topic Re: passwd question in Operating System - HP-UX

passwd question

Rasheed Tamton — Tue, 26 Oct 2004 08:25:36 GMT

I have a query from the mgmt reg. the passwd.

They need a faster answer and I do not have enough time to search the web/docs. Sorry for that.

Needs to know what are the possibilities for the below:

-One session (login) per user.
-More than 5 days & user id not used = Disable
-3 month & user id not use = Archive

The system currently is not trusted. I am more concerned with the one session per user request. Please advise.

Thanks
Rasheed.

Re: passwd question

Steven E. Protter — Tue, 26 Oct 2004 08:37:18 GMT

You can modify /etc/profile to deal with single session only.

user=$(whoami)
usersessions=$(who | grep $user)
if [ $usersessions -ge 1 ]
then
echo "Already logged in"
exit
else
echo "logging in"
fi

Note:

If you name a user the same name as a normally running process, this code will cause users to be unjustly prevented from acesssing the system.

run ps -ef and make note of any possible conflicts, adjust your code accordingly.

SEP

Re: passwd question

Geoff Wild — Tue, 26 Oct 2004 08:39:09 GMT

For one session, modify the /etc/profile:

user=`echo $LOGNAME`
user_count=`who | grep $user | wc -l`
if ( $user_count > 1 ) then
echo "You have exceeded the max number of logins allowed"
exit
fi

More then 5 days, you will have to parse with the last command - same for 3 months...

Rgd...Geoff

Re: passwd question

Steven E. Protter — Tue, 26 Oct 2004 08:43:46 GMT

Forgot to try and answer these questions.

-More than 5 days & user id not used = Disable
-3 month & user id not use = Archive

These options are very easy with trusted system. You could convert and then a few menu options in sam and you are done.

You could use the output of passwd -sa to write a custom script to do this though.

You might also need to match it against the output of the last command.

I would not delete users I would use the passwd -l command to lock the account. To actually delete the user is needless work for your operations department, or worse you, if you are stuck adding users.

SEP

Re: passwd question

Muthukumar_5 — Tue, 26 Oct 2004 08:57:04 GMT

We can control One Session (login) per user as,

/etc/profile

who | grep -q '$LOGNAME'
if [[ $? -eq 0 ]]
then

echo "$LOGNAME is already logged"
sleep 2
exit 1
fi

HTH.

Re: passwd question

Muthukumar_5 — Tue, 26 Oct 2004 09:36:27 GMT

We get use last successful login as,

last -1
It will give time and date informations there.

date +'%b %d' will give month date
last -1 | awk '{ print $4" "$5 }'
will give last successful login of a user

Using this time , make script to get day difference and lock the user as,

passwd -l

I did not get on this,
-3 month & user id not use = Archive
Archieve means? can you give details more on this.

HTH.

Re: passwd question

Rasheed Tamton — Wed, 27 Oct 2004 02:17:57 GMT

Hi Muthu,
I just inherited the exact words of the mgmt. Archiving means, user should be disabled (I guess!!!). Yep, it is just that.

Thanks.

Re: passwd question

Sridhar Bhaskarla — Wed, 27 Oct 2004 02:28:12 GMT

Hi Rasheed,

If this is a 11.0 system with latest patches or a 11i system, then you can configure /etc/default/security file with the following option

NUMBER_OF_LOGINS_ALLOWED 1

This will limit the number of login sessions to one. There are more options available also. Check 'man security' for more options.

Aging parameters are bit tricky on non-trusted systems. Look at 'man 4 passwd' command for more options on setting up the expiration. Look at the section that explains the scenario where m>M in the password encryption string after the qualifier ",".

-Sri

Re: passwd question

Sunil Sharma_1 — Wed, 27 Oct 2004 02:53:57 GMT

If you are using HPUX 11i or HP UX 11 with latest patch you can acheive it (One session per user) using /etc/default/security

These lines from man security

NUMBER_OF_LOGINS_ALLOWED
This parameter controls the number of simultaneous
logins allowed per user. This is applicable only for
non-root users.

NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are
allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N N number of logins are allowed per user.

Default value: NUMBER_OF_LOGINS_ALLOWED=0

If system is in trusted mode you can acheive More than 5 days & user id not used = Disable
use usemod command with -f option for this.

Sunil

Re: passwd question

Steve Post — Wed, 27 Oct 2004 07:48:47 GMT

If I were you, I would make a new forum thread about disabling accounts after 5 days.

I assume you would not have your system in a trusted mode. How would you do it by hand?
You can see people that logged in in the last X days by running the last command.

Then you would count the number of days between today and their last login. (look for date calc utility in the forums).

You could get the list of users in the last command for the last 5 days. And compare it to the list of actual users in the passwd file. The users that are in the passwd file, but not in the list of "lastusers" would need to be disabled. Also, you might have a set of users you never disable (system accounts). So now you have a list of users to disable.

You run vipw to edit the passwd file. To disable an account, put an asterisk in the password field of the user's account.

Now how would you do this automatically?
I would make a unix or perl script that runs at 1 am each night.
script part1: use sed,grep,last,awk, time-calc,date,sort, and uniq to get a list of users that logged in in the past 5 days. I'll call the list good_users.
script part2: make list of all users from the passwd file, remove system users from the list, remove already disabled users from the list. I'll call this list normal_users.
script part3: make a new list of accounts to disable: Userids in "normal_users" but not in "good_users." Call this new list evil_users.
script part4: For each userid in "evil_users", change the password for them to "*".

Now about 30 days? If the requirement is the same as the 5 day requirement, you really have nothing to do.
One last thing. What about users that have not logged in for the last 5 days, but they never logged off?
You might want to look for and script to kick out idle users.

steve

Re: passwd question

doug hosking — Wed, 27 Oct 2004 15:06:16 GMT

If using the NUMBER_OF_LOGINS_ALLOWED feature be sure to check patches PHCO_27694 and PHCO_27721. Also, if using the grep solution, beware of the problem of doing a grep for user 'root' while user 'rootuser' is logged in. You don't want false matches on a subset of the user name!

Re: passwd question

Rasheed Tamton — Sat, 30 Oct 2004 06:39:34 GMT

Thanks for the responses.