  1. #1
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361

    check for password expiration

    What is the easiest way to check when a user's password will expire and send a notification email? On Linux, I can use the chage command to get the "Password expires" date. But on AIX, the lsuser command gives me maxage, which doesn't tell me when it will expire.

    The password for our db2 user ids is set to expire every 90 days on some AIX/Linux servers. We don't login using db2 id (sudo from our personal id), so we don't get notified that it will soon expire. When the password expires, crontab jobs for db2 stop running.

    Can you please suggest something I can use for both AIX and Linux? Preferably, something that I can run without using root.
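
The expiry calculation asked about in post #1, as an added example that is not part of the original thread. It assumes the default `chage -l` date format ("Mon DD, YYYY"), that AIX `maxage` is counted in weeks, and that the AIX `lastupdate` value (epoch seconds, kept in /etc/security/passwd) is supplied by whoever can read it; the user name, threshold and sample output are constructed.

```sh
#!/bin/sh
# Added example: days until a password expires, computed from captured tool output.
WARN_DAYS=14    # assumed notification threshold, not from the thread

# Constructed sample of `chage -l db2inst1` output (hypothetical user name).
SAMPLE_CHAGE='Last password change : Nov 30, 2011
Password expires : Feb 05, 2012'

# Days since 1970-01-01 for a civil date. $1=year $2=month(1-12) $3=day
epoch_day() {
    y=$1; m=$2
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + $3 - 1 ))
    yoe=$((y % 400))
    echo $(( y / 400 * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Linux: stdin = `chage -l USER` output, $1 = today as days since the epoch.
linux_days_left() {
    exp=$(sed -n 's/^Password expires[[:space:]]*:[[:space:]]*//p' | tr -d ,)
    [ -n "$exp" ] || return 2
    if [ "$exp" = never ]; then echo never; return 0; fi
    set -- "$1" $exp                     # $2=month name $3=day $4=year
    case $2 in
        Jan) mon=1;; Feb) mon=2;; Mar) mon=3;; Apr) mon=4;; May) mon=5;; Jun) mon=6;;
        Jul) mon=7;; Aug) mon=8;; Sep) mon=9;; Oct) mon=10;; Nov) mon=11;; Dec) mon=12;;
        *) return 2;;
    esac
    echo $(( $(epoch_day "$4" "$mon" "${3#0}") - $1 ))
}

# AIX: $1 = `lsuser -a maxage USER` output (maxage is in weeks),
# $2 = lastupdate in epoch seconds, $3 = today as days since the epoch.
aix_days_left() {
    weeks=$(printf '%s\n' "$1" | sed -n 's/.*maxage=\([0-9][0-9]*\).*/\1/p')
    [ -n "$weeks" ] || return 2
    if [ "$weeks" -eq 0 ]; then echo never; return 0; fi   # 0 = no maximum age
    echo $(( $2 / 86400 + weeks * 7 - $3 ))
}

# True when a notification e-mail is due.
needs_warning() {
    [ "$1" != never ] && [ "$1" -le "$WARN_DAYS" ]
}
```

A cron job can pass today's day number as `$(( $(date +%s) / 86400 ))` and send mail when `needs_warning` succeeds.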

  2. #2
    Join Date
    Feb 2006
    Posts
    172
    Check out the info on this page and see if it is what you are looking for:
    Password expiry

  3. #3
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    What I'd like to do is to automatically reset the password; it doesn't matter what it gets reset to since we don't really need to know it. I found the chpasswd command that I could use on AIX/Linux, but it looks like it requires root. Is there anything available on AIX/Linux that will allow a regular user id to reset its own password other than changing it with passwd?

  4. #4
    Join Date
    Sep 2009
    Location
    Ontario
    Posts
    1,015
    If your intent is to automatically reset the password, and if you don't need to know it, then why not just change the maxage to 'never expires'?

  5. #5
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    I wish I could just change it to never expire - violates ITCS104. But there is an exception on some servers and it's set to not expire - makes sense if login/rlogin is disabled.

  6. #6
    Join Date
    Sep 2009
    Location
    Ontario
    Posts
    1,015
    The chmod command has a -s option that allows the program/script to be executed as if it were run by the owner of the script rather than the login name of the user. If you were to do this, you should put the script in a directory that few people have access to.

  7. #7
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    Do you mean I create a script using root and then set SUID/GUID? Something like this:

    root@xxxxx
    > chmod ug+s test

    root@xxxxx
    > ls -l test
    -r-sr-s--- 1 root system 0 Nov 30 14:41 test


    Do I put chpasswd command in the script and schedule it in crontab of my db2 user?

  8. #8
    Join Date
    Sep 2009
    Location
    Ontario
    Posts
    1,015
    Yes. (very guardedly). There should be very few members in the group that can execute this script.
    Do you know if 'chpasswd' takes its input from stdin or stderr? You can test this simply by creating a file with a password in it (twice if chpasswd asks twice) and running it as:
    Code:
    chpasswd <data
    where data contains
    Code:
    abc123
    abc123
    If chpasswd does not use stdin then you have to write a script using expect.
    Try this with a test account, or have two open sessions so that you can restore the password if the change works, or worse changes the password to something with a carriage return in it.

  9. #9
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    I've never used chpasswd before, just read about it this morning here: Password maintenance

    Looks like it takes its input from stdin.

    I'll try it on some test server.

    Thank you.

  10. #10
    Join Date
    Sep 2009
    Location
    Ontario
    Posts
    1,015
    What is the output of 'ls -l chkpasswd' and 'ls -l pwgen'?

  11. #11
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    pwgen is not installed:


    > ls -l /usr/bin/chpasswd
    -r-x------ 1 root security 10228 Jun 11 18:14 /usr/bin/chpasswd


    > which pwgen
    no pwgen in /usr/bin /etc /usr/sbin /usr/ucb /usr/bin/X11 /sbin /usr/java14/jre/bin /usr/java14/bin

  12. #12
    Join Date
    Sep 2009
    Location
    Ontario
    Posts
    1,015
    Thanks, I'll do something with it over the weekend.

  13. #13
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    The previous output is from AIX.

    This one is from Linux:

    # which chpasswd
    /usr/sbin/chpasswd

    # ls -l /usr/sbin/chpasswd
    -rwxr-xr-x 1 root root 78872 Mar 3 2011 /usr/sbin/chpasswd

  14. #14
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,361
    Thank you. Don't spend too much of your time...

  15. #15
    Join Date
    Sep 2009
    Location
    Ontario
    Posts
    1,015
    Try this:
    Code:
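    #!/bin/sh
    # Generate a random 8-character password and set it for the db2 user.
    # Needs a `random` utility on the PATH.
    i=1
    pw1=""
    pw2=""
    while [ $i -le 8 ]
    do
            # random character code, offset so the range starts at 48 ('0')
            p=$(random 74)
            p=$(expr $p + 48)
            # skip backslash (92) and backquote (96)
            if [ $p -eq 92 -o $p -eq 96 ]
            then
                    p=$(expr $p + 1)
            fi
            # convert the code to octal, then the octal escape to a character;
            # printf is used because echo does not expand \n and \0 in every shell
            pw1=$(printf 'obase = 8\n%s\n' "$p" | bc)
            pw1=$(printf "\\$pw1")
            pw2=$pw2$pw1
            i=$(expr $i + 1)
    done
    #echo
    # quoted so that characters such as ? and [ are not expanded by the shell
    printf '%s\n' "$pw2" >>/home/db2/currentpassword
    printf 'db2:%s\n' "$pw2" | chpasswd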
    Add to root's cron jobs to run once per month.
    Make sure that /home/db2/currentpassword is only readable by root and db2.
