Monday, 25 March 2013

How to check that a user/password is expired in AIX?


Update: It seems there is a passwdexpired subroutine that can be loaded and Checks the user's password to determine if it has expired. However, it seems to be used as root.
This link has excellent documentation of what you would require
As demonstrated earlier in the above article, the expiry of a password is governed by the maxage attribute.
For example:
maxage=0 means never to expire
maxage=2 means will expire in two weeks.
AIX stores the time in the epoch format in seconds, so first you must determine how many seconds in a week, as this is how maxage measures the time between password expiry, that is in week numbers. There are 86400 seconds in a day, so multiplying that by seven comes in at 604800. So there are 604800 seconds in a week. The next command you need to look at is the pwdadm, which in turn queries the file /etc/security/passwd. This file holds the values in seconds when a user last changed their password. Interrogating the file or using the pwdadm command will return the same result. For this demonstration, let us query the user spoll:
# grep -p "spoll:" /etc/security/passwd
spoll:
password = EvqNjMMwJzXnc
lastupdate = 1274003127
flags = ADMCHG

# pwdadm -q spoll
spoll:
lastupdate = 1274003127
flags = ADMCHG
You can see the lastupdate value in seconds from the above output. In other words, the last time the password was changed: 1274003127
Next, using the lsuser or interrogating the file with /etc/security/user, you can determine the number of weeks before the user spoll password will expire:
# grep -p "spoll:" /etc/security/user
spoll:
admin = false
maxage = 4

# lsuser -a maxage spoll
spoll maxage=4
You can see from the above output that the number of weeks before password expiry is 4. The next task is then to multiply the number of seconds in a week by the number of weeks before the user spoll password is due to expire. In this case, it is 4: 604800 * 4
# expr 604800 \* 4
2419200
Next, you need to add the maxage value in seconds (604800 * 4) to the last time the password was changed: 2419200 + 1274003127
# expr 2419200 + 1274003127
1276422327
You can now convert that number of seconds from UNIX epoch into a more meaningful current time presentation. You can use different tools, but for this demonstration you'll use gawk with the strftime function:
# gawk 'BEGIN {print strftime("%c",'1276422327')}'
Sun Jun 13 10:45:27 BST 2010
The above calculation gives the time of the next password expiry. So, you now know that user spoll's password was last changed on ( from the pwdadm command):
# gawk 'BEGIN {print strftime("%c",'1274003127')}'
Sun May 16 10:45:27 BST 2010
And that it will expire on:
Sun Jun 13 10:45:27 BST 2010
------------------Perl script-let--------
#!/bin/perl
use POSIX qw(strftime);
$maxage=4;
$last_update = 1274003127
$max_week_seconds = 86400 * $maxage;
print strftime("%C ", localtime($max_week_seconds));

No comments:

Post a Comment