Scripting help please

[siulong2002]

Hi,

We have ftp running from our solaris box and where in the process of migrating users off this box onto another box. In the process we want change the password to a generic one for the accounts we want to disable at a later date. Does anyone know of a script that can achieve this? Basically it would need to go through a list of accounts and set them with the same password.

Thanks

 

[Annihilannic]

Set the password of one of the accounts, and then take a note of the encrypted password from /etc/shadow (the second field). For example I have used "abcdefghi".

Store the list of users in a file, I have called it users.

Then you can use this script to update /etc/shadow:

awk 'BEGIN { FS=OFS=":" } FNR==NR { users[$1]; next } $1 in users { $2="abcdefghi" } 1' users /etc/shadow > /etc/shadow.new

You may want to diff /etc/shadow /etc/shadow.new before replacing the original file just to make sure nothing unexpected has been updated.

Annihilannic.

 

[siulong2002]

Thank you very much for your response!

I will give it a try and report back.

You just saved me hours of work!!

 

[siulong2002]

I have another question in regards to this please.
I need to do some form of comparison on the existing accounts. I basically want to filter out accounts that haven't been accessed for 90 days..

Is this possible?

Thanks again.

 

[Annihilannic]

That's not as simple because the last login date information isn't stored in those files, nor any other file where it is convenient to access.

You can use the last command to get a list of the most recent logins and manually chop off the entries older than 90 days. Then you can use that list of usernames as a filter.

Annihilannic.

 

[SamBones]

I wrote a little utility a while back to tell me users that have never logged on. It uses the string "Never logged in" reported by the "[tt]finger[/tt]" command.

#!/bin/ksh

sed 's/:.*$//g' /etc/passwd | while read USER
do

    (( $(finger ${USER}|grep ^Never|wc -l) )) && print "${USER} has never logged in."

done

I guess you could change it to look for the last login time and calculate from there.

Just be aware that if you happen to reset your [tt]/var/adm/lastlog[/tt] or [tt]/var/adm/utmpx[/tt] files, everyone will be reported as never having logged in. It's one or both of these files that [tt]finger[/tt] gets the last login date from.

 

[SamBones]

This would get you people that have logged on this year...

last | sed -n '1,/Dec 31 /s/ .*$//gp' | sort | uniq

It's just scanning the "last" output for everything up until the first occurance of "Dec 31", so it's not perfect, but will get you close to what you want.

 

[siulong2002]

Thanks guys!
You've given me good ground to start from!

Thanks again.

 

[siulong2002]

Hi Annihilannic - I ran the script which you put up and although it didn't error i can't see that its done anything. Are you able to explain what each part of the script does and or what file i should be seeing changes in?

Thanks and sorry to be a pain

 

[SamBones]

Make sure you change the string "abcdefghi" to a properly encrypted password. For example, if you changed it to "IZ3BV8HMbEyJ6", their password would end up being "changeme".

Also, Anni's script creates a file called shadow.new. You need to put it into place. It needs to replace your "/etc/shadow" file.

You should check it very well first, though. Any mistakes in this file could make it impossible to log into your machine.

 

[siulong2002]

Great!
Thanks for the response SamBones