help with script: all accounts must be set to expire and go inactive
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
help with script: all accounts must be set to expire and go inactive
I have been assigned a project at work where all accounts on approx 450 RHEL servers must be set to expire and go inactive. There will be exceptions on service accounts and so forth, but for the majority all need to be modified.
I can use the command below to set each account individually, but that will take forever.
chage -M 90 -W 14 -I 90 "username"
Here's what I would like to do.
Create a simple script to go through /etc/passwd and check to see which accounts meet the criteria
Generate a text file and place it in /tmp
Crearte another script to read that txt file and modify the user accounts in the text file
Those are just my thoughts. If anyone has any ideas, please let me know. I am definitely not a scripter so your input will be greatly appreciated.
Do you want to invoke the same change to all users available in your /etc/passwd file? Or want to exclude some of them? Otherwise, for all users, you can do it with simple script like this:
Code:
~$ vi chagescript.sh
#!/bin/bash
awk -F":" '{print $1}' /etc/passwd > /tmp/users.txt
while read -r user
do
chage -M 90 -W 14 -I 90 $user
echo "Modification done for user $user".
done < /tmp/users.txt
Those specific accounts have not been defined as of yet.
To me, the only concern seems is to list out user accounts. However, exacctly define which account should be included and which should be excluded, then come back.
Basically, i need to scan for any accounts in the /etc/shadow file that do not end in :15975:0:90:14:90::
A cursory glance of the /etc/shadow file seems to indicate that anything with a second field of * or !! are service accounts that should be excluded.
So you need to exclude all system accounts for those login shell as defined as /bin/nologin
Code:
for i in $(awk -F":" '/nologin/ {print $1}' /etc/passwd)
do
echo "$i"
done
OR
for i in $(awk -F":" '/*/||/!!/ {print $1}' /etc/shadow) #could be more simply formatted
do
echo "$i"
done
I can redirect the output to /tmp/chage. With that output, how can I proceed with a script to set the inactive and expire flags?
Be careful when using * and ! (!!).
The passwd field can hold any character. *, ! and !! are often seen but it can also be empty or any other character!!
Also: rejecting lines with nologin is also not full-proof (check your passwd file).
If I assume the default way of encrypting passwords is used you could look for lines that have a $ as first character in field 2 and as an extra reject lines with 0:90:14:90::. Even then you might need to check if the results are all ok.
Have a look at this:
Code:
#!/bin/bash
while read THISUSER
do
# this would be exectued, its just echoed atm.
echo "chage -M 90 -W 14 -I 90 $THISUSER"
done < <( awk -F: '$2 ~ /^\$./ { if ( $0 !~ "0:90:14:90::" ) print $1 }' /etc/shadow )
The above code won't change anything, it only echo's the command's that would be executed. Change echo "chage -M 90 -W 14 -I 90 $THISUSER" to chage -M 90 -W 14 -I 90 $THISUSER if this double and triple checked.
EDIT: Do make sure you have backups of the files concerned before starting this action!
Last edited by druuna; 12-11-2013 at 12:15 PM.
Reason: Added extra warning
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
