Question: Email warning of impending password expiration

Posted by ajt on Fri 3 Jun 2005 at 12:01

At work we are forced to expire the root password every 60 days. I would have root locked and sudo for everything, but to comply with SOX rules IT had mandated this silly policy. The snag is we often don't login, so when we need to, the password has expired and we can't become root. I just sudo to root, but not other staff - they reboot into single mode, and then set a new password...

I'm about to write a small bash script to look at the /etc/shadow file, work out when things will expire, and then send an email warning of the expiration. I'd run it daily as a cron job. This seems like an obvious admin tool; are there any packages for this already?

Thanks in advance.
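
As an added example (not code from this thread or from any of its posters), here is a small Python version of the check ajt describes: it parses the shadow(5) fields, computes the days left until a password expires, and reports every account inside its warn window. It goes a bit beyond the Perl script posted further down in the thread: it does not filter by UID (so root is covered, which is the case here), it reports already-expired passwords as negative days, and it skips locked (`!`/`*`) and non-ageing entries. The shadow content below is constructed with fake hashes; treating an empty warn field as `default_warn` is this example's own assumption.

```python
import time

# Constructed sample /etc/shadow content (fake hashes); fields per shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, days since 1970-01-01.
SAMPLE_SHADOW = """\
root:$1$abc$fakehash:12869:0:60:7:::
adam:$1$def$fakehash:12900:0:60:7:::
old:$1$mno$fakehash:12800:0:60:7:::
svc:*:12000:0:99999:7:::
locked:!$1$ghi$fakehash:12800:0:60:7:::
nomax:$1$jkl$fakehash:12800::::::
"""

NEVER = 99999  # conventional "password never expires" max value

def _num(field):
    """Empty numeric shadow fields are legal and mean 'unset'."""
    return int(field) if field != "" else None

def parse_shadow(text):
    """Yield (user, hash, lastchg, max, warn) for each entry in shadow text."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]   # tolerate short lines
        yield f[0], f[1], _num(f[2]), _num(f[4]), _num(f[5])

def expiring_accounts(text, today, default_warn=7):
    """Return {user: days_left} for accounts inside their warn window or already
    expired (negative days_left). Locked and non-ageing entries are skipped.
    default_warn is used when the warn field is empty (this example's assumption)."""
    out = {}
    for user, pw, lastchg, maxd, warn in parse_shadow(text):
        if not pw or pw[0] in "!*":            # locked or no usable password
            continue
        if lastchg is None or maxd is None or maxd in (0, -1, NEVER):
            continue                           # ageing disabled for this entry
        days_left = lastchg + maxd - today
        if days_left <= (default_warn if warn is None else warn):
            out[user] = days_left
    return out

if __name__ == "__main__":
    today = int(time.time() // 86400)         # same day count /etc/shadow uses
    for user, left in sorted(expiring_accounts(open("/etc/shadow").read(), today).items()):
        print(user, "EXPIRED %d days ago" % -left if left < 0 else "expires in %d days" % left)
```

Run it as root from cron and pipe the output to mail; with the sample above and day 12925 it reports root (4 days left) and old (expired 65 days ago).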

Posted by Serge (213.119.xx.xx) on Fri 3 Jun 2005 at 20:54
Other staff is stupid? Educate other staff?


Do you trust them when booting in single mode?

Posted by ajt (82.133.xx.xx) on Fri 3 Jun 2005 at 21:22
Have tried, but policy comes before logic... Bringing a production SAP system offline to reboot into single mode, just to reset root password is insane - I know, but I'm not in charge!

--
Adam

Posted by Anonymous (130.231.xx.xx) on Thu 9 Jun 2005 at 11:47
..."production SAP system"...

Ah. I see sense has been thrown out long ago ;^)

It's often important to be able to cope with such environments. It's sadly common that companies seem to "work" with management making decisions and handing orders down, when in fact a working system has the lowest level (down to laws of physics and causality) defining the rules and delegating their application "upwards".

Posted by Steve (82.41.xx.xx) on Sat 4 Jun 2005 at 12:06
I'm actually surprised there isn't already the option to do this. The closest thing I can see is the chage command supporting the ability to warn users for N days before their account will be locked.

I think a script would be fairly simple to write to do the job, and it looks like that's your best bet.

If the users aren't logging in for extended periods of time the warnings will be useless.

To be honest I'd question the policy itself, but I know there are times when I've been asked to enforce bogus rules, so I can understand that may be futile, or not an option.

I'd certainly be telling people not to reboot the machine to change their passwords though - that's just brutal.

Steve
-- Steve.org.uk

Posted by Anonymous (80.55.xx.xx) on Sun 5 Jun 2005 at 11:29
hint: passwd -S root

regards, LiNiO

Posted by Anonymous (80.126.xx.xx) on Sun 5 Jun 2005 at 18:02
A long time ago I had the same problem and then found this out, never looked back:


#!/usr/bin/perl -w
#
# passwd.expire.cron: sample expiry notification script for use as a cronjob
#
# Copyright 1999 by Ben Collins , complete rights granted
# for use, distribution, modification, etc.
#
# Usage:
# edit the listed options, including the actual email, then rename to
# /etc/cron.daily/passwd
#
# If your users don't have a valid login shell (ie. they are ftp or mail
# users only), they will need some other way to change their password
# (telnet will work since login will handle password aging, or a poppasswd
# program, if they are mail users).

# <config> #

# should be same as /etc/adduser.conf
$LOW_UID=1000;
$HIGH_UID=29999;

# this lets the MTA handle the domain,
# set it manually if you want. Make sure
# you also add the @ like "\@domain.com"
$MAIL_DOM="";

# </config> #

# Set the current day reference (days since the epoch, as /etc/shadow uses)
$curdays = int(time() / (60 * 60 * 24));

# Now go through the list

open(SH, "< /etc/shadow") or die "cannot open /etc/shadow: $!";
while (<SH>) {
    chomp;
    # shadow fields: name, hash, lastchg, min, max, warn, inactive, expire
    @shent = split(':', $_);
    @userent = getpwnam($shent[0]);
    # only ordinary users, selected by UID range
    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
        # inside the warn window, and only if ageing is actually enabled
        if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
            $shent[4] != -1 && $shent[4] != 0 &&
            $shent[5] != -1 && $shent[5] != 0) {
            $daysleft = ($shent[2] + $shent[4]) - $curdays;
            if ($daysleft == 1) { $days = "day"; } else { $days = "days"; }
            if ($daysleft < 0) { next; }
            open(MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
            print MAIL <<EOF;
Your account will expire in $daysleft $days. Please change your password before
then or your account will expire.
EOF
            close(MAIL);
            # This makes sure we also get a list of almost expired users
            print "$shent[0]'s account will expire in $daysleft $days\n";
        }
    }
}
close(SH);

Posted by Anonymous (80.126.xx.xx) on Sun 5 Jun 2005 at 18:07
Looks like privoxy is modifying some of the lines for me, sorry about that. I have set it on my webserver (dsl line, hopefully I do not get slashdotted ...)

http://asenjo.nl/natxete/checkpasswd

Posted by robfantini (129.44.xx.xx) on Fri 24 Jun 2005 at 18:00
Hello,
The script does not seem to be at http://asenjo.nl/natxete/checkpasswd any longer.

Could you please tell me where I could get a copy?

thanks!
Rob

Posted by K4sperl (212.33.xx.xx) on Fri 19 Aug 2005 at 12:33
Hello,

I am looking for this script too, maybe somebody can post it here.

Thanks,
--
Gerald
holl.co.at

Posted by ajt (204.193.xx.xx) on Mon 6 Jun 2005 at 15:40
Thanks, an easy way of getting at the age data.

--
Adam

Posted by Anonymous (69.68.xx.xx) on Tue 7 Jun 2005 at 13:35
passwordless logins with SSH would be a great answer.

Posted by Anonymous (130.231.xx.xx) on Thu 9 Jun 2005 at 11:50
Using keys to login to systems with expiring and thus changing passwords is a neat way to forget those passwords. Never having to use them leads to not remembering them. The odd code gets disassociated and thus forgotten. BTDTGTFTF.

Posted by Anonymous (192.158.xx.xx) on Tue 14 Feb 2006 at 15:50
# </config> #

# Set the current day reference (days since the epoch, as /etc/shadow uses)
$curdays = int(time() / (60 * 60 * 24));

# Now go through the list

open(SH, "< /etc/shadow") or die "cannot open /etc/shadow: $!";
while (<SH>) {
    chomp;
    # shadow fields: name, hash, lastchg, min, max, warn, inactive, expire
    @shent = split(':', $_);
    @userent = getpwnam($shent[0]);
    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
        if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
            $shent[4] != -1 && $shent[4] != 0 &&
            $shent[5] != -1 && $shent[5] != 0) {
            $daysleft = ($shent[2] + $shent[4]) - $curdays;
            if ($daysleft == 1) { $days = "day"; } else { $days = "days"; }
            if ($daysleft < 0) { next; }
            open(MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
            print MAIL <<EOF;
Your account will expire in $daysleft $days. Please change your password before
then or your account will expire.
EOF
            close(MAIL);
            # This makes sure we also get a list of almost expired users
            print "$shent[0]'s account will expire in $daysleft $days\n";
        }
    }
}
close(SH);
