
Expiring AIX passwords

Status
Not open for further replies.

teqmem

Programmer
Nov 26, 2004
We're mandated to enable password aging on our AIX servers (4.3.3, 5.2). Since a lot of other organizations send us data via FTP, we have a bunch of FTP only accounts. This means that these people can't telnet and change their own passwords.

Before I enable password aging, I'd like to develop something that notifies an administrator (like me) that the passwords for these FTP-only people are expiring and thus need to be reset so the new passwords can be relayed to the users.

Does anyone know where to look to find if passwords are about to expire? The 'lsuser' doesn't seem to have such information.

Thank you in advance.
 
Hi, if you enter the expiration date for a user, you can get the value using the "lsuser" command (i.e. lsuser -f username) under the "expires" field. User parameters are also found in /etc/security/user. I'm sure you can develop a script that will check the value of the "expires" field for all the ftp users and compare them to the current date.
 
The date is epoch time that you will need to convert to real dates. Or you can choose not to expire the ftp logins only.
 
rencep,

From what I see, the field 'expires' indicates when the system account will expire. I just want to know when the current password will expire so it can be reset.
 
Latest:

If password aging (the minage attribute or the maxage attribute) is in effect, the lastupdate attribute forces a password change when the time limit expires.
 
If you enable anonymous access with 'write only' access they will not need a password because they can leave their email address as a password (for logging / storage wasting purposes) but won't actually have "access" to anything (read) that would require a password.
Which will save you a whole load of time telling them that their password is about to run out.
 
Duke,

Unfortunately, I can't enable anonymous ftp for several reasons. Among them are:
-A DOD site must not allow anonymous ftp
-The ftp users send different types of data, thus the files must be segregated from the start. Telling people to dump their files in this directory or that one wouldn't be reliable.
 
You can get the timestamp for the last change with:
pwdadm -q username

And get the current timestamp in seconds since epoch:
perl -e 'print time()'

And if the difference is greater than whatever your password policy says then you reset the password.
 
You'll probably want to change the output format, or better yet add logic to print only users that are close to expiring, but this should give you a good enough starting place.

Code:
lsuser -a maxage ALL | perl -ne '
if (/(\S+) maxage=(\d+)/)
{
$user=$1;
$maxage=$2;            # maxage is in weeks
# the following is a single line up to the semicolon
$lastupdate = `lssec -f /etc/security/passwd -c -s $user -a lastupdate | tail -1`;
$lastupdate =~ s/$user://;   # strip the "user:" prefix, leaving the epoch seconds
$expires=$lastupdate + ($maxage * 7 * 24 * 3600);
printf ("%8s: updated: %s expires: %s\n",
   $user,
   scalar localtime $lastupdate,
   scalar localtime $expires)
   if ($lastupdate > 0);   # skip accounts with no lastupdate (never set a password)
}
' | more

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
I whipped something up this morning and below is what I got. I tested it and it worked.

# -------------------------------------------------
#!/bin/ksh
# -- find which passwords are about to expire. must run script as 'root'.
# Wed Dec 15 10:13:37 HST 2004

secsperday=86400

warnahead=2 # warn about 2 weeks before actual expiration
maxage=12 # 12 weeks of maxage

numMaxage=`expr $maxage \* 7 \* $secsperday`
numWarnahead=`expr $warnahead \* 7 \* $secsperday`

# -- Need to figure # of seconds since 01/01/1970
jdate=`date +%j`
curyr=`date +%Y`
numyrs=`expr $curyr - 1970`
leaps=`expr \( $curyr - 1968 \) \/ 4`
isleap=`expr $curyr \% 4`
if [ ${isleap} -eq 0 ]; then
    days=`expr \( $numyrs \* 365 \) + \( $leaps - 1 \) + $jdate`
else
    # the '*' must be escaped, or the shell expands it as a glob
    days=`expr \( $numyrs \* 365 \) + $leaps + $jdate`
fi
# -- Secs is = to elapsed seconds between 1/1/1970 and 11:59pm today
numSince1970=`expr $days \* $secsperday`
echo "numSince1970=$numSince1970"

# -- find those users which are not locked
list=`lsuser -a account_locked ALL | grep false | sed -e 's/ .*$//'`

for user in $list; do
    echo "$user"
    # -- 'pwdadm -q' prints "lastupdate = <epoch seconds>"; keep only the number
    lastupd=`pwdadm -q $user | grep 'lastupdate' | sed -e 's/^.*= //'`
    if [ "$lastupd" = "" ]; then
        continue;
    fi

    # -- moment at which we want to start warning: expiry minus the warn window
    numSched=`expr $lastupd + $numMaxage - $numWarnahead`

    if [ $numSched -lt $numSince1970 ]; then
        echo " ***Need to reset password for $user"
        # -- notify administrator
        # ...
    fi
done
# -------------------------------------------------
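The same expiry arithmetic as Rod's Perl one-liner and the ksh script above, as an added example that is not code from any post in this thread: expiry = lastupdate + maxage weeks, with a warning window, and maxage=0 treated as "aging disabled". It uses `date +%s`-style epoch seconds and replaces the AIX commands with constructed stand-ins (fake_lsuser, fake_pwdadm) so it runs anywhere; on AIX those two functions would wrap `lsuser -a maxage ALL` and `pwdadm -q USER`.

```shell
#!/bin/sh
# Added example: classify AIX accounts by password-expiry state.
# Inputs come from lsuser (maxage, in weeks) and pwdadm -q (lastupdate, epoch).
SECS_PER_WEEK=604800

# expiry_epoch LASTUPDATE MAXAGE_WEEKS -> epoch of expiry, or "never" when maxage=0
expiry_epoch() {
    if [ "$2" -eq 0 ]; then echo never; else echo $(( $1 + $2 * SECS_PER_WEEK )); fi
}

# pw_status LASTUPDATE MAXAGE_WEEKS WARN_WEEKS NOW -> NOAGING | EXPIRED | WARN | OK
pw_status() {
    pw_exp=$(expiry_epoch "$1" "$2")
    if [ "$pw_exp" = never ]; then echo NOAGING
    elif [ "$pw_exp" -le "$4" ]; then echo EXPIRED
    elif [ $(( pw_exp - $3 * SECS_PER_WEEK )) -le "$4" ]; then echo WARN
    else echo OK; fi
}

# parse_lastupdate: pull the number out of "pwdadm -q" style output on stdin
parse_lastupdate() {
    sed -n 's/^[[:space:]]*lastupdate[[:space:]]*=[[:space:]]*//p'
}

# Constructed stand-ins for the AIX commands (hypothetical users and values).
fake_lsuser() {
    printf '%s\n' 'ftpacme maxage=12' 'ftpbeta maxage=12' 'ftpgamma maxage=0'
}
fake_pwdadm() {
    case "$1" in
        ftpbeta) printf '%s:\n        lastupdate = 1106000000\n' "$1" ;;
        *)       printf '%s:\n        lastupdate = 1100000000\n' "$1" ;;
    esac
}

# report WARN_WEEKS NOW: one line per account that is expired or inside the window
report() {
    fake_lsuser | while read -r user rest; do
        maxage=${rest#maxage=}
        last=$(fake_pwdadm "$user" | parse_lastupdate)
        st=$(pw_status "$last" "$maxage" "$1" "$2")
        case "$st" in
            WARN|EXPIRED) printf '%-8s %-7s expires at %s\n' "$user" "$st" \
                              "$(expiry_epoch "$last" "$maxage")" ;;
        esac
    done
}

report 2 1107000000   # warn 2 weeks ahead, "now" is a constructed epoch value
```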
 