#1 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
check for password expiration

What is the easiest way to check when a user's password will expire and send a notification email? On Linux, I can use chage command to get "Password expires" date. But on AIX, lsuser command gives me maxage, but that doesn't tell me when it will expire.

The password for our db2 user ids is set to expire every 90 days on some AIX/Linux servers. We don't login using db2 id (sudo from our personal id), so we don't get notified that it will soon expire. When the password expires, crontab jobs for db2 stop running.

Can you please suggest something I can use for both AIX and Linux? Preferably, something that I can run without using root.
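
For the expiry check asked about in the first post, an added example (not code from anyone in this thread) that turns the values `chage -l` and `lsuser` report into days remaining. It assumes AIX `maxage` is in weeks and `lastupdate` is epoch seconds, and that `chage` prints English `Mon DD, YYYY` dates; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: days until a password expires, from values the OS reports.
# Inputs come in as arguments or stdin so the arithmetic can be checked offline.

# AIX: "lsuser -a maxage USER" reports maxage in weeks (0 = never expires);
# "lssec -f /etc/security/passwd -s USER -a lastupdate" reports the last
# change in epoch seconds.
aix_days_left() {    # usage: aix_days_left LASTUPDATE MAXAGE_WEEKS NOW
    if [ "$2" -eq 0 ]; then echo never; return 0; fi
    echo $(( ($1 + $2 * 7 * 86400 - $3) / 86400 ))
}

# "Mon DD, YYYY" (assumed chage date format) -> days since 1970-01-01.
date_to_days() {
    set -- $(printf '%s' "$1" | tr -d ',')
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0}; y=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi      # year starts in March
    yoe=$((y % 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    echo $(( y / 400 * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Linux: "chage -l USER" text on stdin, current epoch seconds as $1.
linux_days_left() {  # usage: chage -l USER | linux_days_left NOW
    when=$(sed -n 's/^Password expires[[:space:]]*:[[:space:]]*//p')
    if [ "$when" = never ]; then echo never; return 0; fi
    exp_day=$(date_to_days "$when") || return 1
    echo $(( exp_day - $1 / 86400 ))
}

# True when the days left is a number at or below the threshold.
should_warn() {      # usage: should_warn DAYS_LEFT THRESHOLD
    [ "$1" != never ] && [ "$1" -le "$2" ]
}

# Constructed sample of "chage -l" output (not from a real system).
SAMPLE_CHAGE='Last password change     : Jan 01, 2024
Password expires         : Mar 31, 2024
Password inactive        : never
Maximum number of days between password change : 90'
```

From cron, pass the result to `should_warn` and send the notification mail when it succeeds. On AIX the `lastupdate` lookup needs read access to /etc/security/passwd, so that half cannot run from an unprivileged account.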
#2 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 169
Check out the info on this page and see if it is what you are looking for:
Password expiry
#3 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
What I'd like to do is to automatically reset the password, it doesn't matter what it gets reset to since we don't really need to know it. I found chpasswd command that I could use on AIX/Linux, but it looks like it requires root. Is there anything available on AIX/Linux that will allow a regular user id to reset its own password other than changing it with passwd?
#4 (permalink)
Programming since 1BC
 
Join Date: Sep 2009
Location: Ontario
Posts: 929
If your intent is to automatically reset the password, and if you don't need to know it, then why not just change the maxage to 'never expires'.
#5 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
I wish I could just change it to never expire - violates ITCS104. But there is an exception on some servers and it's set to not expire - makes sense if login/rlogin is disabled.
#6 (permalink)
Programming since 1BC
 
Join Date: Sep 2009
Location: Ontario
Posts: 929
The chmod command has a -s option that allows the program/script to be executed as if it were run by the owner of the script rather than the login name of the user. If you were to do this, you should put the script in a directory that few people have access to.
#7 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
Do you mean I create a script using root and then set SUID/GUID? Something like this:

root@xxxxx
> chmod ug+s test

root@xxxxx
> ls -l test
-r-sr-s--- 1 root system 0 Nov 30 14:41 test


Do I put chpasswd command in the script and schedule it in crontab of my db2 user?
#8 (permalink)
Programming since 1BC
 
Join Date: Sep 2009
Location: Ontario
Posts: 929
Yes. (very guardedly). There should be very few members in the group that can execute this script.
Do you know if 'chpasswd' takes its input from stdin or stderr? You can test this simply by creating a file with a password in it (twice if chpasswd asks twice) and running it as:
Code:
chpasswd <data
where data contains
Code:
abc123
abc123
If chpasswd does not use stdin then you have to write a script using expect.
Try this with a test account, or have two open sessions so that you can restore the password if the change works, or worse changes the password to something with a carriage return in it.
#9 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
I've never used chpasswd before, just read about it this morning here: Password maintenance

Looks like it takes its input from stdin.

I'll try it on some test server.

Thank you.
#10 (permalink)
Programming since 1BC
 
Join Date: Sep 2009
Location: Ontario
Posts: 929
What is the output of 'ls -l chkpasswd' and 'ls -l pwgen'?
#11 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
pwgen is not installed:


> ls -l /usr/bin/chpasswd
-r-x------ 1 root security 10228 Jun 11 18:14 /usr/bin/chpasswd


> which pwgen
no pwgen in /usr/bin /etc /usr/sbin /usr/ucb /usr/bin/X11 /sbin /usr/java14/jre/bin /usr/java14/bin
#12 (permalink)
Programming since 1BC
 
Join Date: Sep 2009
Location: Ontario
Posts: 929
Thanks, I'll do something with it over the weekend.
#13 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
The previous output is from AIX.

This one is from Linux:

# which chpasswd
/usr/sbin/chpasswd

# ls -l /usr/sbin/chpasswd
-rwxr-xr-x 1 root root 78872 Mar 3 2011 /usr/sbin/chpasswd
#14 (permalink)
∞∞∞∞∞∞
 
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 2,357
Thank you. Don't spend too much of your time...
#15 (permalink)
Programming since 1BC
 
Join Date: Sep 2009
Location: Ontario
Posts: 929
Try this:
Code:
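#!/bin/sh
# Set a random 8-character password for db2 and record it.
i=1
pw2=""
while [ "$i" -le 8 ]
do
        # One random byte from /dev/urandom, reduced to 0..73. This stands in
        # for the original `random 74`, which is not a standard command.
        p=$(od -An -N1 -tu1 /dev/urandom | tr -dc '0-9')
        p=$(expr "$p" % 74 + 48)        # ASCII 48..121
        # Skip backslash (92) and backquote (96)
        if [ "$p" -eq 92 ] || [ "$p" -eq 96 ]
        then
                p=$(expr "$p" + 1)
        fi
        # Convert the code to octal, then to the character itself
        pw1=$(printf '%o' "$p")
        pw1=$(printf "\\$pw1")
        pw2=$pw2$pw1
        i=$(expr "$i" + 1)
done
# Quote the password: it can contain ?, [ and ], which the shell would glob
echo "$pw2" >>/home/db2/currentpassword
echo "db2:$pw2" | chpasswd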
Add to root's cron jobs to run once per month.
Make sure that /home/db2/currentpassword is only readable by root and db2.