
fields in TCB

Mark Harshman_1
Regular Advisor

fields in TCB

is there a field under a user-id, under /tcb/files/auth/letter/name that indicates that user-id is currently disabled? Trying to find a quick way to see what users on my system (HP-UX 11i) are in a disabled state. thanks
Never underestimate the power of stupid people in large groups
Denver Osborn
Honored Contributor
Solution

Re: fields in TCB

the man page for getprpw contains the info you'll need. I don't have a trusted system to check my syntax, but looks like '/usr/lbin/getprpw -m lockout username' is what you'd want to use in your script. Compare the output of what lockout returns to the entry you see in the /tcb/auth/letter/username file.

The values for lockout are explained in the man page... basically anything other than all zeros means the account is disabled.

examples...
0000010 means admin lock
0001000 means too many failed attempts

hope this helps,
-denver
Ranjith_5
Honored Contributor

Re: fields in TCB

Hi,

You may write a script to get the required info.

see the lockout=0000000 part of the /usr/lbin/getprpw output. If the lockout value is 0000000 then the account is enabled. All the other conditions show a kind of lockout.


here are some inputs to make the script.

get the user list in to a tmp file by

cat /etc/passwd | cut -d: -f1 > /tmp/userlist

read the users one by one from this file and check the lockout status; the output can be stored in a file along with the username.

Now do a

grep -v 0000000 < file name >

to find out the locked users in the system.

Regards,
Syam
Andy Torres
Trusted Contributor

Re: fields in TCB

getprpw on my "andyt" login:

# /usr/lbin/getprpw -m lockout andyt
lockout=0000000

From the man page of getprpw:

"lockout=#######" returns the reason for a lockout in a "bit" valued
string, where 0 = condition not present, 1 is
present. The position, left to right represents:

1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *

Throw all that into a script and you'll be able to cull all the locked out users.
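The bit-string decoding that Denver and Andy describe, worked through as an added example (this is not code from the thread or from HP). It decodes the seven-position lockout field from the getprpw man page, reports whether an account is disabled and why, and filters a list of "user value" lines down to the locked accounts. The input is a constructed sample; on a real HP-UX trusted system the value for each user would come from /usr/lbin/getprpw -r -m lockout, which prints the bare field, and the function also accepts the lockout=####### form shown above. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: decode the getprpw lockout bit string
# and list locked accounts from "user value" lines on stdin.

# Reason for each bit position, left to right, as documented in getprpw(1M).
lockout_reason() {
    case "$1" in
        1) echo "past password lifetime" ;;
        2) echo "past last login time (inactive account)" ;;
        3) echo "past absolute account lifetime" ;;
        4) echo "exceeded unsuccessful login attempts" ;;
        5) echo "password required and a null password" ;;
        6) echo "admin lock" ;;
        7) echo "password is a *" ;;
        *) echo "unknown bit position $1" ;;
    esac
}

# decode_lockout VALUE: print one reason per set bit, nothing for 0000000.
# Accepts "0000010" or "lockout=0000010". Returns 2 on a malformed value.
decode_lockout() {
    bits=${1#lockout=}
    rest=$bits
    i=1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first remaining character
        rest=${rest#?}             # drop it
        case "$c" in
            1) lockout_reason "$i" ;;
            0) ;;
            *) echo "malformed lockout value: $bits" >&2; return 2 ;;
        esac
        i=$((i + 1))
    done
    [ "$i" -eq 8 ] || { echo "malformed lockout value: $bits" >&2; return 2; }
    return 0
}

# is_locked VALUE: exit 0 if any bit is set, 1 if all zeros, 2 if malformed.
is_locked() {
    bits=${1#lockout=}
    case "$bits" in
        0000000) return 1 ;;
        [01][01][01][01][01][01][01]) return 0 ;;
        *) return 2 ;;
    esac
}

# lockout_summary VALUE: all reasons on one line, separated by ';'.
lockout_summary() {
    s=$(decode_lockout "$1" | tr '\n' ';')
    printf '%s\n' "${s%;}"
}

# locked_users: read "user value" lines from stdin and print "user: reasons"
# for every locked account; malformed values are reported on stderr.
locked_users() {
    while read -r user value; do
        [ -n "$user" ] || continue
        rc=0
        is_locked "$value" || rc=$?
        case "$rc" in
            0) printf '%s: %s\n' "$user" "$(lockout_summary "$value")" ;;
            1) ;;
            *) echo "$user: malformed lockout value '$value'" >&2 ;;
        esac
    done
}

# Constructed sample of what "getprpw -m lockout" would report per user;
# usernames and values are made up for the example.
SAMPLE_LOCKOUTS='andyt lockout=0000000
svc_backup lockout=0000010
jdoe lockout=0001000
olduser lockout=0100001'

printf '%s\n' "$SAMPLE_LOCKOUTS" | locked_users
```

On a trusted system the same filter can be fed live data with something like `for u in $(cut -d: -f1 /etc/passwd); do echo "$u $(/usr/lbin/getprpw -r -m lockout "$u")"; done | locked_users`; the bit-position table is the only HP-UX-specific piece, so the decoder itself runs on any POSIX sh.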
Mark Harshman_1
Regular Advisor

Re: fields in TCB

thanks to all..useful info.
Never underestimate the power of stupid people in large groups
Mel Burslan
Honored Contributor

Re: fields in TCB

as far as I know, there is no visual way of telling who is locked and who is not but the following code snippet can help you.

for ID in `cat /etc/passwd | cut -d: -f1`
do
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)
RC=$?
case "$RC" in
0 ) case "$STATUS" in
0000000 ) print "Account Active." ;;
1?????? ) print "LOCKED: Past password lifetime." ;;
?1????? ) print "LOCKED: Past inactive time." ;;
??1???? ) print "LOCKED: Past account lifetime." ;;
???1??? ) print "LOCKED: too many failed logins." ;;
????1?? ) print "LOCKED: passwd required." ;;
?????1? ) print "LOCKED: Locked by Admin." ;;
??????1 ) print "LOCKED: Password is a *." ;;
* ) print "Unknown status code returned.";exit 10;;
esac
done

hope this helps...
________________________________
UNIX because I majored in cryptology...
Mark Harshman_1
Regular Advisor

Re: fields in TCB

Mel, thanks for the script. If you get this msg, it's not quite working as written. Getting a msg that the "done" statement is not expected. Any help would be appreciated. thanks
Never underestimate the power of stupid people in large groups
Hanwant Verma_1
Regular Advisor

Re: fields in TCB

Use this script.. this will help you a lot

Hanwant
Mel Burslan
Honored Contributor

Re: fields in TCB

Sorry,
I was too hasty to quickly cut'N'paste the code snippet from my utility collection. This code is actually a part of a multi OS trusted system handling code, i.e., spaghetti code.

I have tested the following code on one of my systems and it is working for me right now. Hope it works for you too.


for ID in `cat /etc/passwd | cut -d: -f1`
do
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)
RC=$?

if [ $RC -eq 0 ]
then

case "$STATUS" in
0000000 ) print "Account Active." ;;
1?????? ) print "LOCKED: Past password lifetime." ;;
?1????? ) print "LOCKED: Past inactive time." ;;
??1???? ) print "LOCKED: Past account lifetime." ;;
???1??? ) print "LOCKED: too many failed logins." ;;
????1?? ) print "LOCKED: passwd required." ;;
?????1? ) print "LOCKED: Locked by Admin." ;;
??????1 ) print "LOCKED: Password is a *." ;;
* ) print "Unknown status code returned.";exit 10;;
esac

else

echo "There is a problem running getprpw command."; exit 11

fi
done
________________________________
UNIX because I majored in cryptology...