System Administration

Notification of expiring password?

SOLVED
Jason Martens
Frequent Advisor


I have a problem on several servers. When the password expires, some cron jobs with rsh commands to that server fail until I log in and change the password. Is there some way to have the system notify us (perhaps via e-mail) when it is time to change the password? Our current policy expires passwords after 90 days. I thought about some kind of cron job, but it's difficult to make it run every 90 days exactly.

Thanks,
Jason
Never swap out a tape drive at 3 AM!!!
10 REPLIES
R. Sri Ram Kishore_1
Respected Contributor

Re: Notification of expiring password?

Hi Jason,

Check these links:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=9100
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=352726

HTH.

Regards,
Sri Ram
"What goes up must come down. Ask any system administrator."
G. Vrijhoeven
Honored Contributor

Re: Notification of expiring password?

Hi Jason,

Maybe the logins command could help you.

Regards,

Gideon
RAC_1
Honored Contributor

Re: Notification of expiring password?

In trusted systems it is easy. You just need to check account life time and expwarn setting. Compare it and if less than certain days email you about it.

In trusted system, you will have to do passwd -s "user_name", get his expire date, compare it against today's date and if days are equal to or less than certain days email you. You would require a utility (by A Clay) data hammer for this.

Anil
There is no substitute to HARDWORK
Sundar_7
Honored Contributor

Re: Notification of expiring password?

Use this script as "base" and take it from there

============================================
#!/usr/bin/sh

# Sets COUNTDAYS to the number of days from 1 Jan 1970 up to the date in $1.
# $1 is a date string such as "Thu Jan 1 01:00:00 1970".
function last_set_day
{
    LSPWCHG=$1

    MONTH=$(echo $LSPWCHG | cut -d" " -f2 )
    DAY=$(echo $LSPWCHG | cut -d" " -f3 )
    YEAR=$(echo $LSPWCHG | cut -d" " -f5 )

    # leap-day adjustment for dates after February in the pw change year
    # (the simple % 4 test holds for 1970-2099)
    if (( YEAR % 4 == 0 ))      # IS THIS A LEAP YEAR?
    then
        JULIEAP=1               # SET DAY OF YR
    else
        JULIEAP=0
    fi

    case $MONTH in
        Jan) MMOUNT=0;;
        Feb) MMOUNT=31;;
        Mar) (( MMOUNT = 59 + JULIEAP ));;
        Apr) (( MMOUNT = 90 + JULIEAP ));;
        May) (( MMOUNT = 120 + JULIEAP ));;
        Jun) (( MMOUNT = 151 + JULIEAP ));;
        Jul) (( MMOUNT = 181 + JULIEAP ));;
        Aug) (( MMOUNT = 212 + JULIEAP ));;
        Sep) (( MMOUNT = 243 + JULIEAP ));;
        Oct) (( MMOUNT = 273 + JULIEAP ));;
        Nov) (( MMOUNT = 304 + JULIEAP ));;
        Dec) (( MMOUNT = 334 + JULIEAP ));;
    esac

    (( COUNTMONTH = MMOUNT + $DAY ))

    # add the days of every full year before YEAR, counted from a fixed
    # base year so that two results can be subtracted from each other
    COUNTDAYS=0
    Y=1970
    while (( Y < YEAR ))
    do
        (( COUNTDAYS = COUNTDAYS + 365 ))
        if (( Y % 4 == 0 ))     # IS THIS A LEAP YEAR?
        then
            (( COUNTDAYS = COUNTDAYS + 1 ))
        fi
        (( Y = Y + 1 ))
    done

    (( COUNTDAYS = COUNTDAYS + $COUNTMONTH ))
}


#################
#
# Main
#
#################


#################
#
# Flags (left at their defaults in this base script)
#
#################

EXPIRE=0
LOCKED=0
SENDMSG=1
DISABLED=0

awk -F":" '{print $1}' /etc/passwd | xargs -n1 | while read USER
do

    # skip system accounts
    echo "$USER" | egrep -q "^smbnull$|^adm$|^bin$|^sys$|^daemon$|^uucp$|^lp$|^nuucp$|^hpdb$|^www$|^soeadm$"

    [[ $? -eq 0 ]] && continue

    ################
    #
    # Find out the password expiry setting for the user
    #
    ################

    EXPTM=$(/usr/lbin/getprpw -l -r -m exptm $USER)
    if [ -z "$EXPTM" ] ; then EXPTM=0 ; fi

    case $EXPTM in
        0|-1)
            if [ "$EXPIRE" -gt "0" ] ; then
                echo "password for user $USER has not expired"
            fi
            ;;
        *)  if [ "$EXPIRE" != "1" ] ; then
                EXPWARN=$(/usr/lbin/getprpw -l -r -m expwarn $USER)
                SPWCHG=$(/usr/lbin/getprpw -l -r -m spwchg $USER)
                LFTM=$(/usr/lbin/getprpw -l -r -m lftm $USER)

                if [ "$SPWCHG" = "Thu Jan 1 01:00:00 1970" -a "$DISABLED" = "0" ] ; then
                    echo "user $USER never logged in!"
                    continue
                fi

                if [ "$SPWCHG" = "-1" -a "$DISABLED" = "0" ] ; then
                    echo "user $USER never logged in - date not defined"
                    continue
                fi

                # day number of the last password change, plus the expiry time
                last_set_day "$SPWCHG"
                days_last_set=$COUNTDAYS
                (( CALC_DATE = COUNTDAYS + $EXPTM ))

                # day number of today
                TODAY=$(date "+%c")
                last_set_day "$TODAY"
                DAYS_TODAY=$COUNTDAYS

                (( EXP_DAYS = CALC_DATE - DAYS_TODAY ))
                (( EXP_MSG = EXP_DAYS - EXPWARN ))

                if [ "$EXP_DAYS" -ge "$LFTM" ] ; then
                    EXP_MSG="0"
                    EXP_DAYS=-1
                fi

                if [ "$EXP_MSG" -le "0" ] ; then
                    if [ "$EXP_DAYS" -lt "0" ] ; then
                        echo "Password for user $USER has expired!"
                    else
                        if [ "$DISABLED" = "0" -a $EXP_DAYS -le $EXPWARN ]
                        then
                            echo "Password for user $USER expire in $EXP_DAYS days!"
                        fi
                    fi
                else
                    echo "Account ${USER} expire in $EXP_DAYS Days!"
                fi
            else
                if [ "$DISABLED" = "0" ] ; then
                    echo "password for user $USER expire in $EXP_DAYS Days!"
                fi
            fi
            ;;
    esac

done
============================================
Learn What to do, How to do and more importantly When to do?
Sanjay_6
Honored Contributor
Solution

Re: Notification of expiring password?

Hi,

You can also try this link from itrc,

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=-1335382922+1095278623549+28353475&docId=200000074740865

The itrc doc id is USECKBAN00000934.

Hope this helps.

Regds
Sridhar Bhaskarla
Honored Contributor

Re: Notification of expiring password?

Hi Jason,

My version of it. It's a very simple script and you can easily tailor it to your needs.
Basically this is the approach.

1. Create a file, say /etc/expirytab, every night at 12:00 AM. It's a comma-separated file with user, date of the last password change, date of expiry and days left before password expiry. See below for the script to do it for you.

2. Put a small script in /etc/profile and /etc/csh.login that does the following

a. Get the user.
b. Get "how many days before the password expires from now" from /etc/expirytab
c. Compare it against site 'notification policy' say 15. If it is less than the notification policy, then print a statement similar to standard notification message along with the other details like when the user changed the password, when the password will expire etc.,

If you want you can even add code into 'script1' to send mails to the users and skip step2.

For getting the expiry information, here is the script. You may need to add some checks like if the user file is not there etc., etc. otherwise 'awk' will hang.

--start of the script --

#!/usr/bin/ksh

EXPIRE=60       # password lifetime in days
NOW=$(/usr/contrib/bin/perl -e 'printf "%d\n",time()')

if [ ! -d /tcb ]
then
    echo "Only on trusted systems"
    exit 1
fi

# start from an empty table on every run
rm -f /etc/expirytab

for USER in $(logins|awk '{print $1}')
do
    FIRST=$(echo $USER|cut -c1)
    USERFILE="/tcb/files/auth/${FIRST}/${USER}"
    # skip users that have no file under /tcb/files/auth
    [ -f "$USERFILE" ] || continue

    # u_succhg#<seconds> holds the time of the last successful password change
    THEN=$(awk -F'u_succhg' '/u_succhg/ {print $2}' "$USERFILE" | awk -F':' '{print $1}' | sed 's/#//')
    [ -n "$THEN" ] || continue

    # adb is used here only to turn epoch seconds into a readable date
    WHEN_CHANGED=$(echo 0d${THEN}=Y | adb)

    (( EXPIRES_ON_DATE = $THEN + ( $EXPIRE * 86400 ) ))
    (( EXPIRES_IN_DAYS = ( $EXPIRES_ON_DATE - $NOW ) / 86400 ))

    EXPIRES_ON_DATE=$(echo 0d${EXPIRES_ON_DATE}=Y |adb)

    echo "$USER,$WHEN_CHANGED,$EXPIRES_ON_DATE,$EXPIRES_IN_DAYS" >> /etc/expirytab
done

---end of the script---

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Jason Martens
Frequent Advisor

Re: Notification of expiring password?

Thanks all for your quick and helpful replies. I ended up using Sanjay's solution (or rather, the solution he linked to).
Never swap out a tape drive at 3 AM!!!
Henrik Rasmussen
Occasional Advisor

Re: Notification of expiring password?

Hello

I may have overlooked something in the many many forum posts I have been looking through, but using getprpw on a trusted system seems to be usable only if password expiry has been set per user. When using getprpw with a system wide password aging policy set, but not per user password aging set, getprpw shows an exptm value of -1. Using passwd -sa is only usable on non-trusted systems.

The global password was set in the file /tcb/files/auth/system/default by using SAM, but getprpw does display per-user password expiration time. Neither does the user's /tcb/files/auth/u/user file, since it does not contain any u_exp when per user password aging is not set.

What command do I use, or how do I calculate the password expiry date on a trusted system (HP-UX 11.11) with a global password expiration value set, considering both password aging, password lifetime and any other values that may influence password aging?

Henrik

jaganadhan
Occasional Advisor

Re: Notification of expiring password?

Hi,

I tried this command.

passwd -s support

Output which I got:

support PS

What is PS? Can anyone explain?

Regards,
Jagan
Matti_Kurkela
Honored Contributor

Re: Notification of expiring password?

From the output of "man passwd" command:

-s name

    Display some password attributes associated with the specified name. Superuser privilege is required if the files repository is specified.

    The format of the display will be:

    name status mm/dd/yy min max warn

    or, if password aging information is not present

    name status

    where status means: PS =passworded; LK =locked; and NP =no password.

 

In other words, the output means that the user account named "support" currently has a password and is not locked.

There is no password aging information, so this password is *not* going to expire.

MK
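
Added example, not written by any poster in this thread: a POSIX shell filter that reads `passwd -s -a` lines in the format quoted from the man page above and lists the accounts whose password is inside its warning window, using a full Gregorian day count instead of a month table. It assumes min, max and warn are in days and that a two-digit year below 70 means 20yy; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Flag accounts from `passwd -s -a` output whose password is inside its
# warning window. Line format: name status mm/dd/yy min max warn
# Assumptions: min/max/warn are in days; a two-digit year below 70 means 20yy.

# Days since 1970-01-01 for a Gregorian date (full leap-year rule).
days_from_civil() {                    # usage: days_from_civil YYYY MM DD
    y=$1 m=${2#0} d=${3#0}             # drop a leading 0 so 08/09 are not octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# stdin: passwd -s lines. $1: today's day number. $2: window to use when a
# line has no usable warn value. Prints "name days_left" (negative = expired).
expiring_accounts() {
    today=$1 default_warn=$2
    while read -r name status lastchg min max warn; do
        [ "$status" = PS ] || continue                  # skip LK and NP
        case $max in ''|*[!0-9]*|0) continue ;; esac    # no aging information
        case $lastchg in */*/*) ;; *) continue ;; esac  # not a mm/dd/yy date
        case $warn in ''|*[!0-9]*|0) warn=$default_warn ;; esac
        mm=${lastchg%%/*}; rest=${lastchg#*/}
        dd=${rest%%/*}; yy=${rest#*/}; yy=${yy#0}
        if [ "$yy" -lt 70 ]; then yyyy=$((2000 + yy)); else yyyy=$((1900 + yy)); fi
        left=$(( $(days_from_civil "$yyyy" "$mm" "$dd") + max - today ))
        if [ "$left" -le "$warn" ]; then echo "$name $left"; fi
    done
}

# Constructed sample lines (not real accounts), evaluated as of 2004-09-16.
sample_report() {
    expiring_accounts "$(days_from_civil 2004 09 16)" 14 <<'EOF'
batch    PS 06/25/04 0 90 7
appuser  PS 09/01/04 0 90 7
support  PS
oldsvc   PS 05/01/04 0 90 7
locked1  LK 01/01/04 0 90 7
EOF
}
sample_report

# Daily root cron job on a host:
#   passwd -s -a | expiring_accounts "$(days_from_civil $(date '+%Y %m %d'))" 14
```

Run daily from cron and piped to a mailer, the non-empty output gives the notification asked for in the original question without having to schedule anything "every 90 days".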