The environment variable $HOME for a Linux account is defined by the file /etc/passwd in almost all servers' setups. Each local account has one entry line in /etc/passwd. For example, for such an account I can get the password expiration date with:
$ echo $HOME
/u02/app
$ whoami
userID
$ grep userID /etc/passwd
userID:x:50378:102:Oracle EBS ID - J Y:/u02/app:/bin/ksh
$ expstr=$( chage -l $(whoami) | grep "^Password expires" | awk -F: '{ print $(NF) }' | sed -e 's/^ *//g; s/ *$//g;' )
$ echo "password for account `whoami` will expire on $expstr"
password for account userID will expire on Jul 30, 2025
But if the account was created in AD (Active Directory), the variable $HOME is defined in AD by "Home Directory". The ADHelp search page may show this info:
Unix Account
Home Directory: /users/userID
Login Shell: /bin/ksh
In that case, "chage" fails, because the account has no entry in /etc/passwd:
$ echo $HOME
/users/userID
$ expstr=$( chage -l $(whoami) | grep "^Password expires" | awk -F: '{ print $(NF) }' | sed -e 's/^ *//g; s/ *$//g;' )
chage: user 'userID' does not exist in /etc/passwd
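An added example (not part of the original post): one way to tell, before calling chage, whether an account has a local /etc/passwd entry or only resolves through the name service, as an AD account does. The function names and the userID2 line in the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether "chage -l" can report on an account.
# account_source USER [PASSWD_FILE] prints one of:
#   local      USER has an entry in PASSWD_FILE (chage -l works)
#   directory  USER resolves through the name service (e.g. AD) only
#   unknown    USER does not resolve at all
account_source() {
    user=$1
    passwd_file=${2:-/etc/passwd}

    # Exact match on field 1. A plain "grep userID" would also match
    # "userID2" or a comment field that happens to contain the name.
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
            "$passwd_file" 2>/dev/null; then
        echo local
    elif id -u "$user" >/dev/null 2>&1; then
        # id resolves through NSS, so it also sees AD/LDAP accounts.
        echo directory
    else
        echo unknown
    fi
}

# home_from_passwd USER [PASSWD_FILE] prints field 6, the source of $HOME
# for a local account. It prints nothing for a directory account.
home_from_passwd() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "${2:-/etc/passwd}"
}

# Constructed sample file (not a real system's /etc/passwd).
demo_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
userID:x:50378:102:Oracle EBS ID - J Y:/u02/app:/bin/ksh
userID2:x:50379:102:copy of userID:/u02/app2:/bin/ksh
EOF
}
```

A monitoring script can call `account_source "$(whoami)"` first and run the chage check only when the answer is `local`.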
For an important account created in Linux, I wrote a script that emails a warning before its password expires, provided it is a Linux account (vs. an AD account). It can be run by a cron job, such as:
30 12 * * * /path/to/xxxx_scripts/checkPWDexpire.sh 2>&1
============= script checkPWDexpire.sh =============
#!/bin/bash
# Email a warning when the current (local) account's password is about to expire.
secs_per_day=$(( 60*60*24 ))
nowtime=$( date +%s )
# "chage -l" prints "Password expires : <date>"; keep the text after the colon, trimmed.
expstr=$( chage -l "$(whoami)" | grep "^Password expires" | awk -F: '{ print $(NF) }' | sed -e 's/^ *//g; s/ *$//g;' )
echo "DEBUG: expstr is $expstr"
if [ -z "$expstr" ]; then
    # chage printed nothing usable, e.g. an AD account with no entry in /etc/passwd.
    echo "No expiration date from chage.";
    exit 255; # Or, email a message out
fi
if [ "$expstr" == "never" ]; then
    echo "Password never expires.";
    exit 0;
fi
# Convert the date string to seconds since the epoch.
exptime=$( date --date "$expstr" +%s )
if [ -z "$exptime" ] || [ "$exptime" -lt 1 ]; then
    echo "Something is wrong.";
    exit 255; # Or, email a message out
fi
if [ "$exptime" -lt "$nowtime" ]; then
    echo "Password already expired.";
    exit 1; # Or, email a message out
fi
secs_til_exp=$(expr "$exptime" - "$nowtime")
days_til_exp=$(expr "$secs_til_exp" / "$secs_per_day")
echo "Password expires in $days_til_exp days."
if [ "$days_til_exp" -lt 6 ]; then
    # send email out
    echo "Please reset manually and update PPM & Venafi environments." | mailx -s "`whoami` on `uname -n` will expire in $days_til_exp days" me@email.com
    # or
    # mailx -s "`whoami` on `uname -n` will expire in $days_til_exp days" me@email.com < aFile.log
else
    echo "All is fine.";
    exit ;
fi
============== end =====================