topic Re: fields in TCB in Operating System - HP-UX

fields in TCB

Mark Harshman_1 — Thu, 20 Oct 2005 14:20:13 GMT

is there a field under a user-id, under /tcb/files/auth/letter/name that indicate that user-id is currently disabled? Trying to find a quick way to see what users on my system (HPUX 11.i) are in a disabled state. thanks

Re: fields in TCB

Denver Osborn — Thu, 20 Oct 2005 14:32:03 GMT

the man page for getprpw contains the info you'll need. I don't have a trusted system to check my syntax, but looks like '/usr/lbin/getprpw -m lockout username' is what you'd want to use in your script. Compare the output of what lockout returns to the entry you see in the /tcb/auth/letter/username file.

The values for lockout are explained in the man page... basically anything other tan all zero's means the account is disabled.

examples...
0000010 means admin lock
0001000 means too many failed attempts

hope this helps,
-denver

Re: fields in TCB

Ranjith_5 — Thu, 20 Oct 2005 14:42:27 GMT

Hi,

You may write a script to get the required info.

see the lockout=0000000 part from the /usr/lbin/getprpw output. If the lockout value is 0000000 then the account is enabled. All the other conditions shows a kind of lockouts.

here are some inputs to make the script.

get the user list in to a tmp file by

cat /etc/passwd | cut -d: -f1 > /tmp/userlist

read the users one by one form this file and check the lockout status and the ouput of the same can be stored in a file along with the username.

Now do a

grep -v 0000000 < file name >

to find out the locked users in the system.

Regards,
Syam

Re: fields in TCB

Andy Torres — Thu, 20 Oct 2005 14:46:37 GMT

getprpw on my "andyt" login:

# /usr/lbin/getprpw -m lockout andyt
lockout=0000000

From the man page of getprpw:

"lockout=#######" returns the reason for a lockout in a "bit" valued
string, where 0 = condition not present, 1 is
present. The position, left to right represents:

1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *

Throw all that into a script and you'll be able to cull all the locked out users.

Re: fields in TCB

Mark Harshman_1 — Thu, 20 Oct 2005 15:50:31 GMT

thanks to all..useful info.

Re: fields in TCB

Mel Burslan — Thu, 20 Oct 2005 15:53:33 GMT

as far as I know, there is no visual way of telling who is locked and who is not but the following code snippet can help you.

for ID in `cat /etc/passwd | cut -d: -f1`
do
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)
RC=$?
case "$RC" in
0 ) case "$STATUS" in
0000000 ) print "Account Active." ;;
1?????? ) print "LOCKED: Past password lifetime." ;;
?1????? ) print "LOCKED: Past inactive time." ;;
??1???? ) print "LOCKED: Past account lifetime." ;;
???1??? ) print "LOCKED: too many failed logins." ;;
????1?? ) print "LOCKED: passwd required." ;;
?????1? ) print "LOCKED: Locked by Admin." ;;
??????1 ) print "LOCKED: Password is a *." ;;
* ) print "Unknown status code returned.";exit 10;;
esac
done

hope this helps...

Re: fields in TCB

Mark Harshman_1 — Fri, 21 Oct 2005 09:48:09 GMT

Mel, thanks for the script. If you get this msg, its not quite workin as written. Getting a msg that the "done" statement is not expected. Any help would be appreciated. thanks

Re: fields in TCB

Hanwant Verma_1 — Fri, 21 Oct 2005 10:00:15 GMT

Use this script.. this will help you a lot

Hanwant

Re: fields in TCB

Mel Burslan — Fri, 21 Oct 2005 10:08:48 GMT

Sorry,
I was too hasty to quickly cut'N'paste the code snippet from my utility collection. This code is actually a part of a multi OS trusted system handling code, i.e., spaghetti code.

I have tested the following code on one of my systems and it is working for me right now. Hope it works for you too.

for ID in `cat /etc/passwd | cut -d: -f1`
do
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)
RC=$?

if [ $RC -eq 0 ]
then

case "$STATUS" in
0000000 ) print "Account Active." ;;
1?????? ) print "LOCKED: Past password lifetime." ;;
?1????? ) print "LOCKED: Past inactive time." ;;
??1???? ) print "LOCKED: Past account lifetime." ;;
???1??? ) print "LOCKED: too many failed logins." ;;
????1?? ) print "LOCKED: passwd required." ;;
?????1? ) print "LOCKED: Locked by Admin." ;;
??????1 ) print "LOCKED: Password is a *." ;;
* ) print "Unknown status code returned.";exit 10;;
esac

else

echo "There is a problem running getprpw command."; exit 11

fi
done