Operating System - HP-UX

Any command to identify disabled unixids

S.Rider
Regular Advisor

Any command to identify disabled unixids

Every month, when we auto-change passwords on some unixids, we get a bunch of unixids disabled because of too many invalid password attempts.
Is there a unixid command I can issue to list the disabled unixids?
Ride Boldly Ride, but watch out for El Dorado's
Mel Burslan
Honored Contributor
Solution

Re: Any command to identify disabled unixids

I just provided this following snippet of code to another similar request. Hope it helps you too:

# Walk every account in /etc/passwd (trusted systems only).
for ID in $(cut -d: -f1 /etc/passwd)
do
    # Raw lockout field for this account from the protected password database.
    STATUS=$(/usr/lbin/getprpw -l -r -m lockout "$ID")
    RC=$?

    if [ $RC -eq 0 ]
    then
        # The first pattern that matches wins; each message is prefixed with
        # the account name so the output identifies which ID it refers to.
        case "$STATUS" in
            0000000 ) print "$ID: Account Active." ;;
            1?????? ) print "$ID: LOCKED: Past password lifetime." ;;
            ?1????? ) print "$ID: LOCKED: Past inactive time." ;;
            ??1???? ) print "$ID: LOCKED: Past account lifetime." ;;
            ???1??? ) print "$ID: LOCKED: too many failed logins." ;;
            ????1?? ) print "$ID: LOCKED: passwd required." ;;
            ?????1? ) print "$ID: LOCKED: Locked by Admin." ;;
            ??????1 ) print "$ID: LOCKED: Password is a *." ;;
            * ) print "$ID: Unknown status code returned."; exit 10 ;;
        esac
    else
        echo "There is a problem running getprpw command."; exit 11
    fi
done
________________________________
UNIX because I majored in cryptology...
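
An added example, not part of the post above or of any HP-UX tool: the case statement reports only the first pattern that matches, so an account with several lock bits set shows one reason. This sketch decodes every set bit, using the bit meanings from that case statement, and lists only locked accounts; the function names `decode_lockout`, `lockout_report` and `sample_data` are hypothetical and the sample lines are constructed.

```shell
# Added example. Bit meanings are taken from the case statement in the post above.

# decode_lockout FLAGS: print "active" or every lock reason whose bit is set.
# Returns 1 if FLAGS is not seven 0/1 characters.
decode_lockout() {
    flags=$1
    case "$flags" in
        [01][01][01][01][01][01][01]) ;;
        *) return 1 ;;
    esac
    [ "$flags" = 0000000 ] && { echo active; return 0; }
    reasons=""
    pos=1
    for reason in "past password lifetime" "past inactive time" \
                  "past account lifetime" "too many failed logins" \
                  "passwd required" "locked by admin" "password is a *"
    do
        bit=$(printf '%s' "$flags" | cut -c"$pos")
        if [ "$bit" = 1 ]; then reasons="${reasons:+$reasons, }$reason"; fi
        pos=$((pos + 1))
    done
    echo "$reasons"
}

# lockout_report: read "user flags" lines on stdin, print only locked accounts.
lockout_report() {
    while read -r user flags; do
        if result=$(decode_lockout "$flags"); then
            [ "$result" = active ] || echo "$user: LOCKED ($result)"
        else
            echo "$user: unexpected lockout value '$flags'"
        fi
    done
}

# Constructed sample input (not real accounts). On a trusted system, feed it with:
#   for u in $(cut -d: -f1 /etc/passwd); do
#       echo "$u $(/usr/lbin/getprpw -l -r -m lockout "$u")"
#   done | lockout_report
sample_data() {
    cat <<'EOF'
root 0001000
oracle 0000000
appuser 1001000
batch 0000010
EOF
}

sample_data | lockout_report
```

Filtering the report with `grep 'too many failed logins'` narrows it to the accounts disabled by invalid password attempts.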
S.Rider
Regular Advisor

Re: Any command to identify disabled unixids

Thanks Mel, that works great for my trusted systems. Unfortunately, I have a bunch of un-trusted ones. I can use the "passwd -s root" command for them.
Ride Boldly Ride, but watch out for El Dorado's
Rick Garland
Honored Contributor

Re: Any command to identify disabled unixids

There are many options to the /usr/sbin/logins command.

You may be most interested in the 'logins -x'

Display extended information about selected users. This extended
information includes home directory, login shell and password
aging data, each on its own line. Password information consists
of password status (PS for valid password, LK for locked and NP
for no password) and, if a password is present, date of last
change, required number of days between changes, and number of
days allowed between changes. In the case of non-trusted
systems, the date of last change will be the latest Thursday
since the change.

Mel Burslan
Honored Contributor

Re: Any command to identify disabled unixids

Sorry, that was my assumption that you are running in a trusted environment only. For the untrusted:

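# Walk every account in /etc/passwd (untrusted systems).
for ID in `cat /etc/passwd | cut -d: -f1`
do
    # logins -x reports LK as the password status of a locked account.
    logins -x -l ${ID} | grep -q LK
    r=$?
    if [ $r -eq 0 ]
    then
        echo "Account ${ID} is LOCKED"
    else
        echo "Account ${ID} is NOT locked"
    fi
done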

HTH
________________________________
UNIX because I majored in cryptology...
S.Rider
Regular Advisor

Re: Any command to identify disabled unixids

All of the above work fine if you're logged on a system, but what I was really looking for turned out to be more difficult or easier depending on how you look at it.
We have a sysadmin server that all the other unix servers trust. We have a script on the sysadmin server that does a remsh/ssh to all the other servers to gather information. For example "SYSinfo.sh cpb" will list the latest Customized-Patch-Bundle on all the servers. "SYSinfo.sh bdfopt" will give a bdf of /opt for everyone. We wanted a command to check if the root id was locked on any servers, which happens every month when the root pw is changed.
The difficulty arose because you can't use remsh/ssh to run a command on a server where root is locked/disabled.
The easy solution was to just do a "remsh/ssh date" to all the servers. Check &2 for the command, if it's "Account is disabled or expired", email the SysAdmins telling them to get on the gsp-console and unlock root.
I keep thinking there's a more elegant solution but this is working for us.
But I'm taking some of the above suggestions for another script to run on each server and list all the user accounts which are locked.
Thanks all for the help/ideas/suggestions.
Ride Boldly Ride, but watch out for El Dorado's