Re: Is there a unix command to display unix user account expiry, inactive expiry

From: Chris Jones (c.r.jonesNOSPAM_at_larc.nasa.gov)
Date: 06/10/04


Date: Thu, 10 Jun 2004 08:36:59 -0400

Jitendra Sharma wrote:
> Dear Unix Gurus,
>
> 1. Is there a Solaris command to display configured unix user account
> expiry days i.e let's say I execute
>
> %unix usermod -e 06/11/2004 jk1
>
> How can I see this date using a unix command ? and similarly for
> inactive expiry days. I tried using passwd -s jk1 but that displays
> only Password information only.
>
> 2. Is there a Solaris API to convert expiry date in /etc/shadow to
> mm/dd/yy format and vice-versa ?ie.
>
> jk1:2j92MGiE0iljY:12577:7:30:7::12580: <--How can I convert 12580 to
> 06/11/2004?
>
> Any help/pointers will be highly appreciated.
>
> Thanks a ton in advance.
> Jitendra

I don't know if this is exactly what you're looking for.. but we've got
a little shell script one of the SA's here wrote that pulls out of the
shadow password file (and all of our accounts have the password aging
fields in use there) how many days until the password expires.

We expire passwords every 90 days, so here would be an example of a
shadow entry:

somelogin:<13 character encrypted password>:12558::90:14:90::

So the key is the third between-the-colon field, or the 'lastchg' field
according to the man page. The other ones that are used are the 5th
field, or the 'max' (90) field, the 6th field, or the 'warn' (14) field,
and finally the 6th field, or the 'inactive' (90) field.

Our users have 90 days before their password expires, and 14 days prior
they get a warning when they login, and 90 days to login and change it
before it becomes inactive, or locked down (as in they have 90 days to
login and be prompted to change it *right then*... otherwise they have
to bug an SA).

Our shell script then (and this works for multiple operating systems...
at least SUN and SGI) just remotely connects to the system in question,
pulls out the 'lastchg' field... which is the date the password was last
changed, or really is the number of days since the EPOCH time (the
time since January 1, 1970).

Then it just calculates the actual number of days since the EPOCH and
does some math to find out how old the user's password is. In our case,
if it's a number less than 90, the password hasn't expired yet... and if
it's a negative number, that's then the number of days *since* it's
expired. And remembering the 'inactive' field above of 90, if the
result is over 90 (or smaller than negative 90... ), then that user's
gonna have to get some help to get logged back in.

Here's the script:

(read in the $HOST and $USER info of course.... )

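# Day (counted from the epoch) on which the user's password was last
# changed: the 'lastchg' field, field 3 of the shadow entry. The pattern
# is anchored to "^$USER:" so only that exact login matches, and it is
# single-quoted for the remote shell.

CURRENT_EPOCH=`/usr/local/bin/ssh2 "$HOST" runas grep "'^$USER:'" /etc/shadow | cut -d: -f3`

# Today's date as a number of days since the epoch

EPOCH=`/bin/perl -e 'print int(time/(60*60*24))'`

# Compute the age of the user's password in days

AGE=`echo "$EPOCH - $CURRENT_EPOCH" | /bin/bc`

# Compute and display the number of days until password expiration
# (90 is the 'max' field used on these systems)

EXPIRE=`echo "90 - $AGE" | /bin/bc`
echo "$USER's password on $HOST expires in $EXPIRE days"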

Hope this helps... this saved us a *lot* of time once we finally got
around to writing a script like this!

-chris

p.s. - the perl line came *directly* out of the shadow man page on an
SGI...

-- 
Chris Jones
(to email me, just take out the NOSPAM)
Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B)
This email address may not be added to any commercial mail list with out
my permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
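
An added example, not part of the original post or of the script it describes: it converts the day counts in a shadow entry to calendar dates and back, and derives the password and account expiry dates discussed in this thread. The function names are hypothetical, the sample lines are constructed from the numeric fields quoted above with the hash replaced by a placeholder, and the 'inactive' grace period is computed the way the reply describes it.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
AGING_FIELDS = ("lastchg", "min", "max", "warn", "inactive", "expire")

def days_to_date(days):
    """Shadow day count (days since 1970-01-01) -> calendar date."""
    return EPOCH + timedelta(days=days)

def date_to_days(d):
    """Calendar date -> shadow day count, e.g. to check an expiry value."""
    return (d - EPOCH).days

def parse_shadow(line):
    """Split one shadow entry; empty aging fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    entry = {"name": parts[0]}
    for key, raw in zip(AGING_FIELDS, parts[2:8]):
        entry[key] = int(raw) if raw else None
    return entry

def aging_report(line, today):
    """Dates derived from the aging fields, as of `today`."""
    e = parse_shadow(line)
    r = {"name": e["name"], "last_change": None, "password_expires": None,
         "days_left": None, "locked_after": None, "account_expires": None}
    if e["lastchg"] is not None:
        r["last_change"] = days_to_date(e["lastchg"])
        if e["max"] is not None:
            expires = e["lastchg"] + e["max"]
            r["password_expires"] = days_to_date(expires)
            # Negative means the password expired that many days ago.
            r["days_left"] = expires - date_to_days(today)
            if e["inactive"] is not None:
                # Assumption: grace period after expiry, as the reply
                # describes 'inactive'; check shadow(4) on your OS.
                r["locked_after"] = days_to_date(expires + e["inactive"])
    if e["expire"] is not None:
        r["account_expires"] = days_to_date(e["expire"])
    return r

# Constructed samples: numeric fields from the two entries quoted above,
# with the password hash replaced by a placeholder.
SAMPLES = ["jk1:PLACEHOLDER:12577:7:30:7::12580:",
           "somelogin:PLACEHOLDER:12558::90:14:90::"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(aging_report(s, date(2004, 6, 10)))
```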

