[tjay83]

hi
How can I force user to change of password by modifying the password expiry and the grace period so that the
user has at least 1 week to login and change the password.

[eggi]

Hey There,

You can do it with the passwd command, but the variety of options ranges greatly between linux and unix distro's

On most you can do

passwd -f

to force the user to change the password the first time they log in

and (or do both options on the same invocation of passwd)

passwd -i 7

to give them a week before it expires, but the man page for passwd on your system would be most helpful. If you want to set limits for all users, you can usually find something like /etc/default/passwd (on Solaris) or /etc/default or /etc/default/useradd or /etc/passwd.defs or even /etc/pam.d/passwd - it all depends.

If you want to manually mangle the user's /etc/shadow entry, just change the 5th field (fields separated by colons ":") to 7 and the 8th field to 0 (this should be the time to expiration which would cause automatic expiration and force a password change). Again, be sure to check your system's manpage on /etc/shadow just in case the fields are slightly different.

Hope that helps

, Mike

[tjay83]

thanks eggy

How can I change the default shell of a user without using chsh -s command?
( by modifying /etc/passwd)

the user will enter the username

echo "enter username to change default shell";

read username;

## Awk or sed command change default shell

[eggi]

Hey There,

No problem. Happy to help

If you want to keep things safe, after the user enters his/her password, you could setup some sort of sudo rule (if necessary) to allow them to run

usermod -s /bin/whatevershell

or have the script just add

exec /bin/whatevershell

to the end of their .profile or .bashrc

If you wanted to replace it with sed, you could do:

username="username"
newshell="\/bin\/newshell" <-- Be sure to backslash the forward slashes or sed will quit and error out on you!
sed "/$username/s/^\(.*:\).*$/\1$newshell/" /etc/passwd

use

sed -n "/$username/s/^\(.*:\).*$/\1$newshell/p" /etc/passwd

if you just want to see the one line for a test, but don't use them when you're modifying the entire file

Best wishes,

Mike

[tjay83]

I can do it by:

echo "Enter username to change default shell:";
read username;
echo "Enter shell:";
read shelll;

test $(grep -c $username /etc/shadow) -gt 0 && chsh -s $shelll $username || echo "There is no such a user.";;

but when I tried:

echo "Enter username to change default shell:";
read username;
echo "Enter shell:";
read shelll;

sed -n "/$username/s/^\(.*:\).*$/\1$shelll/p" /etc/passwd

it doesnt work...

[eggi]

Hey man,

The -n -p will only print one line

Sorry I wasn't more specific. In your script, just use:

sed -i "/$username/s/^\(.*:\).*$/\1$shelll/" /etc/passwd

use "-i" for inline editing. If your version of sed doesn't support that, do this (more typing but same thing:

sed "/$username/s/^\(.*:\).*$/\1$shelll/" /etc/passwd >>/tmp/passwd.tmp;cp /tmp/passwd.tmp /etc/passwd

Reset perms, etc, to be paranoid (and safe

Best wishes,

Mike

[tjay83]

Thanks Eggy,
One last question

by modifying /etc/shadow
how can I Force a change of password so that user has at least 1 week to login?

I did it by using:

echo "enter username to force password change"
read user;
chage -M 7 $user;How can I do it by modifying /etc/shadow??

How can I do it by modifying /etc/shadow??

[eggi]

Hey There,

You can modify field 8 (fields separated by colons) and make that value of 7 days (in Unix/Linux seconds) since the epoch, or next week (7 days from when you force the password change).

In order to get that time, Perl is the best way to get it simply - so right now it's:

$ perl -e '@howmanysecs = (time);print @howmanysecs;'
1222583308

and next week will be:

$ perl -e '@howmanysecs = (time+604800);print @howmanysecs;'
1223188109

Add that value into field 8 and you'll have given him a week

Thanks,

Mike

[tjay83]

thanks eggy, but I didnt get the usage of Perl. Could you change ur script like mine?
First users enters username, and and so on...

echo "enter username to force password change"
read user;
chage -M 7 $user;How can I do it by modifying /etc/shadow??

eggi, on Sep 28 2008, 06:30 AM, said:

Hey There,

You can modify field 8 (fields separated by colons) and make that value of 7 days (in Unix/Linux seconds) since the epoch, or next week (7 days from when you force the password change).

In order to get that time, Perl is the best way to get it simply - so right now it's:

$ perl -e '@howmanysecs = (time);print @howmanysecs;'
1222583308

and next week will be:

$ perl -e '@howmanysecs = (time+604800);print @howmanysecs;'
1223188109

Add that value into field 8 and you'll have given him a week

Thanks,

Mike

[eggi]

Hey There,

No problem. The only issue is that the field you want to modify takes the number of seconds since Jan 1st 1970 as the expiration date I used Perl because I'm used to it.

You can get the same info from "date" in bash:

Right Now

$ date --date='2008-09-30 19:51:00' +%s
1222822260

Add 7 days

$ date --date='2008-10-07 19:51:00' +%s
1223427060

and that's the number you need for the week in field 8.


Let me know if I'm still off the radar. Sorry if this isn't helpful. It will be eventually

If you have a skeleton script written, throw it up here and I can modify it for you (or someone else can - I'm not a glory-hog

, Mike

[sylverlyon1]

You can get the same info from "date" in bash:

Right Now

$ date --date='2008-09-30 19:51:00' +%s
1222822260

Add 7 days

$ date --date='2008-10-07 19:51:00' +%s
1223427060

*********************************************************************

I tried the above code and it doesnt seem to work??

is the syntax correct??

[eggi]

Hey There,

It was for my setup. You should check the man page for date. If you're using Solaris, their native date command doesn't support this, but almost any GNU date should be able to perform this task.

Just to be clear, while I said you could do that with date in bash, the "in bash" part may have been misleading. The date command exists outside of the bash shell, so be sure that you're using the GNU version.

If you do:

Quote

date -xkdfjskfladjdsf

at the command line, any version should complain and list out whatever flag you need to pass it for the help option, which, when invoked with that, would give you better info on what version of date you're using.

Best wishes,

I'll keep checking back

Like I said, if you have a skeleton script, post it here and maybe I can be of more help to you by filling in the missing pieces. Also, let me know what OS and shell you use.

, Mike

[sylverlyon1]

hey mike,

The date function now works for me...so thanks for that. But as u stated in the previous posting, that in order to make an account expire that we have to convert that into seconds from epoch and the modify the shadow file and change the 8th field to the no of seconds. But i just checked the man page for shadow file in unix and this is what is says for the 8th field,

expire An absolute date expressed as the number of
days since the Unix Epoch (January 1, 1970).
When this number is reached the login can no
longer be used. For example, an expire value
of 13514 specifies a login expiration of
January 1, 2007.

so if we mention the seconds in the 8th field, its not gonna work!! am i rite???

If not!! how to find the no of days???
is it gonna be sec / 86400 ....to get the answer??????
regards,

[eggi]

Hey Again,

Always good to check the man pages. So many different distro's around, and things change over time

Yes, you are correct. To get the number of days, you can just divide the seconds by 86400.

Looks like you're on the right path. Nice work

, Mike

sylverlyon1, on Oct 8 2008, 07:31 AM, said:

hey mike,

The date function now works for me...so thanks for that. But as u stated in the previous posting, that in order to make an account expire that we have to convert that into seconds from epoch and the modify the shadow file and change the 8th field to the no of seconds. But i just checked the man page for shadow file in unix and this is what is says for the 8th field,

expire An absolute date expressed as the number of
days since the Unix Epoch (January 1, 1970).
When this number is reached the login can no
longer be used. For example, an expire value
of 13514 specifies a login expiration of
January 1, 2007.

so if we mention the seconds in the 8th field, its not gonna work!! am i rite???

If not!! how to find the no of days???
is it gonna be sec / 86400 ....to get the answer??????
regards,