
Is there a unix command to display unix user account expiry, inactive expiry


Jitendra Sharma

Jun 9, 2004, 2:29:20 PM
Dear Unix Gurus,

1. Is there a Solaris command to display configured unix user account
expiry days, i.e. let's say I execute

%unix usermod -e 06/11/2004 jk1

How can I see this date using a unix command? And similarly for
inactive expiry days. I tried using passwd -s jk1 but that displays
only password information.

2. Is there a Solaris API to convert expiry date in /etc/shadow to
mm/dd/yy format and vice-versa? i.e.

jk1:2j92MGiE0iljY:12577:7:30:7::12580: <--How can I convert 12580 to
06/11/2004?

Any help/pointers will be highly appreciated.

Thanks a ton in advance.
Jitendra

Rich Teer

Jun 9, 2004, 2:58:37 PM
On Wed, 9 Jun 2004, Jitendra Sharma wrote:

> How can I see this date using a unix command? And similarly for
> inactive expiry days. I tried using passwd -s jk1 but that displays
> only password information.
>
> 2. Is there a Solaris API to convert expiry date in /etc/shadow to
> mm/dd/yy format and vice-versa? i.e.
>
> jk1:2j92MGiE0iljY:12577:7:30:7::12580: <--How can I convert 12580 to
> 06/11/2004?

There's no built-in command that I know of, but writing one
would be a piece of cake (one that is, however, left as an
exercise for the reader...). Man getspent and strftime and
friends.

--
Rich Teer, SCNA, SCSA

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net


Chris Jones

Jun 10, 2004, 8:36:59 AM

I don't know if this is exactly what you're looking for.. but we've got
a little shell script one of the SA's here wrote that pulls out of the
shadow password file (and all of our accounts have the password aging
fields in use there) how many days until the password expires.

We expire passwords every 90 days, so here would be an example of a
shadow entry:

somelogin:<13 character encrypted password>:12558::90:14:90::

So the key is the third between-the-colon field, or the 'lastchg' field
according to the man page. The other ones that are used are the 5th
field, or the 'max' (90) field, the 6th field, or the 'warn' (14) field,
and finally the 6th field, or the 'inactive' (90) field.

Our users have 90 days before their password expires, and 14 days prior
they get a warning when they login, and 90 days to login and change it
before it becomes inactive, or locked down (as in they have 90 days to
login and be prompted to change it *right then*... otherwise they have
to bug an SA).

Our shell script then (and this works for multiple operating systems...
at least SUN and SGI) just remotely connects to the system in question,
pulls out the 'lastchg' field... which is the date the password was last
changed, or really is the number of days since the EPOCH time (the
time since January 1, 1970).

Then it just calculates the actual number of days since the EPOCH and
does some math to find out how old the user's password is. In our case,
if it's a number less than 90, the password hasn't expired yet... and if
it's a negative number, that's then the number of days *since* it's
expired. And remembering the 'inactive' field above of 90, if the
result is over 90 (or smaller than negative 90... ), then that user's
gonna have to get some help to get logged back in.

Here's the script:

(read in the $HOST and $USER info of course.... )

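# Get the 'lastchg' field: the day, counted from the epoch, on which the
# user's password was last changed. The pattern is anchored so that only
# this login's entry matches, not every line containing $USER.

CURRENT_EPOCH=`/usr/local/bin/ssh2 $HOST "runas grep '^$USER:' /etc/shadow" |
cut -d: -f3`

# Find today's date as a number of days since the epoch

EPOCH=`/bin/perl -e 'print int(time/(60*60*24))'`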

# Compute the age of the user's password

AGE=`echo $EPOCH - $CURRENT_EPOCH | /bin/bc`

# Compute and display the number of days until password expiration

EXPIRE=`echo 90 - $AGE | /bin/bc`
echo "$USER's password on $HOST expires in $EXPIRE days"

Hope this helps... this saved us a *lot* of time once we finally got
around to writing a script like this!

-chris

p.s. - the perl line came *directly* out of the shadow man page on an
SGI...

--
Chris Jones
(to email me, just take out the NOSPAM)

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B)
This email address may not be added to any commercial mail list with out
my permission. Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.

Richard L. Hamilton

Jun 10, 2004, 11:20:58 AM
In article <31ea0aae.04060...@posting.google.com>,

Are you also running NIS? Password expiration isn't (well, give or take)
supported on NIS. You could explicitly display the info in the files
with passwd -r files -s jk1, but that's only meaningful if the system
in question has files before nis for passwd in nsswitch.conf, or if jk1
is only present in files and not in nis (i.e. if this isn't the NIS
master set up to build the passwd maps from /etc/passwd and /etc/shadow).

--
mailto:rlh...@smart.net http://www.smart.net/~rlhamil

Ian G Batten

Jun 10, 2004, 11:23:26 AM
In article <31ea0aae.04060...@posting.google.com>,

Jitendra Sharma <jksh...@yahoo.com> wrote:
> 2. Is there a Solaris API to convert expiry date in /etc/shadow to
> mm/dd/yy format and vice-versa? i.e.
>
> jk1:2j92MGiE0iljY:12577:7:30:7::12580: <--How can I convert 12580 to
> 06/11/2004?

/usr/bin/perl -e 'print scalar localtime(12580*86400)'

ian

swim learning

Jun 10, 2004, 4:14:21 PM
Assuming 12580 is the number of days from the epoch, (Jan 1, 1970),
convert the days to seconds and feed to the perl localtime() function:

perl -e 'print scalar localtime(12580 * 24 *3600);'
Thu Jun 10 20:00:00 2004

jksh...@yahoo.com (Jitendra Sharma) wrote in message >
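
The day-count conversion asked about in question 2 and the aging arithmetic from Chris Jones's script, combined in one added Python example (not code from any poster in this thread). It converts day counts with no time-zone shift, so 12580 comes out as 06/11/2004, whereas localtime() in a zone west of UTC prints the evening of June 10. Assumptions: the function names are invented here, the password hash in the sample entries is replaced by a placeholder, and 'inactive' is read as Chris Jones describes it (grace days after the password expires); a system that counts inactivity from the last login would need lastlog data instead.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("lastchg", "min", "max", "warn", "inactive", "expire")  # fields 3-8

def days_to_date(days):
    """Shadow day count -> calendar date, with no time-zone shift."""
    return EPOCH + timedelta(days=days)

def date_to_days(mmddyyyy):
    """mm/dd/yyyy, the form given to usermod -e -> shadow day count."""
    month, day, year = (int(p) for p in mmddyyyy.split("/"))
    return (date(year, month, day) - EPOCH).days

def parse_shadow(line):
    """Split one shadow entry; empty numeric fields become None."""
    parts = line.strip().split(":")
    entry = {"login": parts[0]}
    for name, raw in zip(FIELDS, parts[2:8]):
        entry[name] = int(raw) if raw else None
    return entry

def aging_report(entry, today):
    """Password and account deadlines for one entry on day `today`."""
    out = {"days_left": None, "pw_expires": None, "locked_on": None,
           "acct_expires": None, "status": "ok"}
    if entry["lastchg"] is not None and entry["max"] is not None:
        pw_end = entry["lastchg"] + entry["max"]
        out["days_left"] = pw_end - today        # the script's EXPIRE value
        out["pw_expires"] = days_to_date(pw_end)
        if today > pw_end:
            out["status"] = "password expired"
        elif entry["warn"] and today >= pw_end - entry["warn"]:
            out["status"] = "warning"
        # Assumption: 'inactive' = grace days after expiry, as in the post.
        if entry["inactive"] is not None:
            lock = pw_end + entry["inactive"]
            out["locked_on"] = days_to_date(lock)
            if today > lock:
                out["status"] = "locked"
    if entry["expire"] is not None:
        out["acct_expires"] = days_to_date(entry["expire"])
        if today >= entry["expire"]:
            out["status"] = "account expired"
    return out

# Constructed sample entries: numeric fields from the thread, hash replaced.
SAMPLES = ["jk1:HASH:12577:7:30:7::12580:", "somelogin:HASH:12558::90:14:90::"]
if __name__ == "__main__":
    today = (date.today() - EPOCH).days
    for line in SAMPLES:
        print(line.split(":")[0], aging_report(parse_shadow(line), today))
```

Reading the limits from each entry, rather than hard-coding 90, keeps the report correct for accounts whose aging settings differ from the site default.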
