passwd question

 
Rasheed Tamton
Honored Contributor

passwd question

I have a query from the mgmt reg. the passwd.

They need a faster answer and I do not have enough time to search the web/docs. Sorry for that.

Needs to know what are the possibilities for the below:

-One session (login) per user.
-More than 5 days & user id not used = Disable
-3 month & user id not use = Archive

The system currently is not trusted. I am more concerned with the one session per user request. Please advise.

Thanks
Rasheed.
Steven E. Protter
Exalted Contributor

Re: passwd question

You can modify /etc/profile to deal with single session only.

user=$(whoami)
# Count this user's entries in who; the session running /etc/profile is already listed
usersessions=$(who | grep "$user" | wc -l)
if [ $usersessions -gt 1 ]
then
  echo "Already logged in"
  exit
else
  echo "logging in"
fi

Note:

If you name a user the same name as a normally running process, this code will cause users to be unjustly prevented from accessing the system.

Run ps -ef and make note of any possible conflicts, adjust your code accordingly.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: passwd question

For one session, modify the /etc/profile:

user=`echo $LOGNAME`
user_count=`who | grep $user | wc -l`
# Bourne/POSIX test syntax; /etc/profile is not read by csh
if [ $user_count -gt 1 ]; then
  echo "You have exceeded the max number of logins allowed"
  exit
fi

More than 5 days, you will have to parse with the last command - same for 3 months...

Rgd...Geoff


Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: passwd question

Forgot to try and answer these questions.

-More than 5 days & user id not used = Disable
-3 month & user id not use = Archive

These options are very easy with a trusted system. You could convert and then a few menu options in sam and you are done.

You could use the output of passwd -sa to write a custom script to do this though.

You might also need to match it against the output of the last command.

I would not delete users; I would use the passwd -l command to lock the account. To actually delete the user is needless work for your operations department, or worse you, if you are stuck adding users.

SEP
Muthukumar_5
Honored Contributor

Re: passwd question

We can control One Session (login) per user as,

/etc/profile

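# Double quotes so $LOGNAME is expanded; count the entries, because the
# session running /etc/profile is already listed by who
if [[ $(who | grep -c "$LOGNAME") -gt 1 ]]
then

echo "$LOGNAME is already logged"
sleep 2
exit 1
fi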

HTH.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: passwd question

We can get the last successful login as,

last -1
It will give time and date information there.

date +'%b %d' will give month date
last -1 | awk '{ print $4" "$5 }'
will give last successful login of a user

Using this time, make a script to get the day difference and lock the user as,

passwd -l

I did not get this one,
-3 month & user id not use = Archive
Archive means? Can you give more details on this?

HTH.
Easy to suggest when don't know about the problem!
Rasheed Tamton
Honored Contributor

Re: passwd question

Hi Muthu,
I just inherited the exact words of the mgmt. Archiving means, user should be disabled (I guess!!!). Yep, it is just that.

Thanks.
Sridhar Bhaskarla
Honored Contributor
Solution

Re: passwd question

Hi Rasheed,

If this is a 11.0 system with latest patches or a 11i system, then you can configure /etc/default/security file with the following option

NUMBER_OF_LOGINS_ALLOWED=1

This will limit the number of login sessions to one. There are more options available also. Check 'man security' for more options.

Aging parameters are a bit tricky on non-trusted systems. Look at 'man 4 passwd' for more options on setting up the expiration. Look at the section that explains the scenario where m>M in the password encryption string after the qualifier ",".

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sunil Sharma_1
Honored Contributor

Re: passwd question

If you are using HP-UX 11i or HP-UX 11 with the latest patch you can achieve it (One session per user) using /etc/default/security

These lines from man security

NUMBER_OF_LOGINS_ALLOWED
This parameter controls the number of simultaneous
logins allowed per user. This is applicable only for
non-root users.

NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are
allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N N number of logins are allowed per user.

Default value: NUMBER_OF_LOGINS_ALLOWED=0

If the system is in trusted mode you can achieve More than 5 days & user id not used = Disable
Use the usermod command with the -f option for this.




Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
Steve Post
Trusted Contributor

Re: passwd question

If I were you, I would make a new forum thread about disabling accounts after 5 days.

I assume you would not have your system in a trusted mode. How would you do it by hand?
You can see people that logged in in the last X days by running the last command.

Then you would count the number of days between today and their last login. (look for date calc utility in the forums).

You could get the list of users in the last command for the last 5 days. And compare it to the list of actual users in the passwd file. The users that are in the passwd file, but not in the list of "lastusers" would need to be disabled. Also, you might have a set of users you never disable (system accounts). So now you have a list of users to disable.

You run vipw to edit the passwd file. To disable an account, put an asterisk in the password field of the user's account.

Now how would you do this automatically?
I would make a unix or perl script that runs at 1 am each night.
script part1: use sed,grep,last,awk, time-calc,date,sort, and uniq to get a list of users that logged in in the past 5 days. I'll call the list good_users.
script part2: make list of all users from the passwd file, remove system users from the list, remove already disabled users from the list. I'll call this list normal_users.
script part3: make a new list of accounts to disable: Userids in "normal_users" but not in "good_users." Call this new list evil_users.
script part4: For each userid in "evil_users", change the password for them to "*".

Now about 30 days? If the requirement is the same as the 5 day requirement, you really have nothing to do.
One last thing. What about users that have not logged in for the last 5 days, but they never logged off?
You might want to look for and script to kick out idle users.

steve
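
The four script parts outlined in the post above, as an added example that is not part of the original thread. The sample `last` and passwd lines are constructed, the UID cutoff of 100 for system accounts is an assumption, and part 4 only prints the `passwd -l` command rather than running it.

```sh
#!/bin/sh
# Added example; every account and login line below is constructed.
# last-style lines in the layout the thread's awk assumes: $4 = month, $5 = day.
LAST_SAMPLE='alice pts/1 Mon Mar 10 09:12
bob pts/2 Tue Mar 4 14:02
rootuser pts/3 Sun Mar 9 08:00
alice pts/1 Fri Mar 7 17:40'
PASSWD_SAMPLE='root:x1:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:ab12cd:101:20::/home/alice:/usr/bin/sh
bob:ef34gh:102:20::/home/bob:/usr/bin/sh
carol:*:103:20::/home/carol:/usr/bin/sh
dave:ij56kl:104:20::/home/dave:/usr/bin/sh
rootuser:mn78op:105:20::/home/rootuser:/usr/bin/sh'

# Part 1: users seen within WIN days of "today" (MON DAY). last prints no year,
# so a negative age is treated as a login late in the previous year.
good_users() {  # args: MON DAY WIN; last output on stdin
  awk -v tm="$1" -v td="$2" -v win="$3" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
            for (i = 1; i <= 12; i++) base[m[i]] = off[i]
            today = base[tm] + td }
    ($4 in base) { age = today - (base[$4] + $5)
                   if (age < 0) age += 365
                   if (age <= win) print $1 }' | sort -u
}

# Part 2: ordinary accounts only. UID >= MIN stands in for "not a system user"
# (an assumption); a password field of "*" means already disabled.
normal_users() {  # arg: MIN; passwd text on stdin
  awk -F: -v min="$1" '$3 >= min && $2 != "*" { print $1 }'
}

# Part 3: normal_users minus good_users, matched on whole names so that
# "root" and "rootuser" are never confused.
stale_users() {  # args: PASSWD_TEXT LAST_TEXT MON DAY WIN
  good=$(printf '%s\n' "$2" | good_users "$3" "$4" "$5" | tr '\n' ' ')
  printf '%s\n' "$1" | normal_users 100 |
    awk -v good="$good" 'BEGIN { n = split(good, g, " ")
                                 for (i = 1; i <= n; i++) ok[g[i]] = 1 }
                         !($1 in ok)'
}

# Part 4 is left as a dry run: print the lock command instead of running it.
for u in $(stale_users "$PASSWD_SAMPLE" "$LAST_SAMPLE" Mar 11 5); do
  echo "would run: passwd -l $u"
done
```

The day-of-year arithmetic ignores leap years and is only reliable while the wtmp file covers less than a year. An account that never appears in `last` (dave in the sample) is treated as stale.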
doug hosking
Esteemed Contributor

Re: passwd question

If using the NUMBER_OF_LOGINS_ALLOWED feature be sure to check patches PHCO_27694 and PHCO_27721. Also, if using the grep solution, beware of the problem of doing a grep for user 'root' while user 'rootuser' is logged in. You don't want false matches on a subset of the user name!
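
The false-match problem described above, as an added example that is not part of the original thread. It compares a substring `grep` count with an exact match on the first field of `who`; the `who` lines, including the host column, are constructed.

```sh
#!/bin/sh
# Added example; the who output below is constructed.
WHO_SAMPLE='rootuser pts/0 Mar 11 08:01
root console Mar 11 08:15
alice pts/1 Mar 11 09:00
alice pts/2 Mar 11 09:30
bob pts/3 Mar 11 09:45 (alice-pc)'

# Substring count as in the grep snippets: also hits longer names and host fields.
count_grep() { grep -c "$1"; }

# Exact count: the whole first field must equal the login name.
count_exact() { awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'; }

# In /etc/profile the session being started is already listed by who, so the
# limit is exceeded when the exact count is greater than LIMIT.
over_limit() {  # args: USER LIMIT; who output on stdin
  [ "$(count_exact "$1")" -gt "$2" ]
}

for u in root alice bob; do
  echo "$u grep=$(printf '%s\n' "$WHO_SAMPLE" | count_grep "$u")" \
       "exact=$(printf '%s\n' "$WHO_SAMPLE" | count_exact "$u")"
done
```

In a login profile the same functions would read live data, for example `who | over_limit "$LOGNAME" 1`.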
Rasheed Tamton
Honored Contributor

Re: passwd question

Thanks for the responses.