Detecting inactive accounts

Paul Stepowski p.stepowski at qut.edu.au
Thu Sep 23 03:29:51 UTC 2004


Hmmm...I RTFM and answered my own question.  Thanks. :-)

Paul Stepowski wrote:
> 
> 
> Jeff Vian wrote:
> 
>> On Wed, 2004-09-22 at 17:49, Paul Stepowski wrote:
>>
>>> Hi,
>>>
>>> I'm trying to write a script that will detect if an account
>>> is due to be (or has been) disabled so users get sent an
>>> email notification telling them to change their password or
>>> login to make sure the account is not disabled for being
>>> inactive for too long.
>>>
>>> The password expiry part is easy enough to do but detecting
>>> the time of the last login reliably is giving me problems.
>>>
>>> NOTE: I don't want to look at last logs to get the last
>>> login time because they are rotated off the box frequently.
>>>
>>> # chage -l <account>
>>> Minimum:        0
>>> Maximum:        60
>>> Warning:        14
>>> Inactive:       60
>>> Last Change:            Sep 10, 2004
>>> Password Expires:       Nov 09, 2004
>>> Password Inactive:      Jan 08, 2005
>>> Account Expires:        Never
>>>
>>> So if this account is inactive for 60 days, it gets locked.
>>> I need to be able to detect this reliably.  According to
>>> the man page, this information should be stored in the
>>> shadow file (see below).
>>>
>>> # man 5 shadow
>>> ---snip---
>>> shadow contains the encrypted password information for user's 
>>> accounts and optionally the password aging information.
>>>
>>> Included is
>>> Login name
>>> Encrypted password
>>> Days since Jan 1, 1970 that password was last changed
>>> Days before password may be changed
>>> Days after which password must be changed
>>> Days before password is to expire that user is warned
>>> Days after password expires that account is disabled
>>> Days since Jan 1, 1970 that account is disabled
>>> A reserved field
>>> ---snip---
>>>
>>> # cat /etc/shadow | grep <account>
>>> proxy:<crypted_pwd>:12671:0:60:14:60::
>>>
>>
>>
>> write your script (perl does this nicely) to parse the line in the
>> shadow file.
>>
>> In this case, 12671 + 60 is the password expiration, and 12671 + 60 -14
>> would be the date when notice should be sent out.
>> The account is automatically disabled at 12671 +60 +60 unless the
>> password gets reset.
>>
> 
> I've already got this bit down.  No problem.
> 
>> You do not really care when they last logged in, you are only concerned
>> about password expiration and account getting disabled.
>>
>> The time they last logged in has NO effect on when the password expires
>> or the account gets disabled, only the password change date as shown in
>> the shadow file affects that.
> 
> 
> I don't follow you here.  I understand that the chage "Inactive:" field
> is meant to disable accounts that have been inactive (i.e. no logins)
> for x days.  Can you please clarify?
> 
> Thanks,
> 
> Paul
> 
>>
>>
>>
>>> The last two values aren't set in the shadow file for
>>> this account.  Is there any way to get this information?
>>> Is there some reason that these fields are not defined
>>> in the /etc/shadow file?
>>>
>>> Thanks,
>>>
>>> Paul
>>>
>>
>>
>>
> 
> 
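The script sketched in the thread above, written out as an added example (this is not code from either poster). It parses one /etc/shadow line into its nine fields and derives the same three dates that `chage -l` prints for the quoted account: password expiry (last change + max), the start of the warning window (expiry - warn) and the date the login is disabled (expiry + inactive). The inactive field in shadow(5) is counted from password expiry, not from the last login, which is why the dates below match the `chage` output without any lastlog data. The sample line is the one from the thread with its `<crypted_pwd>` placeholder kept; the field names, the `status()` return values and the "today" date of 23 Sep 2004 are this example's own choices.

```python
import datetime

# shadow(5) stores day counts since the Unix epoch
EPOCH = datetime.date(1970, 1, 1)

# Constructed sample: the shadow line quoted in the thread, placeholder hash kept.
SAMPLE_LINE = "proxy:<crypted_pwd>:12671:0:60:14:60::"


def epoch_day_to_date(days):
    """Convert a shadow day count (days since 1970-01-01) to a date."""
    return EPOCH + datetime.timedelta(days=days)


def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine colon-separated fields.

    Empty numeric fields are returned as None, which is how shadow(5)
    expresses 'not set' (e.g. no inactive period, no account expiry).
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))

    def to_int(s):
        return int(s) if s else None

    name, password, lastchg, minage, maxage, warn, inactive, expire, _ = fields
    return {
        "name": name,
        "password": password,
        "lastchg": to_int(lastchg),    # days since epoch of last password change
        "min": to_int(minage),         # days before password may be changed
        "max": to_int(maxage),         # days after which password must be changed
        "warn": to_int(warn),          # days of warning before expiry
        "inactive": to_int(inactive),  # days after expiry until the login is disabled
        "expire": to_int(expire),      # days since epoch when the account expires
    }


def aging_dates(entry):
    """Derive the dates chage -l prints from the raw aging fields.

    Any date whose inputs are unset (or max is the 99999 'never' value)
    comes back as None.
    """
    lastchg, maxage = entry["lastchg"], entry["max"]
    account_expires = (epoch_day_to_date(entry["expire"])
                       if entry["expire"] is not None else None)
    if lastchg is None or maxage is None or maxage >= 99999:
        return {"password_expires": None, "warn_from": None,
                "password_inactive": None, "account_expires": account_expires}

    expires_day = lastchg + maxage
    warn_day = expires_day - (entry["warn"] or 0)
    inactive_day = (expires_day + entry["inactive"]
                    if entry["inactive"] is not None else None)
    return {
        "password_expires": epoch_day_to_date(expires_day),
        "warn_from": epoch_day_to_date(warn_day),
        "password_inactive": (epoch_day_to_date(inactive_day)
                              if inactive_day is not None else None),
        "account_expires": account_expires,
    }


def status(entry, today):
    """Classify the account as of 'today' for a notification script.

    Returns one of: 'locked' (password field locked, login disabled by the
    inactive period, or account expired), 'password-expired', 'warn', 'ok'.
    """
    if entry["password"].startswith(("!", "*")):
        return "locked"           # administratively locked hash
    dates = aging_dates(entry)
    if dates["account_expires"] is not None and today >= dates["account_expires"]:
        return "locked"
    if dates["password_inactive"] is not None and today >= dates["password_inactive"]:
        return "locked"           # expiry + inactive days have passed
    if dates["password_expires"] is not None and today >= dates["password_expires"]:
        return "password-expired"
    if dates["warn_from"] is not None and today >= dates["warn_from"]:
        return "warn"             # inside the warning window: time to email the user
    return "ok"


if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_LINE)
    for label, value in aging_dates(entry).items():
        print("%-20s %s" % (label, value if value else "Never"))
    print("status on 2004-09-23:", status(entry, datetime.date(2004, 9, 23)))
```

Run as root it can be pointed at `/etc/shadow` by feeding each line to `parse_shadow_line`; the `warn` state is the point at which the notification email from the thread should go out, and `locked` is what the script should report as already disabled.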