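#!/usr/bin/sh
# check_password_expiry.sh
#
# This script is run by root to check which users should be receiving a
# warning message about pending expiry of their password. Although the system
# does display this warning message it is easy to miss because it is displayed
# in the first few lines of information at login time along with a lot of
# other information.
#
# For every selected user the script removes any old $HOME/.motd and
# $HOME/.motd_expire and, when the password is inside its warning window,
# recreates them: .motd holds the message and .motd_expire holds the expiry
# time in seconds. /etc/profile is expected to display and clean them up.
#
# Security note: this runs as root but creates files inside directories that
# ordinary users own. Every path below a home directory must therefore be
# treated as attacker-influenced: redirections are done with noclobber so an
# existing entry (including a symbolic link) is never written through, and
# ownership is changed with "chown -h" so a link is never followed.

# Succeeds only for a non-empty string made of decimal digits.
is_number() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the u_succhg#, u_pw_expire_warning# and u_exp# fields found in the
# auth file $1, one per line. The ":\" continuations, tabs and newlines are
# stripped first so the whole entry becomes one ":"-separated record.
auth_fields() {
  sed 's/:\\//g' "$1" | tr -d '\011\012' | awk '
    {
      list = split($1, field, ":")
      for (i = 1; i <= list; ++i) {
        if (index(field[i], "u_succhg#") == 1) print field[i]
        if (index(field[i], "u_pw_expire_warning#") == 1) print field[i]
        if (index(field[i], "u_exp#") == 1) print field[i]
      }
    }'
}

# Print the value after "#" of field $1 as stored in the $PARAMS file.
field_value() {
  grep "^$1#" "$PARAMS" | cut -d'#' -f2
}

# Find out the current time (in seconds).
TIME_NOW=$(/opt/perl/bin/perl -e 'print time')
if ! is_number "$TIME_NOW"; then
  echo "check_password_expiry: cannot determine the current time" >&2
  exit 1
fi

# Scratch file for the extracted fields; removed on every exit path.
# NOTE(review): some mktemp implementations only print a name and do not
# create the file - confirm the behaviour on the target system.
PARAMS=$(mktemp)
if [ -z "$PARAMS" ]; then
  echo "check_password_expiry: mktemp failed" >&2
  exit 1
fi
trap 'rm -f "$PARAMS"' EXIT
trap 'exit 1' HUP INT TERM

# Read in the default password expiry and password warning values from the
# system defaults file.
DEFAULTS_FILE=/tcb/files/auth/system/default
auth_fields "$DEFAULTS_FILE" > "$PARAMS"
DEFAULT_EXPIRE_WARNING=$(field_value u_pw_expire_warning)
DEFAULT_EXPIRE_TIME=$(field_value u_exp)

# For each user who has a home directory under /home (and root) ...
# The command substitution is left unquoted on purpose: the login names must
# be split into separate words.
for LOGIN in $(grep :/home/ /etc/passwd | cut -d: -f1 | sort) root
do
  # Look the home directory up by exact match on the login field. A word
  # match on the whole line can return several entries. A separate variable
  # is used so that the environment's own HOME is not overwritten.
  HOME_DIR=$(awk -F: -v u="$LOGIN" '$1 == u { print $6; exit }' /etc/passwd)

  # Make sure the user has a home directory on this server. An empty or
  # relative value is rejected so the files are never placed under "/" or
  # the current directory.
  case "$HOME_DIR" in
    /*) ;;
    *) continue ;;
  esac
  if [ ! -d "$HOME_DIR" ]; then
    continue
  fi

  # Make sure we don't have any old stuff hanging around. rm removes a
  # symbolic link itself, not its target.
  USER_MOTD=$HOME_DIR/.motd
  USER_MOTD_EXPIRE=$HOME_DIR/.motd_expire
  rm -f "$USER_MOTD" "$USER_MOTD_EXPIRE"

  # Read in the password expiry, password warning and last password change
  # values for each user from their system auth file.
  LAST_PSWD_CHANGE=""
  USER_EXPIRE_WARNING=""
  USER_EXPIRE_TIME=""
  CHAR=$(printf '%s\n' "$LOGIN" | cut -c1)
  FILE=/tcb/files/auth/$CHAR/$LOGIN
  if [ -f "$FILE" ]; then
    auth_fields "$FILE" > "$PARAMS"
    LAST_PSWD_CHANGE=$(field_value u_succhg)
    USER_EXPIRE_WARNING=$(field_value u_pw_expire_warning)
    USER_EXPIRE_TIME=$(field_value u_exp)

    # If this user's password is set to never expire don't continue
    # processing this user ...
    if [ "$USER_EXPIRE_TIME" = "0" ]; then
      continue
    fi
  fi

  # Without a recorded password change there is nothing to calculate.
  if [ "$LAST_PSWD_CHANGE" = "" ]; then
    continue
  fi

  # Find out which expiry warning and time values should be used for this
  # user: the per-user value wins, otherwise the system default applies.
  if [ "$USER_EXPIRE_WARNING" = "" ]; then
    EXPIRE_WARNING=$DEFAULT_EXPIRE_WARNING
  else
    EXPIRE_WARNING=$USER_EXPIRE_WARNING
  fi
  if [ "$USER_EXPIRE_TIME" = "" ]; then
    EXPIRE_TIME=$DEFAULT_EXPIRE_TIME
  else
    EXPIRE_TIME=$USER_EXPIRE_TIME
  fi

  # Skip the user rather than fail in the arithmetic when a value is missing
  # or malformed.
  if ! is_number "$LAST_PSWD_CHANGE" || ! is_number "$EXPIRE_WARNING" ||
    ! is_number "$EXPIRE_TIME"; then
    echo "check_password_expiry: bad expiry data for $LOGIN, skipped" >&2
    continue
  fi

  # Calculate the password expiry and warning times (in seconds).
  PSWD_EXPIRE=$(($LAST_PSWD_CHANGE + $EXPIRE_TIME))
  WARN_TIME=$(($PSWD_EXPIRE - $EXPIRE_WARNING))

  # If the user should be receiving a warning about changing their password
  # create a personal MOTD file for them (this will be displayed by
  # /etc/profile when they login).
  if [ "$TIME_NOW" -ge "$WARN_TIME" ] && [ "$TIME_NOW" -lt "$PSWD_EXPIRE" ]; then
    # Calculate the number of days in which the password will expire.
    NUM=$((($PSWD_EXPIRE - $TIME_NOW) / 86400))
    if [ "$NUM" -eq 0 ]; then
      MOTD_MSG="Your password will expire TODAY!!"
    elif [ "$NUM" -eq 1 ]; then
      MOTD_MSG="Your password will expire TOMORROW!!"
    else
      MOTD_MSG="Your password will expire in $NUM day(s)."
    fi

    # Create both files with noclobber set ("set -C") inside a subshell: the
    # redirection then refuses to write to a path that already exists, so a
    # link planted after the rm above makes the write fail instead of
    # redirecting root's output elsewhere.
    # The format reproduces what echo "\n\n$MOTD_MSG\n\n" prints in a shell
    # whose echo expands "\n" (presumably the case for this /usr/bin/sh -
    # confirm), without depending on that echo behaviour.
    #
    # The expiry time is stored so that /etc/profile can delete the warning
    # once the password has already expired, so that the user doesn't
    # receive the warning message just after they have changed their
    # password.
    if (set -C; printf '\n\n%s\n\n\n' "$MOTD_MSG" > "$USER_MOTD") 2>/dev/null &&
      (set -C; printf '%s\n' "$PSWD_EXPIRE" > "$USER_MOTD_EXPIRE") 2>/dev/null
    then
      # Make the user the owner of the MOTD files so that /etc/profile can
      # read them when they logon. -h keeps chown from following a symbolic
      # link.
      # NOTE(review): the directory owner can still replace the entry with a
      # hard link between creation and chown. Keeping these files in a
      # root-owned location, or creating them with the user's own
      # privileges, would close that window - requires a matching change in
      # /etc/profile.
      chown -h "$LOGIN" "$USER_MOTD" "$USER_MOTD_EXPIRE"
    else
      echo "check_password_expiry: refused to write MOTD files for $LOGIN" >&2
      rm -f "$USER_MOTD" "$USER_MOTD_EXPIRE"
    fi
  fi
done

# The temporary file is deleted by the EXIT trap set above.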