Arunabha Banerjee
Valued Contributor

Block user accounts

I need one piece of urgent information: how to block user accounts that have not logged in to the server in the last 6 months on HP-UX 11i (on both Trusted and non-Trusted systems). I don't want to execute commands manually (like passwd -l username). Please advise ...

AB
Pete Randall
Outstanding Contributor

Re: Block user accounts

Describing your system as 11i leaves a range of options - like 11.11, 11.23, 11.31, and more.  I would suggest you look at man (4) security, particularly the inactivity_maxdays parameter.  In 11.11, at least, this parameter only applies to non-trusted systems.  If you have a more current release then your mileage may vary.


Pete
Pete Randall
Outstanding Contributor

Re: Block user accounts

Oops!  Glad I double checked.  The man page I looked at was for 11.31.

 

In the case of trusted systems, I would suggest that you take note of the fact that trusted systems are deprecated as of 11.31 and you should probably be looking into the shadow password feature instead.


Pete
James R. Ferguson
Acclaimed Contributor

Re: Block user accounts

Hi:

 

Pete's comments (including the deprecation of Trusted Systems) are the same ones I would make.  I too would establish (at least where you can) the 'INACTIVITY_MAXDAYS' in '/etc/default/security'.

 

In order to "clean up" users without recent activity, consider running 'last' and parsing out a list of users who haven't logged in or are absent from the underlying '/var/adm/wtmp' file, which would mean that they have never logged in during the file's coverage period.  You might find converting '/var/adm/wtmp' to its ASCII counterpart, which exposes Epoch dates, more useful:

 

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp

 

Once you enumerate the users who haven't logged in recently, a simple script to lock those accounts should be something any sysadmin could write.

 

Regards!

 

...JRF...
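
One way to do the enumeration described in the reply above, as an added example that is not part of the thread: it reads an fwtmp ASCII dump and a passwd file, then prints the `passwd -l` commands (the command from the original question) for review instead of running them. Assumptions: the column layout of the dump stated in the comments, the MIN_UID default of 100, the function names, and the constructed sample records.

```shell
#!/bin/sh
# Assumed fwtmp ASCII layout (check it against your own dump): whitespace-
# separated, $1 = user, $5 = ut_type (7 = USER_PROCESS), $8 = epoch seconds.

# stale_users WTMP_ASCII PASSWD_FILE NOW_EPOCH MAX_DAYS [MIN_UID]
# Prints "user<TAB>last-login-epoch" (or "never") for accounts with no login
# newer than the cutoff. Returns 2 and lists nobody when the dump does not
# reach back to the cutoff: absence from a trimmed wtmp proves nothing.
stale_users() {
    awk -v now="$3" -v days="$4" -v minuid="${5:-100}" '
        BEGIN { cutoff = now - days * 86400 }
        phase == 1 {                          # fwtmp dump
            t = $8 + 0
            if (t <= 0) next                  # record does not fit the layout
            if (oldest == "" || t < oldest) oldest = t
            if ($5 == 7 && t > last[$1]) last[$1] = t
            next
        }
        phase == 2 && $3 + 0 >= minuid {      # passwd file, skip system UIDs
            if (!($1 in last))          stale[++n] = $1 "\tnever"
            else if (last[$1] < cutoff) stale[++n] = $1 "\t" last[$1]
        }
        END {
            if (oldest == "" || oldest > cutoff) {
                print "wtmp coverage starts after the cutoff; nothing listed" | "cat 1>&2"
                exit 2
            }
            for (i = 1; i <= n; i++) print stale[i]
        }
    ' phase=1 "$1" phase=2 FS=: "$2"
}

# Dry run: print the lock commands for review instead of executing them.
lock_plan() {
    stale_users "$@" | while read -r user when; do
        echo "passwd -l $user    # last login: $when"
    done
}

# Constructed sample data, not real records. MIN_UID 100 is an assumption.
demo=${TMPDIR:-/tmp}/stale_demo.$$
mkdir -p "$demo"
printf '%s\n' \
    'alice ts/0 pts/0 2101 7 0000 0000 1699000000 Fri Nov  3 2023' \
    'alice ts/0 pts/0 2101 8 0000 0000 1699003600 Fri Nov  3 2023' \
    'bob   ts/1 pts/1 2202 7 0000 0000 1681000000 Sun Apr  9 2023' > "$demo/wtmp.txt"
printf '%s\n' 'root:x:0:3::/:/sbin/sh' 'alice:x:101:20::/home/alice:/usr/bin/sh' \
    'bob:x:102:20::/home/bob:/usr/bin/sh' 'carol:x:103:20::/home/carol:/usr/bin/sh' > "$demo/passwd"
lock_plan "$demo/wtmp.txt" "$demo/passwd" 1700000000 180
```

With the sample data and a 180-day window, the plan covers bob (old login) and carol (no record); asking for 365 days is refused because the sample dump does not go back that far.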