topic Re: passwd -a -s in Operating System - HP-UX

passwd -a -s

Tim Downs — Tue, 03 Jan 2006 16:27:53 GMT

We use the above command in a perl script to send emails to users that their password is going to expire. The problem we are having is that when the command is run some of the users information is not populated by the passwd command -(examples below -small sample user gmm1018 is how they should all look)

gmm1018 PS 12/28/05 0 90 14
txp0329 PS
pjg0917 PS
abc0128 PS
txy1213 PS

The users txpo0329 and below will never receive and email because those other fields are not populated. I have checked all the security setups for each user and they are identical. I also have PHCO_24189 installed.

We are on HP-UX lawson B.11.00 U 9000/800

Re: passwd -a -s

Victor Fridyev — Tue, 03 Jan 2006 16:42:53 GMT

Hi,

You have to create for each user in his home directory file called .forward and put into it the user's mail address, e.g for txp0329: tim_downs@downs.com
In this case mail sent to txp will be redirected to Tim.

HTH

Re: passwd -a -s

James R. Ferguson — Tue, 03 Jan 2006 16:47:03 GMT

Hi Tim:

This behavior is expected. If there is isn't any aging information, then only the name and status are returned. This is better documented in the 11i manpages:

http://docs.hp.com/en/B2355-60127/passwd.1.html

Regards!

...JRF...

Re: passwd -a -s

Tim Downs — Wed, 04 Jan 2006 10:24:20 GMT

We do have aging information on these users because their passwords are expiring every 90 days just like everyone else. It appears to happen to the newest users that have been setup on the system (within the last 2 years). We also have this setup as a trusted system.

Re: passwd -a -s

Ralph Grothe — Wed, 04 Jan 2006 12:43:55 GMT

Hi Tom,

the way HP-UX is storing password aging information is a bit brain damaged,
as compared to other Unices.
(e.g. Solaris and Linux place that in /etc/shadow)

To play with I temporarily assigned this account's passwd

$ grep saz /etc/passwd
saz:eM6Z04PZmIo6c,/.KR:102:20:SAZ login:/home/saz:/sbin/sh

As you can see, the aging info is stored within the passwd field in a string directly following a comma.
Placing it there is really bizarre.

This would translate to

$ passwd -s saz
saz PS 12/29/05 0 7

Actually, since you already are using a Perl script, why not let Perl retreive the data by its built-in mappings of the standard syscalls?

You can get displayed (via Config.pm) what your Perl built actually supports,
as far as passwords are concerned.

$ perl -V:d_pw.+
d_pwage='define'
d_pwchange='undef'
d_pwclass='undef'
d_pwcomment='define'
d_pwexpire='undef'
d_pwgecos='define'
d_pwpasswd='define'
d_pwquota='undef'

Ah, that's a shame.
On HP-UX we don't get the passwd expiration,
but pwage is defined.

You need to look at "perldoc -f getpwent"
to see what lists are returned.

$ perl -e 'print join("\n",getpwnam("saz"),"")'
saz
eM6Z04PZmIo6c
102
20
/.KR
SAZ login
SAZ login
/home/saz
/sbin/sh

That's really oblique.
My Perl build returns the aging string as 5th list element which ought to be the gecos field according to the POD.

But now you only need to map the "encoding"
(which is some sort of Base64 according to "man 4 passwd")

So you could probably do something like this
(sorry webserver flattens the indentations)

my (@agers, %map_age);

{ my $i=0;
%map_age = map { $_ => $i++ } (qw[. /], 0..9, 'A'..'Z', 'a'..'z');
}
while (my @rec = getpwent) {
push @agers, [@rec[0,4]] if $rec[4];
}

foreach my $ager (@agers) {
my ($max_weeks, $min_weeks) =
map{$map_age{$_}} split(//, substr($ager->[1], 0, 2));
if ($max_weeks <= 1) {
my $user_to_mail = $ager->[0];
#
# implement emission of mail here
}
}

Re: passwd -a -s

Tim Downs — Thu, 05 Jan 2006 13:41:49 GMT

I have this figured out. We have a trusted system and when you pick the password aging on a user and pick Default(Enabled) it fills in our default values. The problem is the information in the users password file is incomple(/tcb/files/auth/). The u_minchg, u_exp, u_pw_expire_warning, u_life are not populated. If I change the password aging to Enable and fill in the info then the information is populated. I guess I don't understand that when you take the option of Default(Enabled) and the policies work it doesn't populate the fields until you manually type the information in and pick Enable.