Re: Detecting inactive accounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hmmm...I RTFM and answered my own question.  Thanks. :-)

Paul Stepowski wrote:


Jeff Vian wrote:

On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:

Hi,

I'm trying to write a script that will detect if an account
is due to be (or has been) disabled so users get sent an
email notification telling them to change there password or
login to make sure the account is not disabled for being
inactive for too long.

The password expiry part is easy enough to do but detecting
the time of the last login reliably is giving me problems.

NOTE: I don't want to look at last logs to get the last
login time because they are rotated off the box frequently.

# chage -l <account>
Minimum:        0
Maximum:        60
Warning:        14
Inactive:       60
Last Change:            Sep 10, 2004
Password Expires:       Nov 09, 2004
Password Inactive:      Jan 08, 2005
Account Expires:        Never

So if this account is inactive for 60 days, it gets locked.
I need to be able to detect this reliably.  According to
the man page, this information should be stored in the
shadow file (see below).

# man 5 shadow
---snip---
shadow contains the encrypted password information for user's accounts and optional the password aging information.


Included is
Login name
Encrypted password
Days since Jan 1, 1970 that password was last changed
Days before password may be changed
Days after which password must be changed
Days before password is to expire that user is warned
Days after password expires that account is disabled
Days since Jan 1, 1970 that account is disabled
A reserved field
---snip---

# cat /etc/shadow | grep <account>
proxy:<crypted_pwd>:12671:0:60:14:60::



write your script (perl does this nicely) to parse the line in the
shadow file.

In this case, 12671 + 60 is the password expiration, and 12671 + 60 -14
would be the date when notice should be sent out.
The account is automatically disabled at 12671 +60 +60 unless the
password gets reset.


I've already got this bit down. No problem.

You do not really care when they last logged in, you are only concerned
about password expiration and account getting disabled.

The time they last logged in has NO effect on when the password expires
or the account gets disabled, only the password change date as shown in
the shadow file affects that.


I don't follow you here.  I understand that the chage "Inactive:" field
is meant to disable accounts that have been inactive (i.e. no logins)
for x days.  Can you please clarify?

Thanks,

Paul




The last two values aren't set in the shadow file for
this account.  Is there any way to get this information?
Is there some reason that these fields are not defined
in the /etc/shadow file?

Thanks,

Paul









[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux