expire accounts with ADMCHG set
Ok new audit requirement -- AIX 5.3--maybe 5.2 -- accounts with
ADMCHG set ignore expiration dates. Is there any way to change this
behavior?
We create accounts and set an initial passwd with the admchg flag
set. The accounts are supposed to expire in 90 days. BUT if the user
never logs in in that period the accounts do not expire, they can log
in with the initial passwd at any time in the future and they will
get in.
I know this can be scripted but I would prefer something inherent in
AIX to do the job before I go off the deep end and accidentally lock
everybody out....
thanx
Re: expire accounts with ADMCHG set
On Aug 19, 9:37 am, jthomp1...@yahoo.com wrote:
> Ok new audit requirement -- AIX 5.3--maybe 5.2 -- accounts with
> ADMCHG set ignore expiration dates. Is there any way to change this
> behavior?
>
> We create accounts and set an initial passwd with the admchg flag
> set. The accounts are supposed to expire in 90 days. BUT if the user
> never logs in in that period the accounts do not expire, they can log
> in with the initial passwd at any time in the future and they will
> get in.
>
> I know this can be scripted but I would prefer something inherent in
> AIX to do the job before I go off the deep end and accidentally lock
> everybody out....
> thanx
According to IBM support there's not. And there's no good builtin date
routine for minutes from epoch, so this becomes a C exercise or Perl
maybe. Sure wish the OS did this, I hate the idea of scripting mass
lockouts out of a cron job; no doubt I will whack root or oracle at
some point.
Re: expire accounts with ADMCHG set
On Aug 20, 4:37 am, jthomp1...@yahoo.com wrote:
> Ok new audit requirement -- AIX 5.3--maybe 5.2 -- accounts with
> ADMCHG set ignore expiration dates. Is there any way to change this
> behavior?
>
> We create accounts and set an initial passwd with the admchg flag
> set. The accounts are supposed to expire in 90 days. BUT if the user
> never logs in in that period the accounts do not expire, they can log
> in with the initial passwd at any time in the future and they will
> get in.
>
> I know this can be scripted but I would prefer something inherent in
> AIX to do the job before I go off the deep end and accidentally lock
> everybody out....
> thanx
Easiest (!) thing may be to install "expect" and set the password to
some pre-agreed standard and that would remove this dependency.
I run a weekly AIX audit script (but believe the AIXpert Fileset can
do this too) where I sniff around all the /etc/security files looking
for "badness".
HTH
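
A report-only form of the check discussed in this thread, as an added example that is not code from any of the posters: it lists accounts that still have ADMCHG set and whose password is older than the 90-day limit, and skips a protected list so root or oracle are never touched. It assumes the `/etc/security/passwd` stanza layout with `lastupdate` in seconds since the epoch; the function names, the protected list and the sample stanzas are constructed, and the current time is passed in as an argument (for instance from `perl -e 'print time'`).

```shell
# Report-only: list accounts that still carry ADMCHG and whose lastupdate
# is older than the allowed age. Nothing is locked or changed.
# $1 = stanza file ("-" = stdin)  $2 = now (epoch s)  $3 = max days  $4 = skip list
stale_admchg() {
    awk -v now="$2" -v days="$3" -v skip="$4" '
        function report() {
            if (user != "" && admchg && last != "" && !(user in keep) &&
                now - last > days * 86400)
                printf "%s %d\n", user, int((now - last) / 86400)
            admchg = 0; last = ""
        }
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        # A stanza starts with "name:" in column 0.
        /^[A-Za-z0-9_][A-Za-z0-9_.-]*:/ { report(); user = $1; sub(/:$/, "", user); next }
        $1 == "lastupdate" && $2 == "=" { last = $3 }
        $1 == "flags" && $2 == "=" && /ADMCHG/ { admchg = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample stanzas in the /etc/security/passwd layout (assumed:
# lastupdate is seconds since the epoch). Not real accounts or hashes.
sample_stanzas() {
    cat <<'EOF'
root:
        password = x
        lastupdate = 1000000000
        flags =

oracle:
        password = x
        lastupdate = 1000000000
        flags = ADMCHG

alice:
        password = x
        lastupdate = 1000000000
        flags = ADMCHG

bob:
        password = x
        lastupdate = 1007776000
        flags = ADMCHG
EOF
}

# "now" is 100 days after alice's lastupdate; root and oracle are protected.
sample_stanzas | stale_admchg - 1008640000 90 "root oracle"
```

Each output line is a user name followed by the password age in days, which can be reviewed by hand before any account is locked.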