How to check password expiry in AIX?

SanjayPasum · October 30, 2008, 10:05am

Hi All,

Could anyone please help me with the command or script for checking the password expiry for a particular userid on AIX.

Regards,
Sanjay...

shockneck · October 30, 2008, 10:35am

You need to be root to do this but there is no single command available. From the /etc/security/passwd you get the information when the password for a particular user was set ("lastupdate"). You'd then check the user's attributes to find the intervall for a forced password change. With those two values and the current date you can calculate when the current password will be expired. Thus a script would probably be written around the following commands:

[server:root] /etc/security > grep -p shockneck passwd
shockneck:
        password = GaKaqDbvE3Q.s
        lastupdate = 1223451491
        flags =

[server:root] /etc/security > perl -le 'print scalar localtime 1223451491'
Wed Oct  8 09:38:11 2008
[server:root] /etc/security >  lsuser -a maxage shockneck
shockneck maxage=13
[server:root] /etc/security >  date
Thu Oct 30 15:26:32 MEZ 2008
[server:root] /etc/security >

Search the script forum to find how to convert a date into seconds from epoch for easy comparison. You might even find several complete scripts there for accomplishing your aim.

acascianelli · October 30, 2008, 10:46am

lsuser -f [username] | grep expires

bakunin · October 30, 2008, 12:09pm

This tells you when the user account expires, not when the password expires.

bakunin

SanjayPasum · October 31, 2008, 2:07am

Thanks for replying.

I don't have access to use root. Is there anyway to check the password expiry using the normal user.

In my environments passwords will expire for every 25 days of span. so we are unable to trace it out when the passwords will expire.

I want to use a 'chage'(In Linux) type of command in AIX.

Regards,
Sanjay

aixylinux · January 4, 2009, 1:29pm

If you can write a C program, you can call the passwdexpired() system call to get this information. See:

Help -

Here's a code fragment that does the trick. Unfortunately, due to employer restrictions, I can't share the whole code with you. I hacked this out of an existing module, so it is illustrative only.

/* typical includes needed by C programs */
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <time.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>

/* this is the include needed for passwdexpired */
#include <usersec.h>

void main( int argc, char* argv[]) {
char* userid=argv[1];

char     p[100] = "";
int        rc;

rc    = putenv\( "LANG=C" \);  /* force LANG=C */

/* get password date expiration string */
rc    = passwdexpired\( userid, &p \);
if \( rc == 1  || rc == 2 \) 
\{
    printf\( "%s\\nReset the password \\n",  p\);
    exit\( 2 \);
\}

/* some other error */
if \( rc != 0 \)
\{
    if \( errno == ENOENT || errno == ESRCH \)
    \{
        fprintf\( stderr,  "User %s is not defined\\n", userid \);
    \}
    else
    \{
        fprintf\( stderr, "passwdexpired\(\) rc=%d, %s\\n", rc, strerror\(errno\) \);
    \}
    exit\( 1 \);
\}

printf\( "passwdexpired returned message:\\n'%s'\\n", p \);

}

The binary file must be setuid root, else root must run the program.