Hmmm...I RTFM and answered my own question. Thanks. :-)
Paul Stepowski wrote:
Jeff Vian wrote:
On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:
Hi,
I'm trying to write a script that will detect if an account is due to be (or has been) disabled so users get sent an email notification telling them to change there password or login to make sure the account is not disabled for being inactive for too long.
The password expiry part is easy enough to do but detecting the time of the last login reliably is giving me problems.
NOTE: I don't want to look at last logs to get the last login time because they are rotated off the box frequently.
# chage -l <account> Minimum: 0 Maximum: 60 Warning: 14 Inactive: 60 Last Change: Sep 10, 2004 Password Expires: Nov 09, 2004 Password Inactive: Jan 08, 2005 Account Expires: Never
So if this account is inactive for 60 days, it gets locked. I need to be able to detect this reliably. According to the man page, this information should be stored in the shadow file (see below).
# man 5 shadow
---snip---
shadow contains the encrypted password information for user's accounts and optional the password aging information.
Included is Login name Encrypted password Days since Jan 1, 1970 that password was last changed Days before password may be changed Days after which password must be changed Days before password is to expire that user is warned Days after password expires that account is disabled Days since Jan 1, 1970 that account is disabled A reserved field ---snip---
# cat /etc/shadow | grep <account> proxy:<crypted_pwd>:12671:0:60:14:60::
write your script (perl does this nicely) to parse the line in the shadow file.
In this case, 12671 + 60 is the password expiration, and 12671 + 60 -14 would be the date when notice should be sent out. The account is automatically disabled at 12671 +60 +60 unless the password gets reset.
I've already got this bit down. No problem.
You do not really care when they last logged in, you are only concerned about password expiration and account getting disabled.
The time they last logged in has NO effect on when the password expires or the account gets disabled, only the password change date as shown in the shadow file affects that.
I don't follow you here. I understand that the chage "Inactive:" field is meant to disable accounts that have been inactive (i.e. no logins) for x days. Can you please clarify?
Thanks,
Paul
The last two values aren't set in the shadow file for this account. Is there any way to get this information? Is there some reason that these fields are not defined in the /etc/shadow file?
Thanks,
Paul