Detecting inactive accounts

Jeff Vian jvian10 at charter.net
Thu Sep 23 02:12:15 UTC 2004


On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:
> Hi,
> 
> I'm trying to write a script that will detect if an account
> is due to be (or has been) disabled so users get sent an
> email notification telling them to change there password or
> login to make sure the account is not disabled for being
> inactive for too long.
> 
> The password expiry part is easy enough to do but detecting
> the time of the last login reliably is giving me problems.
> 
> NOTE: I don't want to look at last logs to get the last
> login time because they are rotated off the box frequently.
> 
> # chage -l <account>
> Minimum:        0
> Maximum:        60
> Warning:        14
> Inactive:       60
> Last Change:            Sep 10, 2004
> Password Expires:       Nov 09, 2004
> Password Inactive:      Jan 08, 2005
> Account Expires:        Never
> 
> So if this account is inactive for 60 days, it gets locked.
> I need to be able to detect this reliably.  According to
> the man page, this information should be stored in the
> shadow file (see below).
> 
> # man 5 shadow
> ---snip---
> shadow contains the encrypted password information for user's accounts and optional the password aging information.
> 
> Included is
> Login name
> Encrypted password
> Days since Jan 1, 1970 that password was last changed
> Days before password may be changed
> Days after which password must be changed
> Days before password is to expire that user is warned
> Days after password expires that account is disabled
> Days since Jan 1, 1970 that account is disabled
> A reserved field
> ---snip---
> 
> # cat /etc/shadow | grep <account>
> proxy:<crypted_pwd>:12671:0:60:14:60::
> 

write your script (perl does this nicely) to parse the line in the
shadow file.

In this case, 12671 + 60 is the password expiration, and 12671 + 60 -14
would be the date when notice should be sent out.
The account is automatically disabled at 12671 +60 +60 unless the
password gets reset.

You do not really care when they last logged in, you are only concerned
about password expiration and account getting disabled.

The time they last logged in has NO effect on when the password expires
or the account gets disabled, only the password change date as shown in
the shadow file affects that.


> The last two values aren't set in the shadow file for
> this account.  Is there any way to get this information?
> Is there some reason that these fields are not defined
> in the /etc/shadow file?
> 
> Thanks,
> 
> Paul
> 





More information about the fedora-list mailing list