pwage-hpux-T for Trusted HPUX servers

sparcguy · March 24, 2011, 6:27am

I'm sharing this in case anybody needs it. Modified from the original solaris pwage script. This modified hpux script will check /etc/password file on hpux trusted systems search /tcb and grep the required u_succhg field. Calculate days to expiry and notify users via email.

original solaris pwage script: Check password age

for the hpux script you need to modify following

/etc/passwd file needs to have a "+email@domain.com" in the description field. You can use '+' or any other symbol but not sure if you can use another ':'

aixguy::114:106:aix administrator \+aixguy@unix.com:/home/aixguy:/usr/bin/sh
hpuxguy::103:106:hpux admin \+hpuxguy@unix.com:/home/hpuxguy:/usr/bin/sh
sparcguy:*:112:106:solaris administrator \+sparcguy@unix.com:/home/sparcguy:/usr/bin/ksh

MAXAGE=90 <-- we use 90 day expiry policy modify for yours.

#! /bin/sh
for i in `cat /etc/passwd | grep \@ | sed 's/:/+/g' | cut -d+ -f1`
do

for j in `find /tcb -name $i -exec ls -1 {} \;`
do
LASTPWCHG=`cat $j | grep u_succhg | sed 's/:/#/g' | cut -d# -f3`
DAYSEC=`echo "60*60*24" | bc`
DAWNOFTIME=`/usr/contrib/bin/perl -e 'print int(time)'`
SECSAGO=`echo "$DAWNOFTIME - $LASTPWCHG" | bc`
DAYSAGO=`echo $SECSAGO/$DAYSEC | bc`
done

MAXAGE=90
LEFTDAYS=`echo "$MAXAGE - $DAYSAGO" | bc`

if [[ "$LEFTDAYS" = 7 ]]
then
EMAILID=`cat /etc/passwd | grep $i | sed 's/:/+/g' | cut -d+ -f6`
echo "Your unix id $i will expire in $LEFTDAYS days" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
fi

if [[ "$LEFTDAYS" = 3 ]]
then
EMAILID=`cat /etc/passwd | grep $i | sed 's/:/+/g' | cut -d+ -f6`
echo "Your unix id $i will expire in $LEFTDAYS days" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
fi

if [[ "$LEFTDAYS" -lt 0 ]]
then
EMAILID=`cat /etc/passwd | grep $i | sed 's/:/+/g' | cut -d+ -f6`
echo "Please note that your unix id $i has aleaady expired" | mailx -s "`uname -n` Password aging Reminder" $EMAILID
fi
done

If you want to test modify MAXAGE=0 or 10

do not run against un-trusted hpux boxes

methyl · March 24, 2011, 11:00am

Some points.

The normal secondary delimiter in the /etc/passwd comments field is a comma. Don't try a colon - it will corrupt the passwd file. The "usermod" command should stop you creating an invalid passwd file.

This is a dodgy construct because it can give false matches in any field. In the simple case, consider usernames called "fred", "freda" and "alfred". One extreme case would be a username called "home".
A safer version in the style of your script:

grep \^${i}: /etc/passwd |

On many O/S the "for i in <open ended list>" construct will collapse when the command line becomes too long for the CLI.

Just for interest in non-trusted HP-UX you can get all the base information for this type of script from the command:

logins -xto

sparcguy · March 24, 2011, 10:07pm

thx for yur comments and suggestions mate feel free to modify or tighten to your requirements.

working on an aix version, uses also the same concept will share it once have it.