We are using OpenSolaris and Linux machines in a test environment. Is there any way by which I can send the password expiry notifications to the concerned users?
I'm not sure about OpenSolaris, but on the Linux system I'm using at the moment...
When a password expiry date gets set with usermod, the user's entry in /etc/shadow gets updated. You could run a cron job that checks the /etc/shadow entries and does some maths with the expiry date. When the date is close, you could have the cron job send the user an email.
Here's a Perl script I wrote for our Red Hat systems that does this. Adapt as needed:
Code:
#! /usr/bin/perl
####################################################################
# Filename: Password_Exp_Notify.pl
# Date: August 15 2006
####################################################################
# Description:
# This script emails a user when their:
# - password is within 14 days of expiring.
# - password is expired
#
# This script requires the following to work:
# - Each user needs a $HOME/.forward file that contains a valid
#   email address.
# - The $HOME/.forward file must be owned by the user account
#####################################################################
$HOST=`uname -n`; chomp($HOST);
$UNIXSUPPORT='some_email@domain.com';   # single quotes: "@domain" would interpolate as an array
$epoch = int(time/(60*60*24));          # today, in days since 1970-01-01

open(SHADOW, "< /etc/shadow") or die "Cannot open /etc/shadow: $!";
while (<SHADOW>) {
    ($USER, $encr_pass, $created, undef, $exp_days, undef, undef, undef)=split(/:/, $_);
    # Login shell is field 7 of /etc/passwd (element 8 of getpwnam), not field 6
    $shel = (getpwnam($USER))[8] // '';
    next if $shel =~ m(/sbin/nologin); # we don't care about accounts w/ nologin shell
    $PASS_AGE = ($exp_days-($epoch-$created));  # days left before expiry (negative = expired)
    if ($encr_pass =~ m{^\!\!$} || $encr_pass =~ m{^\*$}){
        $Nothing = 0; # Account is locked/password not set - skip this condition
        next;
    } elsif ($encr_pass =~ m{^\!.*$}) {
        $Nothing = 0; # Account is administratively locked - skip this condition
        next;
    } elsif ($created eq "0" || $exp_days eq "99999") {
        # Password aging is disabled for the account - Set the correct policy for the user
        `passwd -x 90 -w 14 $USER`; # password expires in 90 days/Warning 14
        `chage -d 0 $USER`; # Force password change on next login
        next;
    } elsif ($PASS_AGE >= 0 && $PASS_AGE <= 14) {
        # password expires within 14 days - notify user
        $SUBJECT = "Password expiration notification for $USER from $HOST";
        &SendMail("$USER", "$SUBJECT", "
Notice: The user account $USER will expire in $PASS_AGE days on $HOST.
Login and change the password before the expiration date or the account may be locked.
Your new password must conform to the following policies:
- Minimum of 8 characters in length
- Contains at least 1 special character within the first 8 characters
- Contains at least 1 numeric character within the first 8 characters
Contact the Unix Support Team for any further assistance.
");
        next;
    } elsif ($PASS_AGE < 0 && $PASS_AGE > -90) {
        # password is expired - notify user
        $DAYS_AGO = -$PASS_AGE;   # report a positive number of days
        $SUBJECT = "Password expiration notification for $USER from $HOST";
        &SendMail("$USER", "$SUBJECT", "
Notice: The user account $USER expired $DAYS_AGO days ago on $HOST.
Login and change the password or the account may be locked or removed.
Your new password must conform to the following policies:
- Minimum of 8 characters in length
- Contains at least 1 special character within the first 8 characters
- Contains at least 1 numeric character within the first 8 characters
Contact the Unix Support Team for any further assistance.
");
        next;
    } elsif ($PASS_AGE <= -90 ) {
        # Password has been expired for 90 days or more - lock and notify support for deletion
        $DAYS_AGO = -$PASS_AGE;
        `passwd -l $USER`; # Lock the account
        `/usr/sbin/usermod -s /sbin/nologin $USER`; # Set a nologin shell
        $SUBJECT = "User account $USER has been expired for 90 days or more";
        &SendMail("root", "$SUBJECT", "
Notice: The user account $USER expired $DAYS_AGO days ago on $HOST.
Since the user has not changed the password, consider removing the account.
");
        next;
    }
}
close(SHADOW);
#############################################################################
### Define the subroutines below
#############################################################################
###
#1# Send a message to the user
###
sub SendMail {
    my ($to, $subject, $message) = @_;
    my $sendmail = '/usr/sbin/sendmail';
    # -t: take recipients from the headers; -oi: a lone "." does not end the message
    open(MAIL, "|$sendmail -oi -t") or die "Cannot run $sendmail: $!";
    print MAIL "From: $UNIXSUPPORT\n";
    print MAIL "To: $to\n";
    print MAIL "Subject: $subject\n\n";
    print MAIL "$message\n";
    close(MAIL);
}
#2 in the script do I need to modify something from:
#############################################################################
### Define the subroutines below
#############################################################################
###
#1# Send a message to the user
###
sub SendMail {
    my ($to, $subject, $message) = @_;
    my $sendmail = '/usr/sbin/sendmail';
    open(MAIL, "|$sendmail -oi -t");
    print MAIL "From: $UNIXSUPPORT\n";
    print MAIL "To: $to\n";
    print MAIL "Subject: $subject\n\n";
    print MAIL "$message\n";
    close(MAIL);
}
OK,
Got it to work for the local mail to each user, but
I don't think it's reading $HOME/.forward. How can I verify that it is reading the contents of this $HOME/.forward?
Need Password Expiry Script for Unix System accounts
I am running a Linux FTP server having around 100 system accounts, for which I need a password expiry script which could use the "email" package and send mails for warning, expiration of accounts, etc. A little twist from the above post is that the accounts are not user name based but account name based, and users are defined in the GECOS field. So I need a modification so that mails are sent to the IDs (mail IDs) defined in the GECOS field.
If anyone can guide me on this, it will be helpful for me.
Thanks in advance.
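An added example (not code from any poster in this thread) of the change asked for in the last post: the recipient is taken from the GECOS field instead of the account name, using the same expiry arithmetic as the script above. The account names, addresses, day numbers and fallback mailbox are constructed, and it assumes the address is one of the comma-separated GECOS subfields.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data in passwd(5)/shadow(5) layout; a real run would read
# /etc/passwd and /etc/shadow as root instead.
my @PASSWD = (
    'ftpacct1:x:1001:1001:Alice Example,alice@example.com:/home/ftpacct1:/bin/bash',
    'ftpacct2:x:1002:1002:Bob Example:/home/ftpacct2:/bin/bash',
    'ftpacct3:x:1003:1003:carol@example.com,root@example.com:/home/ftpacct3:/bin/bash',
);
my @SHADOW = (
    'ftpacct1:$6$constructed:19000:0:90:14:::',
    'ftpacct2:$6$constructed:19075:0:90:14:::',
    'ftpacct3:$6$constructed:18985:0:90:14:::',
);
my $TODAY    = 19080;                       # constructed; real use: int(time / 86400)
my $FALLBACK = 'unix-support@example.com';  # placeholder support mailbox

# Return the one mail address among the comma-separated GECOS subfields (assumed
# layout). GECOS can be user-editable (chfn), so validate before using it as "To:".
sub gecos_mail {
    my ($gecos) = @_;
    my @hits = grep { /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/ }
               map  { s/^\s+|\s+$//gr } split /,/, $gecos;
    return @hits == 1 ? $hits[0] : undef;   # zero or several: do not guess
}

# Days until expiry (negative = already expired); nothing if aging is off.
sub days_left {
    my ($last_change, $max_days, $today) = @_;
    return if !length($max_days // '') || $max_days >= 99999;
    return if !length($last_change // '') || $last_change == 0;
    return $last_change + $max_days - $today;
}

my %mail_for;
for (@PASSWD) {
    my ($user, undef, undef, undef, $gecos) = split /:/;
    $mail_for{$user} = gecos_mail($gecos);
}
for (@SHADOW) {
    my ($user, $hash, $last_change, undef, $max_days) = split /:/;
    next if $hash =~ /^[!*]/;               # locked, or no password set
    my $left = days_left($last_change, $max_days, $TODAY);
    next unless defined $left && $left <= 14;
    my $to = $mail_for{$user} // $FALLBACK;
    printf "%-8s %4d day(s) left -> notify %s\n", $user, $left, $to;
}
```

An account whose GECOS holds no address, or more than one, is routed to the support mailbox rather than mailed to whatever the field contains.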