Re: Detecting inactive accounts


 



On Wed, 2004-09-22 at 21:21, Paul Stepowski wrote:
> Jeff Vian wrote:
> > On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:
> > 
> >>Hi,
> >>
> >>I'm trying to write a script that will detect if an account
> >>is due to be (or has been) disabled so users get sent an
> >>email notification telling them to change their password or
> >>log in to make sure the account is not disabled for being
> >>inactive for too long.
> >>
> >>The password expiry part is easy enough to do but detecting
> >>the time of the last login reliably is giving me problems.
> >>
> >>NOTE: I don't want to look at last logs to get the last
> >>login time because they are rotated off the box frequently.
> >>
> >># chage -l <account>
> >>Minimum:        0
> >>Maximum:        60
> >>Warning:        14
> >>Inactive:       60
> >>Last Change:            Sep 10, 2004
> >>Password Expires:       Nov 09, 2004
> >>Password Inactive:      Jan 08, 2005
> >>Account Expires:        Never
> >>
> >>So if this account is inactive for 60 days, it gets locked.
> >>I need to be able to detect this reliably.  According to
> >>the man page, this information should be stored in the
> >>shadow file (see below).
> >>
> >># man 5 shadow
> >>---snip---
> >>shadow contains the encrypted password information for user's accounts and optional the password aging information.
> >>
> >>Included is
> >>Login name
> >>Encrypted password
> >>Days since Jan 1, 1970 that password was last changed
> >>Days before password may be changed
> >>Days after which password must be changed
> >>Days before password is to expire that user is warned
> >>Days after password expires that account is disabled
> >>Days since Jan 1, 1970 that account is disabled
> >>A reserved field
> >>---snip---
> >>
> >># cat /etc/shadow | grep <account>
> >>proxy:<crypted_pwd>:12671:0:60:14:60::
> >>
> > 
> > 
> > Write your script (perl does this nicely) to parse the line in the
> > shadow file.
> > 
> > In this case, 12671 + 60 is the password expiration, and 12671 + 60 - 14
> > would be the date when notice should be sent out.
> > The account is automatically disabled at 12671 + 60 + 60 unless the
> > password gets reset.
> > 
> 
> I've already got this bit down.  No problem.
> 
> > You do not really care when they last logged in, you are only concerned
> > about password expiration and account getting disabled.
> > 
> > The time they last logged in has NO effect on when the password expires
> > or the account gets disabled, only the password change date as shown in
> > the shadow file affects that.
> 
> I don't follow you here.  I understand that the chage "Inactive:" field
> is meant to disable accounts that have been inactive (i.e. no logins)
> for x days.  Can you please clarify?
> 
> Thanks,
> 
> Paul
> 

What do you mean by "Inactive:"?

From the man page, it says:

"An account is considered to be inactive and is disabled if the password
is  not  changed within the specified number of days after the password
expires.  An account will also be disabled on the specified day
regardless of other password expiration information."

By that definition, inactive means the password has not been changed.
As I said, it is not based on whether the account has been used or not,
but is based on the date when the password was last changed and the time
allotted before it must be changed.
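
Added example, not part of the original thread or written by either poster: a Python sketch of the shadow-line arithmetic discussed above (last change + maximum = expiry, minus warning = notice date, plus inactive = disable date). The function names, status labels, and the handling of the boundary day are assumptions of this example; the sample line is the one quoted in the thread.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def _days(field):
    """Shadow fields are day counts; empty or negative means 'not set'."""
    field = field.strip()
    if not field or int(field) < 0:
        return None
    return int(field)

def shadow_aging(line):
    """Return the aging dates for one /etc/shadow line (fields per shadow(5))."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    last, _min, maxd, warn, inact, expire = (_days(x) for x in f[2:8])
    d = {"user": f[0], "warn_from": None, "pw_expires": None,
         "disabled_on": None, "acct_expires": None}
    if expire is not None:
        d["acct_expires"] = EPOCH + timedelta(days=expire)
    # Without a last-change date or a maximum age there is no schedule.
    # last == 0 (forced change at next login) is also treated as no schedule.
    if not last or maxd is None:
        return d
    d["pw_expires"] = EPOCH + timedelta(days=last + maxd)
    if warn is not None:
        d["warn_from"] = d["pw_expires"] - timedelta(days=warn)
    if inact is not None:
        d["disabled_on"] = d["pw_expires"] + timedelta(days=inact)
    return d

def status(d, today):
    """Classify an account; counting the boundary day as reached is an assumption."""
    if d["acct_expires"] and today >= d["acct_expires"]:
        return "account-expired"
    if d["disabled_on"] and today >= d["disabled_on"]:
        return "disabled"
    if d["pw_expires"] and today >= d["pw_expires"]:
        return "password-expired"
    if d["warn_from"] and today >= d["warn_from"]:
        return "notify"
    return "ok"

# Sample line as quoted in the thread (password field is the thread's placeholder).
SAMPLE = "proxy:<crypted_pwd>:12671:0:60:14:60::"

if __name__ == "__main__":
    info = shadow_aging(SAMPLE)
    print(info, status(info, date.today()))
```

The computed dates match the `chage -l` output quoted in the thread, and none of them depend on when the user last logged in.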




