ ! -f "$USERFILE" ]
then
echo "no tcb entry for $USER, skipping" >&2
continue
fi

# pull the epoch seconds out of the "u_succhg#NNNN" field
THEN=$(awk -F'u_succhg#' 'NF > 1 {split($2, t, ":"); print t[1]; exit}' "$USERFILE")
if [ -z "$THEN" ]
then
echo "no u_succhg field for $USER, skipping" >&2
continue
fi
WHEN_CHANGED=$(echo 0d${THEN}=Y | adb)

(( EXPIRES_ON_DATE = THEN + ( EXPIRE * 86400 ) ))
(( EXPIRES_IN_DAYS = ( EXPIRES_ON_DATE - NOW ) / 86400 ))

EXPIRES_ON_DATE=$(echo 0d${EXPIRES_ON_DATE}=Y |adb)


echo "$USER,$WHEN_CHANGED,$EXPIRES_ON_DATE,$EXPIRES_IN_DAYS" >> /etc/expirytab
done


-Sri
PS: We compile our own openssh. The latest one 3.8.1p1 does do all kinds of password expiry stuff.
You may be disappointed if you fail, but you are doomed if you don't try
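As an added example (my own code, not Sri's script or anything else from the thread), here is both halves of the plan above in POSIX sh against a constructed tcb-style record, so it runs without a trusted system: the first function extracts a numeric field the way the corrected awk does, the second builds the comma-separated expirytab line, and the third is the login-time check from step 2 that compares days left against a site notification policy. The record, the user name and the epoch values are constructed; u_succhg is the field Sri's script reads, while using a per-user u_exp field (expiration time in seconds) instead of the hardcoded EXPIRE=60 is my assumption. Dates are kept as epoch seconds because the adb conversion in the thread is HP-UX only.

```shell
#!/bin/sh
# Added example: expirytab line and notification check from a tcb-style record.

# constructed sample record in the tcb auth file layout (not a real account)
SAMPLE_RECORD='root:u_name=root:u_id#0:\
        :u_pwd=xxxxxxxxxxxxx:\
        :u_succhg#1078099200:u_exp#5184000:u_life#7776000:\
        :u_lock@:chkent:'

# tcb_field NAME RECORD -> prints the number after "NAME#", nothing if absent
tcb_field() {
    printf '%s\n' "$2" |
        awk -v f="$1#" 'index($0, f) { split($0, p, f); split(p[2], t, ":"); print t[1]; exit }'
}

# expirytab_line USER RECORD NOW -> "user,changed,expires,days_left"
# (all epoch seconds; returns 1 when the record has no change date or expiry)
expirytab_line() {
    changed=$(tcb_field u_succhg "$2")
    exp=$(tcb_field u_exp "$2")
    if [ -z "$changed" ] || [ -z "$exp" ]; then
        return 1
    fi
    expires=$((changed + exp))
    printf '%s,%s,%s,%s\n' "$1" "$changed" "$expires" "$(( (expires - $3) / 86400 ))"
}

# notify LINE POLICY_DAYS -> the warning a /etc/profile hook would print
# when days left is below the site policy, nothing otherwise
notify() {
    user=$(printf '%s\n' "$1" | cut -d, -f1)
    left=$(printf '%s\n' "$1" | cut -d, -f4)
    if [ "$left" -lt 0 ]; then
        echo "Warning: password for $user has expired"
    elif [ "$left" -lt "$2" ]; then
        echo "Warning: password for $user expires in $left days"
    fi
}

# stand-alone run: "now" fixed at 30 days after the sample change date
main() {
    now=1080691200
    line=$(expirytab_line root "$SAMPLE_RECORD" "$now") || exit 1
    echo "$line"
    notify "$line" 15    # silent: 30 days left, policy is 15
    notify "$line" 45    # prints the warning
}
main
```

In a real deployment the loop over `logins` would call expirytab_line once per user with the current epoch time and append the output to /etc/expirytab, and the profile hook would grep the user's line and call notify.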
Daniel Neeves
Advisor

Re: Password expiry details on trusted system

Cheers for your help guys, all good suggestions. I've used the doc Sanjay pointed me to and tailored it a bit.

Cheers again
Like Ya Know !!
Daniel Neeves
Advisor

Re: Password expiry details on trusted system

Cheers
Like Ya Know !!