- Password expiry details on trusted system
09-14-2004 04:32 AM
09-14-2004 04:42 AM
Solution
Take a look at this thread from itrc. There is a neat script that notifies the expiration date for all the ids on the server.
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000074740865
The itrc doc id is USECKBAN00000934.
Hope this helps.
Regds
09-14-2004 04:44 AM
Re: Password expiry details on trusted system
Find below the draft version of the script.
NOTE: The script is NOT tested at all. Might even have some blunders :-). You can just use this as a "base" and take it from there.
============================================
#!/usr/bin/ksh
# last_set_day: convert a date string such as "Thu Jan 1 01:00:00 1970"
# into a day number (days since 1 Jan 1970), returned in COUNTDAYS.
function last_set_day
{
    LSPWCHG=$1
    # $LSPWCHG is left unquoted so that repeated blanks collapse to one
    MONTH=$(echo $LSPWCHG | cut -d" " -f2 )
    DAY=$(echo $LSPWCHG | cut -d" " -f3 )
    YEAR=$(echo $LSPWCHG | cut -d" " -f5 )
    # calculate number of days in the pw change year
    #
    if (( YEAR % 4 == 0 )) #IS THIS A LEAP YEAR?
    then
        JULIEAP=1 #SET DAY OF YR
    else
        JULIEAP=0
    fi
    case $MONTH in
        Jan) MMOUNT=0;;
        Feb) MMOUNT=31;;
        Mar) (( MMOUNT = 59 + JULIEAP ));;
        Apr) (( MMOUNT = 90 + JULIEAP ));;
        May) (( MMOUNT = 120 + JULIEAP ));;
        Jun) (( MMOUNT = 151 + JULIEAP ));;
        Jul) (( MMOUNT = 181 + JULIEAP ));;
        Aug) (( MMOUNT = 212 + JULIEAP ));;
        Sep) (( MMOUNT = 243 + JULIEAP ));;
        Oct) (( MMOUNT = 273 + JULIEAP ));;
        Nov) (( MMOUNT = 304 + JULIEAP ));;
        Dec) (( MMOUNT = 334 + JULIEAP ));;
    esac
    (( COUNTMONTH = MMOUNT + $DAY ))
    # add the days of every full year from 1970 up to this YEAR, so that
    # a later date always gives a larger day number
    #
    COUNTDAYS=0
    Y=1970
    while (( Y < YEAR ))
    do
        (( COUNTDAYS = COUNTDAYS + 365 ))
        if (( Y % 4 == 0 )) #IS THIS A LEAP YEAR?
        then
            (( COUNTDAYS = COUNTDAYS + 1 ))
        fi
        (( Y = Y + 1 ))
    done
    (( COUNTDAYS = COUNTDAYS + $COUNTMONTH ))
}
#################
#
# Main
#
#################
if [ -r /usr/local/etc/system_roles ] ; then
    . /usr/local/etc/system_roles
fi
#################
#
# Figure out the FQDN of the system
#
#################
SYSTEM=$(hostname | nslookup 2> /dev/null | grep Name: | cut -c10-)
SENDER=${SysMgs}
export EXPIRE=2
LOCKED=0
SENDMSG=1
DISABLED=0
awk -F":" '{print $1}' /etc/passwd | xargs -n1 | while read USER
do
    # skip system accounts
    echo "$USER" | egrep -q "^smbnull$|^adm$|^bin$|^sys$|^daemon$|^uucp$|^lp$|^nuucp$|^hpdb$|^www$|^soeadm$"
    [[ $? -eq 0 ]] && continue
    ################
    #
    # Find out the password expiry setting for the user
    #
    ################
    EXPTM=$(/usr/lbin/getprpw -l -r -m exptm $USER)
    if [ -z "$EXPTM" ] ; then EXPTM=0 ; fi
    case $EXPTM in
    0|-1)
        if [ "$EXPIRE" -gt "0" ] ; then
            echo "password for user $USER has not expired"
        fi
        ;;
    *)  if [ "$EXPIRE" != "1" ] ; then
            EXPWARN=$(/usr/lbin/getprpw -l -r -m expwarn $USER)
            SPWCHG=$(/usr/lbin/getprpw -l -r -m spwchg $USER)
            LFTM=$(/usr/lbin/getprpw -l -r -m lftm $USER)
            if [ "$SPWCHG" = "Thu Jan 1 01:00:00 1970" -a "$DISABLED" = "0" ] ; then
                echo "user $USER never logged in!"
                continue
            fi
            if [ "$SPWCHG" = "-1" -a "$DISABLED" = "0" ] ; then
                echo "user $USER never logged in - date not defined"
                continue
            fi
            # day number of the last password change
            last_set_day "$SPWCHG"
            DAYS_LAST_SET=$COUNTDAYS
            (( CALC_DATE = COUNTDAYS + $EXPTM ))
            # day number of today
            TODAY=$(date "+%c")
            last_set_day "$TODAY"
            DAYS_TODAY=$COUNTDAYS
            (( EXP_DAYS = CALC_DATE - DAYS_TODAY ))
            (( EXP_MSG = EXP_DAYS - EXPWARN ))
            if [ "$EXP_DAYS" -ge "$LFTM" ] ; then
                EXP_MSG="0"
                EXP_DAYS=-1
            fi
            if [ "$EXP_MSG" -le "0" ] ; then
                if [ "$EXP_DAYS" -lt "0" ] ; then
                    echo "Warning: password for user $USER has expired!"
                else
                    if [ "$DISABLED" = "0" ] ; then
                        echo "Warning: password for user $USER expire in $EXP_DAYS days!"
                    fi
                fi
                if [ "$SENDMSG" = "1" ] ; then
                    (
                    echo "From: $SENDER"
                    echo "Return-Path: <$SENDER>"
                    echo "Subject: Account ${USER}@${SYSTEM} expire in $EXP_DAYS Days!\n"
                    echo "Dear $USER\n"
                    echo "your password expire in $EXP_DAYS Days!"
                    echo "Please login to ${SYSTEM} to change the password. We recommend to use telnet.\n"
                    echo "Regards Unix Team"
                    ) | sendmail "$USER"
                fi
            else
                if [ "$DISABLED" = "0" ] ; then
                    echo "password for user $USER expire in $EXP_DAYS Days!"
                fi
            fi
        fi
        ;;
    esac
done
============================================
I will also watch out to see if any of our forum folks has a better way of achieving the goal.
09-14-2004 12:32 PM
Re: Password expiry details on trusted system
I was about to implement this script when ssh mania started in our company as openssh versions were not supporting password expiry. I still had to develop it further but we don't need it now anymore.
My idea was to
1. Create a file say /etc/expirytab every day night at 12:00 AM. It's a comma separated file with user, date of the last password change, date of expiry and days left before password expiry.
2. Put a small script in /etc/profile and /etc/csh.login that does the following
   a. Get the user.
   b. Get "how many days before the password expires from now" from /etc/expirytab
   c. Compare it against site 'notification policy' say 15. If it is less than the notification policy, then print a statement similar to standard notification message along with the other details like when the user changed the password, when the password will expire etc.,
If you want you can even add code into 'script1' to send mails to the users.
As you can see writing the script for 2 is very easy. So, I am not going to do it.
For getting the expiry information, here is the script. You may need to add some checks like if the user file is not there etc., etc. otherwise 'awk' will hang.
#!/usr/bin/ksh
EXPIRE=60
NOW=$(/usr/contrib/bin/perl -e 'printf "%d\n",time()')
if [ ! -d /tcb ]
then
    echo "Only on trusted systems"
    exit 1
fi
# Remove yesterday's table; it is rebuilt by the loop below
rm -f /etc/expirytab
for USER in $(logins|awk '{print $1}')
do
    FIRST=`echo $USER|cut -c1`
    USERFILE="/tcb/files/auth/${FIRST}/${USER}"
    # Skip users that have no readable entry under /tcb/files/auth
    [ -r "$USERFILE" ] || continue
    # Take the number that follows "u_succhg#", up to the next ":"
    THEN=$(awk -F'u_succhg#' '/u_succhg#/ {split($2, A, ":"); print A[1]; exit}' "$USERFILE")
    # Skip entries that carry no u_succhg value
    [ -n "$THEN" ] || continue
    # adb prints the epoch seconds as a date
    WHEN_CHANGED=$(echo 0d${THEN}=Y | adb)
    (( EXPIRES_ON_DATE = $THEN + ( $EXPIRE * 86400 ) ))
    (( EXPIRES_IN_DAYS = ( $EXPIRES_ON_DATE - $NOW ) / 86400 ))
    EXPIRES_ON_DATE=$(echo 0d${EXPIRES_ON_DATE}=Y |adb)
    echo "$USER,$WHEN_CHANGED,$EXPIRES_ON_DATE,$EXPIRES_IN_DAYS" >> /etc/expirytab
done
-Sri
PS: We compile our own openssh. The latest one 3.8.1p1 does do all kinds of password expiry stuff.
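Step 2 of the plan in the post above (the login-time check against /etc/expirytab), as an added example that is not part of the original post. The names `expiry_notice`, `EXPIRYTAB` and `NOTIFY_DAYS` are assumptions; the row layout is the one the script above writes, and the date in the sample row is constructed.

```shell
# Added example: login-time expiry notice, meant to be sourced from
# /etc/profile. expiry_notice, EXPIRYTAB and NOTIFY_DAYS are assumed names.
# Row layout (from the nightly script): user,changed,expires,days_left
# Constructed sample row: alice,2004 Jul 20 09:00:00,2004 Sep 18 09:00:00,4

EXPIRYTAB=${EXPIRYTAB:-/etc/expirytab}   # table written by the nightly job
NOTIFY_DAYS=${NOTIFY_DAYS:-15}           # site notification policy, in days

# expiry_notice USER [TABLE] [POLICY_DAYS]
# Prints a notice when USER's password has expired or is inside the policy
# window, nothing otherwise. Returns 2 when there is no usable row.
expiry_notice() {
    en_user=$1
    en_tab=${2:-$EXPIRYTAB}
    en_policy=${3:-$NOTIFY_DAYS}

    [ -r "$en_tab" ] || return 2

    # Exact match on field 1, so "bob" never picks up the row for "bobby";
    # the last row wins if the table holds duplicates.
    en_row=$(awk -F, -v u="$en_user" \
        '$1 == u { r = $0 } END { if (r != "") print r }' "$en_tab")
    [ -n "$en_row" ] || return 2

    en_changed=$(printf '%s\n' "$en_row" | cut -d, -f2)
    en_expires=$(printf '%s\n' "$en_row" | cut -d, -f3)
    en_days=$(printf '%s\n' "$en_row" | cut -d, -f4)

    # Accept only an optionally negative integer; anything else in the
    # days_left field is treated as a damaged row.
    case $en_days in
        ''|-|*[!0-9-]*|?*-*) return 2 ;;
    esac

    if [ "$en_days" -lt 0 ]; then
        echo "Your password expired on $en_expires (last changed $en_changed)."
    elif [ "$en_days" -lt "$en_policy" ]; then
        echo "Your password expires in $en_days day(s), on $en_expires (last changed $en_changed)."
    fi
    return 0
}

# In /etc/profile:  expiry_notice "$LOGNAME" || :
```

The table is read at every login, so it should be writable by root only; a row another user could edit would let them change the notice shown to someone else.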
09-15-2004 04:41 AM
Re: Password expiry details on trusted system
Cheers again
11-02-2005 03:01 AM