Password Aging script non-shadow non-trusted

Basically there are several different versions of HP-UX; this script is for a particular version that is non-trusted but also does not use any shadow files. This one is a little harder to do.

Usually the time stamp of the last password change is stored as an epoch number in the shadow file; for non-shadow untrusted servers the only clue is the date in the third field of the "passwd -s" output.

#passwd -s sparcguy
sparcguy PS 06/02/11 0 91

06/02/11: this date, I believe, is stored in the encrypted password, in the format month/day/year.

I'm using the perl function str2time(), which can convert dates to epoch numbers but takes the format year(xxxx)/month(xx)/day(xx).
It will not work without this perl str2time module, so you need to check under "HTTP::Date" whether you have the module installed, and if not you have to download it.

So to get this to work we first need to do a little formatting of the date.

As usual the description field of your userid must contain an email in the form of +email@domain.com

example:

sparcguy:<encrypted passwd>:100:100:+sparcguy@unix.com:/home/sparcguy:/usr/bin/ksh

#!/bin/sh
# Script to check password aging for non-trusted HP-UX servers WITHOUT shadow file
########################
# Notes:
# date format for perl function str2time(): year/month/day
# date format for passwd -s (third field): month/day/year
########################

cp -p /etc/passwd /etc/passwd.ORG
# real users are the entries whose comment field carries a +email@domain address
for i in `grep \@ /etc/passwd.ORG | sed 's/:/+/g' | cut -d+ -f1`
do
    # third field of "passwd -s" is mm/dd/yy; rewrite it as 20yy/mm/dd for str2time()
    LASTCHG=`passwd -s $i | awk '{ print $3 }'`
    case "$LASTCHG" in
        00/00/00|0) continue ;;   # non-expiring password: nothing to age
    esac
    OLASTPWCHG=`echo "$LASTCHG" | sed 's/\// /g' | awk '{print "20"$3"/"$1"/"$2}'`
    export OLASTPWCHG
    CVLASTPWCHG=`/usr/bin/perl -le 'use HTTP::Date; print str2time($ENV{OLASTPWCHG});'`
    DAYSEC=`echo "60*60*24" | bc`
    DAWNOFTIME=`/usr/bin/perl -e 'print int(time)'`   # current epoch time
    SECSAGO=`echo "$DAWNOFTIME - $CVLASTPWCHG" | bc`
    DAYSAGO=`echo "$SECSAGO/$DAYSEC" | bc`
    #
    # we use 90-day password aging; change MAXAGE to yours
    MAXAGE=91
    LEFTDAYS=`echo "$MAXAGE - $DAYSAGO" | bc`
    # anchor on "^$i:" so a login that is a prefix of another cannot match the wrong entry
    EMAILID=`grep "^$i:" /etc/passwd.ORG | sed 's/:/+/g' | cut -d+ -f6`

    if [ "$LEFTDAYS" -eq 7 ]
    then
        echo "Your unix id $i will expire in $LEFTDAYS days" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
    fi

    if [ "$LEFTDAYS" -eq 3 ]
    then
        echo "Your unix id $i will expire in $LEFTDAYS days" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
    fi

    if [ "$LEFTDAYS" -lt 0 ]
    then
        echo "Please note that your unix id $i has already expired" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
    fi
done

Interesting script.
Beware that the "last changed" date is always a Thursday regardless of when the user actually changed their password. Thus if I changed my password today, Fri 15/07/11, the "last changed" date is Thu 14/07/11. Thus it is better to have expiry as a multiple of 7 days, e.g. 63 rather than 60, because on the second and subsequent change the expiry date becomes predictable.

Any accounts with non-expiring passwords have zeros in the "last changed" date.

For non-expiring passwords in our environment, that's usually an application userid. For such ids we do not have any password aging policies against them, and we also do not insert an email address in the description field, i.e. +<email>@domain.

How the script knows to differentiate between a real user and an application is by the email address. You must put email addresses for real users. The script first greps any line in /etc/passwd that has an "@" symbol and gets a list of the real users; this filters out any application userids. From there the script checks and calculates each id in the "grepped" list.

The above line (and similar lines) is likely to give accidental matches which will break the script.
It would be better as:

The convention for holding multiple fields in the comment field is to separate them with comma characters.

If you start with the output from "logins -xto", all your required fields for a user are available in one colon-delimited line, thereby removing the need to search the passwd file umpteen times.
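As an added example (not the thread's script), here is the same aging calculation in plain POSIX sh with no HTTP::Date dependency, plus an exact-match lookup of the passwd comment field as the last reply recommends. It assumes the two-digit year in "passwd -s" means 20yy and a 91-day policy like the script above; the passwd -s lines and passwd entries it is run against are constructed sample data.

```shell
#!/bin/sh
# Added example, not the thread's script: password aging from a "passwd -s"
# line in pure POSIX sh arithmetic, with no perl/HTTP::Date dependency.

MAXAGE=${MAXAGE:-91}   # the same 91-day policy the original script hard-codes

# Days since 1970-01-01 for a civil date y m d (y >= 1970), integer math only.
days_from_civil() {
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    printf '%s\n' $(( era * 146097 + doe - 719468 ))
}

# days_left "<passwd -s line>" today_yyyy today_mm today_dd
# Field 3 is month/day/yy; an all-zero date means the password never expires.
days_left() {
    line=$1 ty=$2 tm=$3 td=$4
    set -- $line
    changed=$3
    case $changed in
        00/00/00|0|*[!0-9/]*) printf 'never\n'; return 0 ;;
    esac
    mm=${changed%%/*}; rest=${changed#*/}
    dd=${rest%%/*}; yy=${rest#*/}
    mm=${mm#0}; dd=${dd#0}; yy=${yy#0}   # "06" would otherwise be read as octal
    then_days=$(days_from_civil $((2000 + yy)) "$mm" "$dd")   # assumes 20yy
    now_days=$(days_from_civil "$ty" "$tm" "$td")
    printf '%s\n' $(( MAXAGE - (now_days - then_days) ))
}

# The notice the original script sends for a given days-left value.
notice_for() {
    case $1 in
        never) echo none ;;  7) echo reminder-7 ;;  3) echo reminder-3 ;;
        -*) echo expired ;;  *) echo none ;;
    esac
}

# Mail address for one login by exact match on the passwd user field, so a
# login that is a prefix of another (sparcguy/sparcguy2) cannot be confused.
email_for() {   # email_for user "<passwd file contents>"
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { sub(/^\+/, "", $5); print $5 }'
}
```

Call it as `notice_for "$(days_left "$(passwd -s "$u")" 2011 7 15)"` inside the user loop, substituting today's date for the constructed one.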