password changer script

vti

Technical User
Feb 26, 2001

Hi,
I need a script to change users' passwords every 30 days by using the passwd command, because I don't want to migrate to Enhanced Sec.

I already wrote one, but it only works at specific times, like every 20th day of the month. It's not so useful, because if a user is on holiday the script won't work and the user is going to miss the password changing time. But I want a script which, when a user logs in, looks at the login time of the user, and if the user tries to log in the 30th time, has the user change their password using the passwd command in the script.
I hope it's clear.

Thanks for any help.

 
Probably easier to use a C program for this simply because
the time facilities are easier to manage.
I would use a time data file with a start date and then
run the program from cron or the users profile.
Here's a hint;
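#include <stdio.h>
#include <time.h>

#define day 86400      /* seconds in one day */
#define month 2592000  /* seconds in 30 days */

void addDay(long trans);

int main(void) {
    time_t mytime;

    time(&mytime);           /* current time as seconds since the epoch */
    addDay((long)mytime);
    return 0;
}

void addDay(long trans) {
    time_t t;

    trans = trans + day;
    t = (time_t)trans;       /* ctime() needs the address of a real time_t object */
    printf("%ld and date %s\n", trans, ctime(&t));
}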

Have you checked your passwd docs? Easier than rebuilding
the wheel..
Password expiry information
The password aging information may be changed by the super
user with the -x, -n, -w, and -i options. The -x option
is used to set the maximum number of days a password
remains valid. After max days, the password is required
to be changed. The -n option is used to set the minimum
number of days before a password may be changed. The user
will not be permitted to change the password until min
days have elapsed. The -w option is used to set the number
of days of warning the user will receive before their
password will expire. The warning occurs warn days before
the expiration, telling the user how many days until the
password is set to expire. The -i option is used to disable
an account after the password has been expired for a
number of days. After a user account has had an expired
password for inact days, the user may no longer sign on to
the account.

 
Hi, thanks for the help, but I don't know how to use a C program in a script. Do I just need to copy and run the script? If it is like that, I got an error message
which says "syntax error at line 7: `(' unexpected"

That information you posted about password expiry works with Enhanced Security. But I don't use that.


 
Vti,
No, you need to compile a c program.

You are asking for a solution to a problem that
an enhanced model was devised to fix by much better
programmers than I.
FWIW:
I don't believe this can be done well without some
C coding.
The record keeping of users, logins and relative
password ages alone is a lengthy project.

Doing a standalone program as I hinted at above,
that accepts a start date and calculates a deadline
shouldn't be that tough.

Interacting with the users and forcing them to
change their passwords while tracking the relative
dates is too much work for casual coding.
Let me know what you have for resources (languages) and interfaces (database or flat files, platform) and I
can give you a better opinion.
 
Hi marsd,
Thanks for your interest.
I am sending you a script which I wrote and am currently using for users. It's not a perfect one, but it was a quick solution.
I don't know a lot about C programming but have some knowledge of shell scripting, but I can guess C would give me a better result. And about the database, I am able to find platforms on Tru64 depending on your ideas.

My script is like:

# Day of month (e.g. 20) and day+month tag (e.g. 20Feb)
today=`date +"%d"`
date=`date +"%d%h"`

if test "$today" = "20"
then
    # Has this user already changed the password today?
    # ">" rather than ">>", so a match left over from an earlier month is not kept
    grep "$USER.$date" "$HOME/$USER.history" > "$HOME/$USER.history."
    if test -s "$HOME/$USER.history."
    then
        exit
    else
        clear
        echo "###################################################################"
        echo "Some informations for users"
        echo "###################################################################"
        echo "Press enter to continue.."
        read a
        # Run passwd and capture its messages for the checks below
        passwd "$USER" > "$HOME/$USER.out"
        read out < "$HOME/$USER.out"
        # Ignore interrupt, quit, trap and terminate signals from here on
        trap "" 2 3 5 15
        grep unchanged "$HOME/$USER.out" > "$HOME/$USER.unchanged"
        grep 'Sorry.' "$HOME/$USER.out" > "$HOME/$USER.Sorry"

        # New password rejected: start over
        if test -s "$HOME/$USER.unchanged"
        then
            echo "You entered wrong new password !!! try again."
            sleep 2
            /usr/users/test/startofprofile
        fi

        # Old password wrong: start over
        if test -s "$HOME/$USER.Sorry"
        then
            echo "You entered wrong old password !!! try again."
            sleep 2
            /usr/users/test/startofprofile
        fi
    fi
    # Record that the change was done for this date
    echo "$USER.$date" >> "$HOME/$USER.history"
    echo "Password Changed...."
    sleep 3
fi

 
Yeah, I see what you are trying to do, and I applaud
your efforts but it is pretty trivial to break this.

If you have plaintext passwords in /etc/passwd and
only know scripting languages but have a full DB like
BDB or better yet for this: metakit, then it is possible
to write something in tcl/perl/awk that could do the
job.
OTOH: C would be perfect for this, but I don't
know the Tru64 C specifics.

FWIW here is my idea:

1) Create a master database containing
field1=user,field2=passwd,field3=startdate,field4=restrictdate,
field5=flag.

2) Write a parser for utmp/wtmp or just use who to get
a list of users on system. Either integrate this in
your script by setting up an event loop or decide to call the script through cron.

3) Foreach user currently on system get current epoch time
and add the difference to the startdate, if the startdate
is greater than restrictdate - critical period(say a week)
and the new and old passwd's are the same then send the
user a warning and set the flag. If the user is breaking
the rules lock them out. If the user has changed their
password update the database, renew the start and end
dates.

Personally I would arrange for this procedure to start
during init sometime, and then daemonize, waking up every
half-hour or so to run a check, then sleep again.

 