Detecting inactive accounts

Paul Stepowski p.stepowski at qut.edu.au
Thu Sep 23 02:21:51 UTC 2004



Jeff Vian wrote:
> On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:
> 
>>Hi,
>>
>>I'm trying to write a script that will detect if an account
>>is due to be (or has been) disabled so users get sent an
>>email notification telling them to change their password or
>>login to make sure the account is not disabled for being
>>inactive for too long.
>>
>>The password expiry part is easy enough to do but detecting
>>the time of the last login reliably is giving me problems.
>>
>>NOTE: I don't want to look at last logs to get the last
>>login time because they are rotated off the box frequently.
>>
>># chage -l <account>
>>Minimum:        0
>>Maximum:        60
>>Warning:        14
>>Inactive:       60
>>Last Change:            Sep 10, 2004
>>Password Expires:       Nov 09, 2004
>>Password Inactive:      Jan 08, 2005
>>Account Expires:        Never
>>
>>So if this account is inactive for 60 days, it gets locked.
>>I need to be able to detect this reliably.  According to
>>the man page, this information should be stored in the
>>shadow file (see below).
>>
>># man 5 shadow
>>---snip---
>>shadow contains the encrypted password information for user's accounts and optional the password aging information.
>>
>>Included is
>>Login name
>>Encrypted password
>>Days since Jan 1, 1970 that password was last changed
>>Days before password may be changed
>>Days after which password must be changed
>>Days before password is to expire that user is warned
>>Days after password expires that account is disabled
>>Days since Jan 1, 1970 that account is disabled
>>A reserved field
>>---snip---
>>
>># cat /etc/shadow | grep <account>
>>proxy:<crypted_pwd>:12671:0:60:14:60::
>>
> 
> 
> write your script (perl does this nicely) to parse the line in the
> shadow file.
> 
> In this case, 12671 + 60 is the password expiration, and 12671 + 60 -14
> would be the date when notice should be sent out.
> The account is automatically disabled at 12671 +60 +60 unless the
> password gets reset.
> 

I've already got this bit down.  No problem.

> You do not really care when they last logged in, you are only concerned
> about password expiration and account getting disabled.
> 
> The time they last logged in has NO effect on when the password expires
> or the account gets disabled, only the password change date as shown in
> the shadow file affects that.

I don't follow you here.  I understand that the chage "Inactive:" field
is meant to disable accounts that have been inactive (i.e. no logins)
for x days.  Can you please clarify?

Thanks,

Paul

> 
> 
> 
>>The last two values aren't set in the shadow file for
>>this account.  Is there any way to get this information?
>>Is there some reason that these fields are not defined
>>in the /etc/shadow file?
>>
>>Thanks,
>>
>>Paul
>>
> 
> 
> 
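
Added example, not part of the original thread: the arithmetic from Jeff's reply applied to the quoted shadow entry, written in Python rather than the Perl he suggests. The field names, status labels and the choice to treat the boundary day as already reached are assumptions of this example; every date is derived from the password change date alone.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Constructed sample: the entry quoted in the thread, hash left as a placeholder.
SAMPLE = "proxy:<crypted_pwd>:12671:0:60:14:60::"


def parse_shadow(line):
    """Split one shadow line into named fields; an empty field becomes None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    keys = ("lastchg", "min", "max", "warn", "inactive", "expire")
    entry = {"name": f[0]}
    entry.update(zip(keys, (int(x) if x.strip() else None for x in f[2:8])))
    return entry


def aging_dates(e):
    """Dates derived from the password change date, per the arithmetic above."""
    day = lambda n: EPOCH + timedelta(days=n)
    out = dict.fromkeys(("warn_from", "pw_expires", "locked_from", "acct_expires"))
    if e["lastchg"] is not None and e["max"] is not None:
        expires = e["lastchg"] + e["max"]
        out["pw_expires"] = day(expires)
        if e["warn"]:
            out["warn_from"] = day(expires - e["warn"])
        if e["inactive"] is not None:
            out["locked_from"] = day(expires + e["inactive"])
    if e["expire"] is not None:          # unset in the sample, so chage shows "Never"
        out["acct_expires"] = day(e["expire"])
    return out


def status(e, today):
    """Classify an account for a notification run on `today` (a date)."""
    d = aging_dates(e)
    # The boundary day counts as already reached (a choice made in this example).
    checks = (("account expired", d["acct_expires"]),
              ("locked", d["locked_from"]),
              ("password expired", d["pw_expires"]),
              ("warn", d["warn_from"]))
    for label, when in checks:
        if when is not None and today >= when:
            return label
    return "ok"


if __name__ == "__main__":
    entry = parse_shadow(SAMPLE)
    print(aging_dates(entry), status(entry, date.today()))
```

For the quoted entry this gives the same "Password Expires" and "Password Inactive" dates as the `chage -l` output earlier in the thread.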