Question: Email warning of impending password expiration
Posted by ajt on Fri 3 Jun 2005 at 12:01
At work we are forced to expire the root password every 60 days. I would have root locked and sudo for everything, but to comply with SOX rules, IT has mandated this silly policy. The snag is we often don't log in, so when we need to, the password has expired and we can't become root. I just sudo to root, but not other staff - they reboot into single mode, and then set a new password...
I'm about to write a small bash script to look at the /etc/shadow file, work out when things will expire, and then send an email warning of the expiration. I'd run it as a daily cron job. This seems like an obvious admin tool; are there any packages for this already?
Thanks in advance.
Do you trust them when booting in single mode?
Ah. I see sense has been thrown out long ago ;^)
It's often important to be able to cope with such environments. It's sadly common that companies seem to "work" with management making decisions and handing orders down, when in fact a working system has the lowest level (down to laws of physics and causality) defining the rules and delegating their application "upwards".
I'm actually surprised there isn't already the option to do this. The closest thing I can see is the chage command supporting the ability to warn users for N days before their account will be locked.
I think a script would be fairly simple to write to do the job, and it looks like that's your best bet.
If the users aren't logging in for extended periods of time the warnings will be useless.
To be honest I'd question the policy itself, but I know there are times when I've been asked to enforce bogus rules, so I can understand that may be futile, or not an option.
I'd certainly be telling people not to reboot the machine to change their passwords though - that's just brutal.
Steve
-- Steve.org.uk
#!/usr/bin/perl -w
#
# passwd.expire.cron: sample expiry notification script for use as a cronjob
#
# Copyright 1999 by Ben Collins, complete rights granted
# for use, distribution, modification, etc.
#
# Usage:
# edit the listed options, including the actual email, then rename to
# /etc/cron.daily/passwd
#
# If your users don't have a valid login shell (ie. they are ftp or mail
# users only), they will need some other way to change their password
# (telnet will work since login will handle password aging, or a poppasswd
# program, if they are mail users).
#
use strict;

# should be same as /etc/adduser.conf
my $LOW_UID  = 1000;
my $HIGH_UID = 29999;

# this lets the MTA handle the domain,
# set it manually if you want. Make sure
# you also add the @ like "\@domain.com"
my $MAIL_DOM = "";

# Set the current day reference (days since the epoch, the unit /etc/shadow uses)
my $curdays = int(time() / (60 * 60 * 24));

# Now go through the list. Shadow fields: 0 name, 1 hash, 2 last change,
# 3 min days, 4 max days, 5 warn days, 6 inactive, 7 account expiry
open(SH, "< /etc/shadow") or die "cannot open /etc/shadow: $!";
while (<SH>) {
    chomp;
    my @shent = split(':', $_);
    # skip entries with no ageing information (empty last-change, max or warn field)
    next if grep { !defined($_) || $_ eq '' } @shent[2, 4, 5];
    my @userent = getpwnam($shent[0]);
    next unless @userent;
    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
        # only accounts with ageing enabled, and only once inside the warning window
        if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
            $shent[4] != -1 && $shent[4] != 0 &&
            $shent[5] != -1 && $shent[5] != 0) {
            my $daysleft = ($shent[2] + $shent[4]) - $curdays;
            my $days = ($daysleft == 1) ? "day" : "days";
            next if $daysleft < 0;   # already expired: a warning can't help any more
            open(MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}")
                or die "cannot run mail: $!";
            print MAIL <<EOF;
Your account will expire in $daysleft $days. Please change your password before
then or your account will expire.
EOF
            close(MAIL);
            # This makes sure we also get a list of almost expired users
            print "$shent[0]'s account will expire in $daysleft $days\n";
        }
    }
}
close(SH);
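The same /etc/shadow check in Python, as an added example that is not from the thread or from Ben Collins' script above: it parses shadow records, applies the ageing rules the Perl script relies on (empty fields, max 99999, locked hashes, lastchg 0), and keeps already-expired accounts in the report since that is the situation ajt describes. The sample records and the fixed "today" value are constructed; sending the mail is left to cron as in the script above.

```python
NO_EXPIRY = 99999  # shadow(5): a max-days value this large means "never expires"

def parse_shadow_line(line):
    """One /etc/shadow record as a dict; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        return None  # comment, blank or truncated line: not a record
    num = lambda s: int(s) if s.strip() else None
    return {"name": f[0], "hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
            "max": num(f[4]), "warn": num(f[5]), "inactive": num(f[6]), "expire": num(f[7])}

def days_left(entry, today):
    """Days until a change is forced (negative = already expired); None if ageing is off."""
    if entry["hash"].startswith(("!", "*")):
        return None  # locked or passwordless account: nothing to warn about
    if entry["lastchg"] is None or entry["max"] is None or entry["max"] >= NO_EXPIRY:
        return None  # ageing disabled: empty lastchg/max or max 99999
    if entry["lastchg"] == 0:
        return 0  # lastchg 0 forces a change at next login: treat as due now
    return entry["lastchg"] + entry["max"] - today

def expiring_accounts(lines, today, default_warn=7):
    """[(user, days_left)] for aged accounts inside their warning window. Expired
    accounts stay in (negative days): that is the case the thread complains about."""
    report = []
    for line in lines:
        entry = parse_shadow_line(line)
        left = days_left(entry, today) if entry else None
        if left is None:
            continue
        warn = entry["warn"] or default_warn  # empty or 0 warn field: report default
        if left <= warn:
            report.append((entry["name"], left))
    return report

# Constructed sample records (placeholder hashes, not real credentials); "today"
# is fixed at day 13000 since the epoch (Aug 2005) so the arithmetic is reproducible.
TODAY = 13000
SAMPLE = [
    "root:$6$salt$PLACEHOLDER:12990:0:60:7:::",      # 50 days left: quiet
    "alice:$6$salt$PLACEHOLDER:12945:0:60:7:::",     # 5 days left: warn
    "bob:$6$salt$PLACEHOLDER:12930:0:60:7:::",       # expired 10 days ago: warn
    "carol:$6$salt$PLACEHOLDER:12900:0:99999:7:::",  # max 99999: never expires
    "daemon:*:12000:0:99999:7:::",                   # no password: skipped
    "dave:!$6$salt$PLACEHOLDER:12945:0:60:7:::",     # locked (passwd -l): skipped
    "frank:$6$salt$PLACEHOLDER:0:0:60:7:::",         # must change at next login
    "grace:$6$salt$PLACEHOLDER:12990:0:14:::",       # 4 days left, empty warn field
    "# not a record",
]
print(expiring_accounts(SAMPLE, TODAY))  # [('alice', 5), ('bob', -10), ('frank', 0), ('grace', 4)]
```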
http://asenjo.nl/natxete/checkpasswd
The script does not seem to be at http://asenjo.nl/natxete/checkpasswd any longer.
Could you please tell me where I could get a copy?
thanks!
Rob
I am looking for this script too, maybe somebody can post it here.
Thanks,
--
Gerald
holl.co.at