topic Re: Password expiry details on trusted system in Operating System - HP-UX

Password expiry details on trusted system

Daniel Neeves — Tue, 14 Sep 2004 11:32:30 GMT

Our environment is as follows; hpux 11i with F-secure ssh 3.3.0 , The issue is we do not get informed of any password expiry warnings when logging on using an ssh client be it windows or unix. As I understand it these message are not available unless we use HP's Openssh which at present is not an option. What we need is how to get details on when a users password is going to expire, then we can script it to give us a nice mail every day informing us something along the lines of "root users password expires DDMMYYYY". I've seen other thread's on here about the same subject but I couldn't find an answer that worked, Any ideas people ??

Re: Password expiry details on trusted system

Sanjay_6 — Tue, 14 Sep 2004 11:42:56 GMT

Hi,

Take a look at this thread from itrc. There is a neat script that notifies the expiration date for all the ids on the server .

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000074740865

The itrc doc id is USECKBAN00000934.

Hope this helps.

Regds

Re: Password expiry details on trusted system

Sundar_7 — Tue, 14 Sep 2004 11:44:28 GMT

I happened to work on a very similar requirement.

Find below the draft version of the script.

NOTE: The script is NOT tested at all. Might even have some blunders :-). You can just use this as a "base" and take it from there.

============================================function last_set_DAY
{
LSPWCHG=$1

THISYEAR=$(date "+%Y")

MONTH=$(echo $LSPWCHG | cut -d" " -f2 )
DAY=$(echo $LSPWCHG | cut -d" " -f3 )
YEAR=$(echo $LSPWCHG | cut -d" " -f5 )

# calculate number of days in the pw change year
#
if (( YEAR % 4 == 0 )) #IS THIS A LEAP YEAR?
then
JULIEAP=1 #SET DAY OF YR
else
JULIEAP=0
fi

case $MONTH in
Jan) MMOUNT=0;;
Feb) MMOUNT=31;;
Mar) (( MMOUNT = 59 + JULIEAP ));;
Apr) (( MMOUNT = 90 + JULIEAP ));;
May) (( MMOUNT = 120 + JULIEAP ));;
Jun) (( MMOUNT = 151 + JULIEAP ));;
Jul) (( MMOUNT = 181 + JULIEAP ));;
Aug) (( MMOUNT = 212 + JULIEAP ));;
Sep) (( MMOUNT = 243 + JULIEAP ));;
Oct) (( MMOUNT = 273 + JULIEAP ));;
Nov) (( MMOUNT = 304 + JULIEAP ));;
Dec) (( MMOUNT = 334 + JULIEAP ));;
esac

(( COUNTMONTH = MMOUNT + $DAY ))

# add number of DAY up to this YEAR
#
COUNTDAYS=0
while (( YEAR < THISYEAR ))
do
(( COUNTDAYS = COUNTDAYS + 365 ))
if (( YEAR % 4 == 0 )) #IS THIS A LEAP YEAR?
then
(( COUNTDAYS = COUNTDAYS + 1 ))
fi
(( YEAR = YEAR + 1))
done

(( COUNTDAYS = COUNTDAYS + $COUNTMONTH ))
}

#################
#
# Main
#
#################

if [ -r /usr/local/etc/system_roles ] ; then
. /usr/local/etc/system_roles
fi

#################
#
# Figure out the FQDN of the system
#
#################

SYSTEM=$(hostname | nslookup 2> /dev/null | grep Name: | cut -c10-)
SENDER=${SysMgs}

export EXPIRE=2
LOCKED=0
SENDMSG=1
DISABLED=0

awk -F":" '{print $1}' /etc/passwd | xargs -n1 | while read USER
do

echo "$USER" | egrep -q "^smbnull$|^adm$|^bin$|^sys$|^daemon$|^uucp$|^lp$|^nuucp$|^hpdb$|^www$|^soeadm$"

[[ $? -eq 0 ]] && continue

################
#
# Find out the password expiry setting for the user
#
################

EXPTM=$(/usr/lbin/getprpw -l -r -m exptm $USER)
if [ -z "$EXPTM" ] ; then EXPTM=0 ; fi

case $EXPTM in
0|-1)
if [ "$EXPIRE" -gt "0" ] ; then
echo "password for user $USER has not expired"
fi
;;
*) if [ "$EXPIRE" != "1" ] ; then
EXPWARN=$(/usr/lbin/getprpw -l -r -m expwarn $USER)
SPWCHG=$(/usr/lbin/getprpw -l -r -m spwchg $USER)
LFTM=$(/usr/lbin/getprpw -l -r -m lftm $USER)

if [ "$SPWCHG" = "Thu Jan 1 01:00:00 1970" -a "$DISABLED" = "0" ] ; then
echo "user $user never loged in!"
continue
fi
if [ "$spwchg" = "-1" -a "$disabled" = "0" ] ; then
echo "user $user never loged in - date not defined"
continue
fi

last_set_day "$SPWCHG"
days_last_set=$COUNTDAYS
(( CALC_DATE = COUNTDAYS + $EXPTM ))

TODAY=$(date "+%c")
last_set_day "$TODAY"
DAYS_TODAY=$COUNTDAYS

(( EXP_DAYS = CALC_DATE - DAYS_TODAY ))
(( EXP_MSG = EXP_DAYS - EXPWARN ))

if [ "$EXP_DAYS" -ge "$LFTM" ] ; then
EXP_MSG="0"
EXP_DAYS=-1
fi
if [ "$EXP_MSG" -le "0" ] ; then
if [ "$EXP_DAYS" -lt "0" ] ; then
echo "Warning: password for user $user has expired!"
else
if [ "$disabled" = "0" ] ; then
echo "Warning: password for user $user expire in $exp_DAYs DAYs!"
fi
fi
if [ "$SENDMSG" = "1" ] ; then
(
echo "From: $Sender"
echo "Return-Path: <$Sender>"
echo "Subject: Account ${USERNAME}@${SYSTEM} expire in $EXP_DAYS Days!\n"
echo "Dear $USER\n"
echo "your password expire in $EXP_DAYS Days!"
echo "Please login to ${SYSTEM} to change the password. We recommend to use telnet.\n"
echo "Regards Unix Team"
) | sendmail $USER
fi
else
if [ "$DISABLED" = "0" ] ; then
echo "password for user $USER expire in $EXP_DAYS Days!"
fi
fi

fi
;;
esac

done
============================================

I will also watch out to see if any of our forum folks has a better way of achieving the goal.

Re: Password expiry details on trusted system

Sridhar Bhaskarla — Tue, 14 Sep 2004 19:32:40 GMT

HI Daniel,

I was about to implement this script when ssh mania started in our company as openssh versions were not supporting password expiry. I still had to develop it further but we don't need it now anymore.

My idea was to

1. Create a file say /etc/expirytab every day night at 12:00 AM. It's a comma seperated file with user, date of the last password change, date of expiry and days left before password expiry.

2. Put a small script in /etc/profile and /etc/csh.login that does the following

a. Get the user.
b. Get "how many days before the password expires from now" from /etc/expirytab
c. Compare it against site 'notification policy' say 15. If it is less than the notification policy, then print a statement similar to standard notification message along with the other details like when the user changed the password, when the password will expire etc.,

If you want you can even add code into 'script1' to send mails to the users.

As you can see writing the script for 2 is very easy. So, I am not going to do it.

For getting the expiry information, here is the script. You may need to add some checks like if the user file is not there etc., etc. otherwise 'awk' will hang.

#!/usr/bin/ksh

EXPIRE=60
NOW=$(/usr/contrib/bin/perl -e 'printf "%d\n",time()')

if [ ! -d /tcb ]
then
echo "Only on trusted systems"
exit 1
fi

rm -f /etc/expiry.tab

for USER in $(logins|awk '{print $1}')
do
FIRST=`echo $USER|cut -c1`
USERFILE="/tcb/files/auth/${FIRST}/${USER}"
THEN=$(awk '/u_succhg/ {FS="u_succhg";print $2}' $USERFILE | awk '{FS=":";print $1}'|sed '
s/#//')
WHEN_CHANGED=$(echo 0d${THEN}=Y | adb)

(( EXPIRES_ON_DATE = $THEN + ( $EXPIRE * 86400 ) ))
(( EXPIRES_IN_DAYS = ( $EXPIRES_ON_DATE - $NOW ) / 86400 ))

EXPIRES_ON_DATE=$(echo 0d${EXPIRES_ON_DATE}=Y |adb)

echo "$USER,$WHEN_CHANGED,$EXPIRES_ON_DATE,$EXPIRES_IN_DAYS" >> /etc/expirytab
done

-Sri
PS: We compile our own openssh. The latest one 3.8.1p1 does do all kinds of password expiry stuff.

Re: Password expiry details on trusted system

Daniel Neeves — Wed, 15 Sep 2004 11:41:34 GMT

Cheers for your help guys all good suggestions, I've used the doc sanjay pointed me too and tailored it a bit.

Cheers again

Re: Password expiry details on trusted system

Daniel Neeves — Wed, 02 Nov 2005 11:01:12 GMT

Cheers