Password problem

Status
Not open for further replies.

shoux

Technical User
Nov 9, 2000
83
MY

Hi expert,

At present, I'm having a password problem. The problem is that when users log in with their ID and password, an invalid login name and password message is shown. This happens when users did not change the password when the password expired. For your info, in my environment, users are not allowed to access the smit menu and the AIX prompt. However, I have created a script for them to change the password, but the script does not force them to change it when it has expired.
As a temporary solution, I have to change their password to a default (login user1 pass: user1) so that they can change it to a new one.

Is there any better solution to urge them to change their password when the password will expire soon? For instance, one week before expiry, when the users log in with the ID, the system will automatically urge them to change to a new password.

Thank you in advance, your assistance will be a great help for me

Regards
Rosli


 
You can set the number of days a warning message is sent to a user before password expiry through smit.

I presume that you have access to smit, even if the users don't ;-)

Cheers.
Dave V.
 
Hi Dave!

Yes, I have set up the warning message through smit. In fact, all users follow the default setup. Below is the current setup:

pwdwarntime = 8


Thank you

Regards
Shoux
 
There is an option in SMIT to warn the user X days before their passwd expires. Look at:

security & users > passwords > change / show passwd attributes for a user

crowe
 

Hi crowe,
Yes, I have set up the warning message in the user password profile (/etc/security/passwd).
What I meant is, is there any other facility to URGE users to change their password immediately after the grace period? For example, when users log in with the ID and password, the system will automatically prompt the message below legibly for the users’ better understanding:

login : user1
user1 password : *****
your password has been expired too long. please change with new password
user1 old password : *****
user1 new password : *****

Can this be done by script? If anyone has any solution, please forward it to me SOONEST as the password problem/error is quite critical at the moment.

Thanking you in advance.

Kind regards
SHOUX


 
I can think of ways to script this but it's not a particularly neat solution. As userids can be expired on a certain date, instead of worrying about the passwords why not write a script (placed in .profile) that will check the date of expiration - once it gets to 5 days (or whatever) before expiry date run the passwd command and then (crucially) update the relevant entries in order to set a new expiration date.

Just an idea.

Cheers
Dave V.
 
Hi dave

Thank you for this great idea. I found it helpful, but is it possible for you to implement it in scripts? I need your guidance as I am not an expert in scripting myself. For instance, something like the message that I have posted earlier.

I really appreciate your assistance.

Other experts, you are welcome to help solve this problem.


Regards
Shoux 26/9/01
 
Actually writing the script may take me a day or two as I'll have to do it when I get a spare moment, but this is the thinking (and a few notes):

1. This won't work if you use NIS as the chuser command should not be used in conjunction with NIS.
2. The script needs to run as root (SUID it).
3. The script should be called from .profile to run whenever the user logs in.

#!/usr/bin/ksh
# Get expiry date of account from /etc/security/user
# The format is MMDDhhmmYY (month, day, hour, minute, year).
# Records in this file are separated by a blank line.
# The field required is "expires = MMDDhhmmYY" and then
# chop out the date and disassemble it into its
# constituent parts.

# Get today's date and compare against the expiry date.
# This is quite a chore as you need to account for month ends,
# year ends and leap years.

# If the difference is 7 days or less then run passwd command,
# update /etc/security/user with new expiry date and then exit.
# ...else exit.


As you can see this is not the easiest of scripts to write and I wonder if anyone else has a better, neater solution?

All the same, I'll try and set some time aside to write it out and test it.

Cheers,
Dave V.
 
Forget all that about leap years and stuff - just add a few months to the expiry date!

I've not finished yet but here's the code to recalculate the expiry date - I'll try and finish it off tomorrow:

#!/usr/bin/ksh
USER=$LOGIN
FILE="/etc/security/user"
# anchor on the stanza header so "bob" does not also match "bobby"
patternMatch="/^$USER:/,/expires/p"

# get expiry date of account (MMDDhhmmYY)
expiry=$( sed -n "$patternMatch" "$FILE" | tail -1 | awk '{print $3}' )
user_expiry_month=$( echo "$expiry" | cut -c1,2 )
user_expiry_main=$( echo "$expiry" | cut -c3-8 )
user_expiry_year=$( echo "$expiry" | cut -c9,10 )

# strip a leading zero so 08 and 09 are not read as octal
user_expiry_month=${user_expiry_month#0}
user_expiry_year=${user_expiry_year#0}

# add 3 months to the expiry date.
# if month greater than 12 then add 1 to year.
user_expiry_month=$(( $user_expiry_month + 3 ))
if [ "$user_expiry_month" -gt 12 ]
then
    user_expiry_month=$(( $user_expiry_month - 12 ))
    user_expiry_year=$(( ($user_expiry_year + 1) % 100 ))
fi

# pad month and year back to two digits in every case
user_expiry_month=$( printf "%02d" "$user_expiry_month" )
user_expiry_year=$( printf "%02d" "$user_expiry_year" )

# print current expiry date
echo "Current expiry date: $expiry"

# print new expiry date
echo "New expiry date: ${user_expiry_month}${user_expiry_main}${user_expiry_year}"




I'll aim to finish it all off tomorrow. You'll need to run this as root. Check it out :)
 
Well here it is - place this script somewhere, suid root and run it from the .profile in the users home directory. Definitely a good idea to place a trap command in the script as well to ensure that users don't try to use <CTRL-C> or similar to get a [root]-shell ;-) Try something like 'trap " " 1 3 15' after the variable assignments.


#!/usr/bin/ksh
# set constants and variables
USER=$LOGIN
FILE="/etc/security/user"
# anchor on the stanza header so "bob" does not also match "bobby"
patternMatch="/^$USER:/,/expires/p"

# get expiry date of account (MMDDhhmmYY)
expiry=$( sed -n "$patternMatch" "$FILE" | tail -1 | awk '{print $3}' )
user_expiry_month=$( echo "$expiry" | cut -c1,2 )
user_expiry_main=$( echo "$expiry" | cut -c3-8 )
user_expiry_year=$( echo "$expiry" | cut -c9,10 )

# strip a leading zero so 08 and 09 are not read as octal
user_expiry_month=${user_expiry_month#0}
user_expiry_year=${user_expiry_year#0}

current_expiry_month=$user_expiry_month
current_expiry_day=$( echo "$expiry" | cut -c3,4 )
current_expiry_day=${current_expiry_day#0}

# add 3 months to the expiry date.
# if month greater than 12 then add 1 to year.
user_expiry_month=$(( $user_expiry_month + 3 ))
if [ "$user_expiry_month" -gt 12 ]
then
    user_expiry_month=$(( $user_expiry_month - 12 ))
    user_expiry_year=$(( ($user_expiry_year + 1) % 100 ))
fi

# store the new expiry date, zero-padded back to MMDDhhmmYY
new_expiry_date=$( printf "%02d%s%02d" "$user_expiry_month" "$user_expiry_main" "$user_expiry_year" )

# check the expiry month and day
# against current month and day
current_month=$( date +%m )
current_day=$( date +%d )
current_month=${current_month#0}
current_day=${current_day#0}

if [ "$current_month" -eq "$current_expiry_month" ]
then
    days_to_go=$(( $current_expiry_day - $current_day ))
    if [ "$days_to_go" -lt 7 ] && [ "$days_to_go" -gt 0 ]
    then
        tput clear
        echo "YOU MUST CHANGE YOUR PASSWD\n"
        # run the passwd command - uncomment next line
        # passwd
        # update users expiry date (chuser takes attribute=value)
        chuser "expires=$new_expiry_date" "$USER"
    fi
fi
# END OF SCRIPT

I have to add as well - TEST IT BEFORE USING IT !!!!

I've done some basic testing and it seems OK, but I don't accept any responsibility for its use! Try it somewhere safe first!

Hope it helps.
Dave V.
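
An added example, not part of the post above or of anyone's code in this thread: it looks up the expires attribute by exact stanza name and counts the days left across month ends, year ends and leap years, the comparison the earlier outline calls a chore. The function names and the sample stanzas are constructed for illustration, and it assumes the two-digit year yy means 20yy.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Read-only, needs no root.
# Print attribute $3 from the stanza whose name is exactly $2 in file $1.
stanza_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[A-Za-z0-9_.-]+:$/ { sub(/:$/, ""); in_stanza = ($0 == user); next }
        in_stanza && $1 == attr && $2 == "=" { print $3; exit }
    ' "$1"
}

# Days since 1970-01-01 for a Gregorian date given as: year month day.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # count each year from 1 March
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Days from today ($2, YYYYMMDD) to an "expires" value ($1, MMDDhhmmyy).
# Prints "never" for 0; returns 1 if malformed. Assumption: yy means 20yy.
days_until_expiry() {
    exp=$1; today=$2
    if [ "$exp" = 0 ]; then echo never; return 0; fi
    case $exp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=${exp%????????}; dd=${exp#??}; dd=${dd%??????}; yy=${exp#????????}
    ty=${today%????}; tm=${today#????}; tm=${tm%??}; td=${today#??????}
    # ${x#0} drops a leading zero so "08" is not read as octal
    e=$(days_from_civil $((2000 + ${yy#0})) "${mm#0}" "${dd#0}")
    t=$(days_from_civil "$ty" "${tm#0}" "${td#0}")
    echo $((e - t))
}

# Constructed sample in /etc/security/user layout; "bob" is a prefix of "bobby".
sample=$(mktemp)
cat > "$sample" <<'EOF'
bob:
    expires = 0

bobby:
    expires = 1002000001
EOF
for u in bob bobby; do
    echo "$u: $(days_until_expiry "$(stanza_attr "$sample" "$u" expires)" 20010926)"
done
rm -f "$sample"
```

A negative result means the date has already passed.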
 

Hi Dave,

Again, thanks for your great help. I will test the scripts and let you know the status later.

Regards,
Shoux 28/9/01
 
I think you only need to set the maxexpired attribute for users to any value other than -1.

Try man /etc/security/user
I hope it works...
Unix was made by and for smart people.
 