
KSH Script that locks user accounts after 30 Days

Status
Not open for further replies.

jpor

Technical User
Nov 29, 2000
212
GB
Does anyone have a KSH script that will lock a user's account if it's not been used for >= 30 days?
 
Why not just set the password expiration to 4 or 6 weeks, with a warning a week ahead. If the person doesn't change the password, the account will automatically lock.
 
Assuming that you have perl on your system, this would do the trick. You would probably want to enhance it to ignore certain users such as perhaps root et al.

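#!/bin/ksh

# Current time in seconds since the epoch
current_time=$(perl -e 'print time (),"\n";')

# Cutoff: 30 days (2592000 seconds) before now
let expired_time=current_time-2592000

# Walk every account name listed in /etc/passwd
awk -F: '{print $1}' /etc/passwd|while read records
do

# Last login time in epoch seconds; empty if the user has never logged in
last_login_time=$(lsuser -a time_last_login "$records"|awk -F= '{print $2}')

if [[ "$last_login_time" = "" || $last_login_time -lt $expired_time ]]
then

# Lock accounts that were never used or not used since the cutoff
chuser account_locked=true "$records"

fi

done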
 
There is an option already available while creating the user, which will expire the account if not logged in for so many days.
 
I have had a look at smit chuser and the only thing I can see about Expiration are these 2:

EXPIRATION date (MMDDhhmmyy) [0]

Weeks between password EXPIRATION and LOCKOUT [0]


Can you elaborate, KKVINJAM, on where you have seen this option?

What I would ideally like to use is a method where a user has moved department or the company and where the login has not been used for a certain period of time, i.e. 30 days, as no one where I work likes to tell us these things.
 
Check this thread: thread52-569350
 
The syntax you would use is:

chuser maxage=4 <username>

The user will have to change the password after four weeks.

 
Bi. Thanks for the tips. But I already have our user base set-up to change passwords on a 4 weekly basis. And in my experience when someone logs in as that user it will just ask for a new password before asking what the old one was. Correct me if I'm wrong there.

The company I work for is expecting a 3rd party security audit soon and one way I want to tighten the security is to stop others using the logins of people who have left.
 
The maxage option, as you know, forces your users to change passwords after 4 weeks and indeed will ask them to change their password next time they log in. If you also set the maxexpired option to 4, then 4 weeks after the password expires the user will no longer be able to log in and change their password. When they attempt to log in, they will get a message telling them that their account is inaccessible and to get it reset by a system administrator.

If using this do consider that it will not lock an account that has not been used for 28 days, only an account that has not been used for 28 days since password expiry. If the person changed their password immediately before leaving it will be 8 weeks before the account locks.

The account expiry option won't help you; its main use is to lock an account on a known date, e.g. a college might have an academic year of October to June and want to lock all student accounts after the year ends and so set an expiration date when creating the users.

Using a script like the one I suggested would explicitly lock accounts unused for 30 days and also it is very easy to get a list of locked accounts just by processing the /etc/passwd file and checking the account_locked flag from lsuser.

Dave
 
Thanks DSN1. Will have a look at your script.
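
A dry-run variant of the approach discussed in this thread, as an added example that is not from any of the posters: it reads lines in the "name time_last_login=<epoch>" shape that the posted script parses from lsuser, skips an exemption list, and reports never-logged-in accounts separately instead of locking anything. The function names, the SKIP_USERS list and the sample input are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: report which accounts WOULD be locked; nothing is modified.
# Works in ksh, bash and POSIX sh. Input is read from stdin so the logic can
# be checked offline before it is wired to lsuser/chuser on a real host.

# Hypothetical exemption list: accounts that must never be auto-locked.
SKIP_USERS="root daemon bin sys adm"

# stale_accounts NOW_EPOCH MAX_DAYS
# Prints "user reason" for each non-exempt account idle longer than MAX_DAYS.
stale_accounts() {
    awk -v now="$1" -v days="$2" -v skip="$SKIP_USERS" '
    BEGIN {
        cutoff = now - days * 86400
        n = split(skip, s, " ")
        for (i = 1; i <= n; i++) exempt[s[i]] = 1
    }
    {
        user = $1
        if (user in exempt) next
        last = ""
        # Accept only a purely numeric value; anything else counts as unset.
        for (i = 2; i <= NF; i++)
            if ($i ~ /^time_last_login=[0-9]+$/) { split($i, kv, "="); last = kv[2] }
        if (last == "")
            print user, "never_logged_in"      # review by hand: may be a new account
        else if (last + 0 < cutoff)
            print user, "idle_" int((now - last) / 86400) "_days"
    }'
}

# Constructed sample input (not real accounts), for now=1700000000.
sample_lsuser_output() {
    cat <<'EOF'
root time_last_login=1600000000
alice time_last_login=1699900000
bob time_last_login=1690000000
carol
EOF
}

# On AIX the report would be fed like this (review it before locking anyone):
#   lsuser -a time_last_login ALL | stale_accounts "$(perl -e 'print time')" 30
```

Only after the report looks right would each listed name be passed to chuser account_locked=true, as in the script posted above.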
 