Detecting inactive accounts
Paul Stepowski
p.stepowski at qut.edu.au
Thu Sep 23 02:21:51 UTC 2004
Jeff Vian wrote:
> On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:
>
>>Hi,
>>
>>I'm trying to write a script that will detect if an account
>>is due to be (or has been) disabled so users get sent an
>>email notification telling them to change their password or
>>login to make sure the account is not disabled for being
>>inactive for too long.
>>
>>The password expiry part is easy enough to do but detecting
>>the time of the last login reliably is giving me problems.
>>
>>NOTE: I don't want to look at last logs to get the last
>>login time because they are rotated off the box frequently.
>>
>># chage -l <account>
>>Minimum: 0
>>Maximum: 60
>>Warning: 14
>>Inactive: 60
>>Last Change: Sep 10, 2004
>>Password Expires: Nov 09, 2004
>>Password Inactive: Jan 08, 2005
>>Account Expires: Never
>>
>>So if this account is inactive for 60 days, it gets locked.
>>I need to be able to detect this reliably. According to
>>the man page, this information should be stored in the
>>shadow file (see below).
>>
>># man 5 shadow
>>---snip---
>>shadow contains the encrypted password information for user's accounts and optional the password aging information.
>>
>>Included is
>>Login name
>>Encrypted password
>>Days since Jan 1, 1970 that password was last changed
>>Days before password may be changed
>>Days after which password must be changed
>>Days before password is to expire that user is warned
>>Days after password expires that account is disabled
>>Days since Jan 1, 1970 that account is disabled
>>A reserved field
>>---snip---
>>
>># cat /etc/shadow | grep <account>
>>proxy:<crypted_pwd>:12671:0:60:14:60::
>>
>
>
> write your script (perl does this nicely) to parse the line in the
> shadow file.
>
> In this case, 12671 + 60 is the password expiration, and 12671 + 60 -14
> would be the date when notice should be sent out.
> The account is automatically disabled at 12671 +60 +60 unless the
> password gets reset.
>
I've already got this bit down. No problem.

> You do not really care when they last logged in, you are only concerned
> about password expiration and account getting disabled.
>
> The time they last logged in has NO effect on when the password expires
> or the account gets disabled, only the password change date as shown in
> the shadow file affects that.

I don't follow you here. I understand that the chage "Inactive:" field
is meant to disable accounts that have been inactive (i.e. no logins)
for x days. Can you please clarify?

Thanks,
Paul

>
>
>
>>The last two values aren't set in the shadow file for
>>this account. Is there any way to get this information?
>>Is there some reason that these fields are not defined
>>in the /etc/shadow file?
>>
>>Thanks,
>>
>>Paul
>>
>
>
>
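
Added example, not part of the original message or of any poster's script: a Python sketch of the arithmetic described in the thread, using the field order from the quoted shadow(5) excerpt and the sample line from the post. The function names, the status labels and the use of `>=` at each boundary are assumptions of this example.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")

def parse_shadow_line(line):
    """Split one shadow(5) line; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def aging_days(entry):
    """Aging thresholds as day numbers since Jan 1, 1970 (None = not set)."""
    expires = warn_from = disabled = None
    if entry["lastchg"] is not None and entry["max"] is not None:
        expires = entry["lastchg"] + entry["max"]
        if entry["warn"] is not None:
            warn_from = expires - entry["warn"]
        if entry["inactive"] is not None:
            disabled = expires + entry["inactive"]
    return {"warn_from": warn_from, "password_expires": expires,
            "password_inactive": disabled, "account_expires": entry["expire"]}

def to_date(day):
    """Convert a day number to a calendar date, passing None through."""
    return None if day is None else EPOCH + timedelta(days=day)

def status(entry, today):
    """Classify an account on a given date (>= at each boundary is assumed)."""
    now = (today - EPOCH).days
    d = aging_days(entry)
    if d["account_expires"] is not None and now >= d["account_expires"]:
        return "account-expired"
    if d["password_inactive"] is not None and now >= d["password_inactive"]:
        return "disabled"
    if d["password_expires"] is not None and now >= d["password_expires"]:
        return "password-expired"
    if d["warn_from"] is not None and now >= d["warn_from"]:
        return "warn"
    return "ok"

# The line from the post, with its placeholder in the password field.
SAMPLE = "proxy:<crypted_pwd>:12671:0:60:14:60::"
```

For the sample line this gives the same Password Expires and Password Inactive dates as the `chage -l` output quoted in the message.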