Login or Register to Ask a Question and Join Our Community


HP-UX

Password Aging script non-shadow non-trusted

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems HP-UX Password Aging script non-shadow non-trusted
# 1  
Old 07-14-2011
Password Aging script non-shadow non-trusted
basically there are several different versions of hpux, this script is for particular version that is non-trusted but also does not use any shadow files.This one is a little harder to do.

Usually the time stamp of the last password change is stored as an epoch number in the shadow file, for non-shadow untrusted servers the
only clue is the date in the third field from "passwd -s" command

#passwd -s sparcguy
sparcguy PS 06/02/11 0 91

06/02/11 this date I believe is stored in encrypted password in the format as month/day/year

I'm using a perl function str2time() which can convert dates to epoch numbers but takes the format of year(xxxx)/month(xx)/day(xx)
it will not work without this perl str2time module, so you need to check under "HTTP : Date" if you the module installed and if not you have to download it.

So to get this to work we first need to do a little formatting of the date.


As usual the description field of your userid must contain an email in the form of +email@domain.com

example:

sparcguy:<encrypted passwd>:100:100:+sparcguy@unix.com:/home/sparcguy:/usr/bin/ksh

Code:
#! /bin/sh
# Script to check password aging for non-trusted hpux servers WITHOUT shadow file
########################
#Notes: 
# date format for perl function str2time(year/month/day)
# date format for passwd -s (third field ) month/day/year
########################

cp -p /etc/passwd /etc/passwd.ORG
for i in `cat /etc/passwd.ORG | grep \@ | sed 's/:/+/g' | cut -d+ -f1`
do
OLASTPWCHG=`passwd -s $i | awk '{ print $3 }' | sed 's/\// /g' | awk '{print "20"$3"/"$1"/"$2}'`
export OLASTPWCHG
CVLASTPWCHG=`/usr/bin/perl -le 'use HTTP::Date; {print str2time($ENV{'OLASTPWCHG'});}'`
DAYSEC=`echo "60*60*24" | bc`
DAWNOFTIME=`/usr/bin/perl -e 'print int(time)'`
SECSAGO=`echo "$DAWNOFTIME - $CVLASTPWCHG" | bc`
DAYSAGO=`echo $SECSAGO/$DAYSEC | bc`
#
#we use 90 day password aging chg to yours
MAXAGE=91
LEFTDAYS=`echo "$MAXAGE - $DAYSAGO" | bc`

if [[ "$LEFTDAYS" = 7 ]]
then
	EMAILID=`cat /etc/passwd.ORG | grep $i | sed 's/:/+/g' | cut -d+ -f6`
        echo "Your unix id $i will expire in $LEFTDAYS days" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
fi

if [[ "$LEFTDAYS" = 3 ]]
then
	EMAILID=`cat /etc//passwd.ORG | grep $i | sed 's/:/+/g' | cut -d+ -f6`
        echo "Your unix id $i will expire in $LEFTDAYS days" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
fi

if [[ "$LEFTDAYS" -lt 0 ]]
then
	EMAILID=`cat /etc/passwd.ORG | grep $i | sed 's/:/+/g' | cut -d+ -f6`
        echo "Please note that your unix id $i has aleaady expired" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
fi
done

Last edited by pludi; 07-15-2011 at 03:57 AM..
# 2  
Old 07-15-2011
Interesting script.
Beware that the "last changed" date is always a Thursday regardless of when the user actually changed their password. Thus if I changed my password today Fri 15/07/11 the "last changed" date is Thu 14/07/11. Thus it is better to have expiry as a mutiple of 7 days e.g. 63 rather than 60 because on the second and subsequent change the expiry date becomes predictable.

Any accounts with non-expiring passwords have zeros in the "last changed" date.
# 3  
Old 07-16-2011
For non-expiring passwords in our environment that's usually it's an application userid. For such id's we do not have any password aging policies against them and we also do not insert an an email address in the description field ie +<email>@domain.

How the script knows to differentiate between a real user and an application is by the email address. You must put email addresses for real users. The script first greps any line in /etc/passwd that has an "\@" symbol and gets a list of the real user, this filters out any application userids, from there the script checks and calculates each id in the "grepped" list.
# 4  
Old 07-18-2011
Quote:
EMAILID=`cat /etc/passwd.ORG | grep $i | sed 's/:/+/g' | cut -d+ -f6`
The above line (and similar lines) is likely to give accidental matches which will break the script.
It would be better as:
Quote:
EMAILID=`cat /etc/passwd.ORG | grep \^${i}: | sed 's/:/+/g' | cut -d+ -f6`
The convention for holding multiple fields in the comment field is to separate them with comma characters.

If you start with the output from " logins -xto " all your required fields for a user are available in one colon-delimited line thereby removing the need to search the passwd file umpteen times.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Linux

Linux password aging and ssh keys

Recently I have been playing with password ageing and the usage of ssh keys. I have found that if usePAM yes (default) is set in the /etc/ssh/sshd_config file then any password ageing and inactiivity can adversely affect a client with ssh keys. For example: Set PASS_MAX_DAYS to 60 in... (5 Replies)
Discussion started by: smurphy_it
5 Replies

2. Solaris

passwd cmd reenables passwd aging in shadow entry

Hi Folks, I have Solaris 10, latest release. We have passwd aging set in /etc/defalut/passwd. I have an account that passwd should never expire. Acheived by emptying associated users shadow file entries for passwd aging. When I reset the users passwd using passwd command, it re enables... (3 Replies)
Discussion started by: BG_JrAdmin
3 Replies

3. UNIX for Advanced & Expert Users

Password Aging with Openssh 5.2 SFTP Subsystem Jail

All, I enabled PAM and aged a password, but when I login it asks me for the current password then says password unchanged after entering the current password. Is this a bug? My security dept is going to want me to enable password aging and I'm stuck! Any help on what the issu is? ... (6 Replies)
Discussion started by: markdjones82
6 Replies

4. HP-UX

shadowed password file on non-trusted system?

Is it possible to have shadowed password file without implementing a Trusted System? (3 Replies)
Discussion started by: linuxdude
3 Replies

5. Shell Programming and Scripting

is there anyway of implementing password aging in NIS?

Hi , is there anyway of implementing password aging in NIS? I would say thanks in advance. Thanks and regards, HAA (1 Reply)
Discussion started by: HAA
1 Replies

6. Cybersecurity

lost root password using (SAM) trusted security

I have used the system administration management trusted security system and in the process the root password have been changed or lost. Is there any possible way to recover root status after this incident:( (5 Replies)
Discussion started by: jordanrt
5 Replies

7. UNIX for Dummies Questions & Answers

password aging

hi experts this is regarding password aging i tried searching forum but i cudnt locate given a login id, i would like to determine whether password ageing has been enabled for that and for the login id whether password has been expired on a particular point of time Thanks (4 Replies)
Discussion started by: teletype_error
4 Replies

8. UNIX for Dummies Questions & Answers

password aging help

If the command passwd -f is used, Users get the below error. I need to force users to change there passwords at initial login. Anyone know what is going on? This is on a Non-Stop UX system UX:in.login: ERROR: Your password has been expired for too long UX:in.login: TO FIX: Consult your system... (0 Replies)
Discussion started by: breigner
0 Replies

9. UNIX for Dummies Questions & Answers

remove shadow password

Does anyone know how to remove a stanza in the shadow password file if the user account has already been removed on an AIX box? I know it can be done by editing the file itself but I would prefer not to do it that way. cheers gizaa (2 Replies)
Discussion started by: gizaa
2 Replies

10. UNIX for Advanced & Expert Users

OpenSSH and password aging

Vesion 3.8.1 of OpenSSH has been compiled on a Solaris 8 host. I am having difficulties in enabling password aging to work from reading /etc/default/passwd and /etc/shadow. # passwd -f < user-id > works satisfactorily however once a password ages through due course from the settings in... (1 Reply)
Discussion started by: raylen
1 Replies
Login or Register to Ask a Question