getting password expiry on *nix systems - Unix

This is a discussion on getting password expiry on *nix systems - Unix ; Hi all, how might I get whether a given user's password has expired on *nix systems. I know on HP-UX there is the getprpwnam() method which returns a pr_passwd struct. From that I can work out whether the password has ...

+ Reply to Thread
Results 1 to 11 of 11

Thread: getting password expiry on *nix systems

  1. getting password expiry on *nix systems

    Hi all,

    how might I get whether a given user's password has expired on *nix
    systems. I know on HP-UX there is the getprpwnam() method which
    returns a pr_passwd struct. From that I can work out whether the
    password has expired or not.

    Is there somthing universal that will work on all *nix systems?

    Regards,

    John

  2. Re: getting password expiry on *nix systems

    my question could be phrased;

    "how can I tell if a user's password has been expired in Unix
    systems?" I know on unix systems you can do passwd -f to expire them
    but how might I in my program tell if the user's password has been
    expired?

    Regards,

    John


  3. Re: getting password expiry on *nix systems

    johnmmcparland wrote:
    > my question could be phrased;
    >
    > "how can I tell if a user's password has been expired in Unix
    > systems?" I know on unix systems you can do passwd -f to expire them
    > but how might I in my program tell if the user's password has been
    > expired?

    I guess it depends on what UNIX you're using, not all of them support
    passwords to expire.
    On those that do, I believe you'd find the information in /etc/shadow and
    'man shadow' will give details about the file's format.
    As far as I see it is the 8th field (colon separated), which is the number
    of days since January 1, 1970 on which it will expire (or has expired). Then
    ther's the sum of the 3rd files (last changed, counted in days since the
    epoch) and the 5th filed (maximum number of days the passwd is valid).

    Not sure whether that's true everywhere, I've checked a SysV 4.2 and Linux

    Problem is that this file is only readable to root.
    The utilities that may be available to you (e.g. passwd -s or passwd -S)
    work because they are SUID.

    Bye, Jojo



  4. Re: getting password expiry on *nix systems

    In johnmmcparland writes:

    > my question could be phrased;


    > "how can I tell if a user's password has been expired in Unix
    > systems?" I know on unix systems you can do passwd -f to expire them
    > but how might I in my program tell if the user's password has been
    > expired?


    The getpwent() system call returns information about a user's password
    entry. Among the information returned is a date object that specifies
    when the user's password will expire. If this date is in the past, the
    password has expired.

    Of course, you must be root to access this information.

    --
    John Gordon A is for Amy, who fell down the stairs
    gordon@panix.com B is for Basil, assaulted by bears
    -- Edward Gorey, "The Gashlycrumb Tinies"


  5. Re: getting password expiry on *nix systems

    John Gordon wrote:
    > In
    >
    > johnmmcparland writes:
    >
    >> my question could be phrased;

    >
    >> "how can I tell if a user's password has been expired in Unix
    >> systems?" I know on unix systems you can do passwd -f to expire them
    >> but how might I in my program tell if the user's password has been
    >> expired?

    >
    > The getpwent() system call returns information about a user's password
    > entry. Among the information returned is a date object that specifies
    > when the user's password will expire. If this date is in the past,
    > the password has expired.

    Nope, it does not. Not on the systems I checked at least. As the name
    implies getpwent returns an entry from the /etc/passwd file and tat doesn't
    contain this information.
    Same applies to getpwnam and getpwuid, they all return a stuct passwd * and
    that does not contain expiry information. On system with /etc/shadow it
    doesn't even contain a(nencrypted) password

    > Of course, you must be root to access this information.

    Nope, you don't, as /etc/passwd is world readable

    Bye, Jojo



  6. Re: getting password expiry on *nix systems

    On Apr 17, 5:57 pm, "Joachim Schmitz"
    wrote:
    > John Gordon wrote:
    > > In
    > >
    > > johnmmcparland writes:

    >
    > >> my question could be phrased;

    >
    > >> "how can I tell if a user's password has been expired in Unix
    > >> systems?" I know on unix systems you can do passwd -f to expire them
    > >> but how might I in my program tell if the user's password has been
    > >> expired?

    >
    > > The getpwent() system call returns information about a user's password
    > > entry. Among the information returned is a date object that specifies
    > > when the user's password will expire. If this date is in the past,
    > > the password has expired.

    >
    > Nope, it does not. Not on the systems I checked at least. As the name
    > implies getpwent returns an entry from the /etc/passwd file and tat doesn't
    > contain this information.
    > Same applies to getpwnam and getpwuid, they all return a stuct passwd * and
    > that does not contain expiry information. On system with /etc/shadow it
    > doesn't even contain a(nencrypted) password
    >
    > > Of course, you must be root to access this information.

    >
    > Nope, you don't, as /etc/passwd is world readable
    >
    > Bye, Jojo


    Hmm so;

    getprpwnam is out because either I'm running on Linux and don't know
    if I can guarantee the protected password database on HP-UX has been
    enabled.
    getpwnam() etc is out because it returns a struct passwd* which does
    not contain the information I need.
    getspnam() is out unless I can guarantee that shadow passwords have
    been set up.
    making a system call to logins doesn't work because I'm not bin.

    Does this seem correct? There must be a way to get something,
    anything that tells me if a user's password has expired on all unix
    systems (or at least on HPUX without shadow / protected password
    database).

    Regards,

    John

  7. Re: getting password expiry on *nix systems

    johnmmcparland wrote:
    > On Apr 17, 5:57 pm, "Joachim Schmitz"
    > wrote:
    >> John Gordon wrote:
    >>> In
    >>>
    >>> johnmmcparland writes:

    >>
    >>>> my question could be phrased;

    >>
    >>>> "how can I tell if a user's password has been expired in Unix
    >>>> systems?" I know on unix systems you can do passwd -f to expire
    >>>> them but how might I in my program tell if the user's password has
    >>>> been expired?

    >>
    >>> The getpwent() system call returns information about a user's
    >>> password entry. Among the information returned is a date object
    >>> that specifies when the user's password will expire. If this date
    >>> is in the past, the password has expired.

    >>
    >> Nope, it does not. Not on the systems I checked at least. As the name
    >> implies getpwent returns an entry from the /etc/passwd file and tat
    >> doesn't contain this information.
    >> Same applies to getpwnam and getpwuid, they all return a stuct
    >> passwd * and that does not contain expiry information. On system
    >> with /etc/shadow it doesn't even contain a(nencrypted) password
    >>
    >>> Of course, you must be root to access this information.

    >>
    >> Nope, you don't, as /etc/passwd is world readable
    >>
    >> Bye, Jojo

    >
    > Hmm so;
    >
    > getprpwnam is out because either I'm running on Linux and don't know
    > if I can guarantee the protected password database on HP-UX has been
    > enabled.
    > getpwnam() etc is out because it returns a struct passwd* which does
    > not contain the information I need.
    > getspnam() is out unless I can guarantee that shadow passwords have
    > been set up.

    Ah, getspnam()...
    I think without shadow passwords there won't be expired passwords.
    And getspname() returning an error or empty entries might be indicating
    that?

    > making a system call to logins doesn't work because I'm not bin.
    >
    > Does this seem correct? There must be a way to get something,
    > anything that tells me if a user's password has expired on all unix
    > systems (or at least on HPUX without shadow / protected password
    > database).

    Have you tried getspnam()?

    Bye, Jojo



  8. Re: getting password expiry on *nix systems

    On Apr 17, 6:15 pm, "Joachim Schmitz"
    wrote:
    > johnmmcparland wrote:
    > > On Apr 17, 5:57 pm, "Joachim Schmitz"
    > > wrote:
    > >> John Gordon wrote:
    > >>> In
    > >>>
    > >>> johnmmcparland writes:

    >
    > >>>> my question could be phrased;

    >
    > >>>> "how can I tell if a user's password has been expired in Unix
    > >>>> systems?" I know on unix systems you can do passwd -f to expire
    > >>>> them but how might I in my program tell if the user's password has
    > >>>> been expired?

    >
    > >>> The getpwent() system call returns information about a user's
    > >>> password entry. Among the information returned is a date object
    > >>> that specifies when the user's password will expire. If this date
    > >>> is in the past, the password has expired.

    >
    > >> Nope, it does not. Not on the systems I checked at least. As the name
    > >> implies getpwent returns an entry from the /etc/passwd file and tat
    > >> doesn't contain this information.
    > >> Same applies to getpwnam and getpwuid, they all return a stuct
    > >> passwd * and that does not contain expiry information. On system
    > >> with /etc/shadow it doesn't even contain a(nencrypted) password

    >
    > >>> Of course, you must be root to access this information.

    >
    > >> Nope, you don't, as /etc/passwd is world readable

    >
    > >> Bye, Jojo

    >
    > > Hmm so;

    >
    > > getprpwnam is out because either I'm running on Linux and don't know
    > > if I can guarantee the protected password database on HP-UX has been
    > > enabled.
    > > getpwnam() etc is out because it returns a struct passwd* which does
    > > not contain the information I need.
    > > getspnam() is out unless I can guarantee that shadow passwords have
    > > been set up.

    >
    > Ah, getspnam()...
    > I think without shadow passwords there won't be expired passwords.
    > And getspname() returning an error or empty entries might be indicating
    > that?
    >
    > > making a system call to logins doesn't work because I'm not bin.

    >
    > > Does this seem correct? There must be a way to get something,
    > > anything that tells me if a user's password has expired on all unix
    > > systems (or at least on HPUX without shadow / protected password
    > > database).

    >
    > Have you tried getspnam()?
    >
    > Bye, Jojo


    Yea I think you're right shadow passwords need to be set up to have
    password expiration. I'll give that a bash when I have some
    information about it though. I'm not sure if all HPUX versions have
    shadow installed although if not I suppose this won't be a problem
    anyway.

  9. Re: getting password expiry on *nix systems

    On Apr 17, 6:24 pm, johnmmcparland
    wrote:
    > On Apr 17, 6:15 pm, "Joachim Schmitz"
    > wrote:
    >
    >
    >
    > > johnmmcparland wrote:
    > > > On Apr 17, 5:57 pm, "Joachim Schmitz"
    > > > wrote:
    > > >> John Gordon wrote:
    > > >>> In
    > > >>>
    > > >>> johnmmcparland writes:

    >
    > > >>>> my question could be phrased;

    >
    > > >>>> "how can I tell if a user's password has been expired in Unix
    > > >>>> systems?" I know on unix systems you can do passwd -f to expire
    > > >>>> them but how might I in my program tell if the user's password has
    > > >>>> been expired?

    >
    > > >>> The getpwent() system call returns information about a user's
    > > >>> password entry. Among the information returned is a date object
    > > >>> that specifies when the user's password will expire. If this date
    > > >>> is in the past, the password has expired.

    >
    > > >> Nope, it does not. Not on the systems I checked at least. As the name
    > > >> implies getpwent returns an entry from the /etc/passwd file and tat
    > > >> doesn't contain this information.
    > > >> Same applies to getpwnam and getpwuid, they all return a stuct
    > > >> passwd * and that does not contain expiry information. On system
    > > >> with /etc/shadow it doesn't even contain a(nencrypted) password

    >
    > > >>> Of course, you must be root to access this information.

    >
    > > >> Nope, you don't, as /etc/passwd is world readable

    >
    > > >> Bye, Jojo

    >
    > > > Hmm so;

    >
    > > > getprpwnam is out because either I'm running on Linux and don't know
    > > > if I can guarantee the protected password database on HP-UX has been
    > > > enabled.
    > > > getpwnam() etc is out because it returns a struct passwd* which does
    > > > not contain the information I need.
    > > > getspnam() is out unless I can guarantee that shadow passwords have
    > > > been set up.

    >
    > > Ah, getspnam()...
    > > I think without shadow passwords there won't be expired passwords.
    > > And getspname() returning an error or empty entries might be indicating
    > > that?

    >
    > > > making a system call to logins doesn't work because I'm not bin.

    >
    > > > Does this seem correct? There must be a way to get something,
    > > > anything that tells me if a user's password has expired on all unix
    > > > systems (or at least on HPUX without shadow / protected password
    > > > database).

    >
    > > Have you tried getspnam()?

    >
    > > Bye, Jojo

    >
    > Yea I think you're right shadow passwords need to be set up to have
    > password expiration. I'll give that a bash when I have some
    > information about it though. I'm not sure if all HPUX versions have
    > shadow installed although if not I suppose this won't be a problem
    > anyway.


    Another thought - can I call any of these methods as a non-root user?

  10. Re: getting password expiry on *nix systems

    In "Joachim Schmitz" writes:

    > > The getpwent() system call returns information about a user's password
    > > entry. Among the information returned is a date object that specifies
    > > when the user's password will expire. If this date is in the past,
    > > the password has expired.


    > Nope, it does not. Not on the systems I checked at least. As the name
    > implies getpwent returns an entry from the /etc/passwd file and tat doesn't
    > contain this information.


    You're right. It's been too long since I worked with this stuff.

    I was actually thinking of getspnam() instead of getpwent(). However,
    that requires the use of a shadow password file, which some unixes have
    and some don't.

    --
    John Gordon A is for Amy, who fell down the stairs
    gordon@panix.com B is for Basil, assaulted by bears
    -- Edward Gorey, "The Gashlycrumb Tinies"


  11. Re: getting password expiry on *nix systems

    johnmmcparland wrote:
    > On Apr 17, 6:24 pm, johnmmcparland
    > wrote:
    >> On Apr 17, 6:15 pm, "Joachim Schmitz"
    >> wrote:
    >>
    >>
    >>
    >>> johnmmcparland wrote:
    >>>> On Apr 17, 5:57 pm, "Joachim Schmitz"
    >>>> wrote:
    >>>>> John Gordon wrote:
    >>>>>> In
    >>>>>>
    >>>>>> johnmmcparland writes:

    >>
    >>>>>>> my question could be phrased;

    >>
    >>>>>>> "how can I tell if a user's password has been expired in Unix
    >>>>>>> systems?" I know on unix systems you can do passwd -f to expire
    >>>>>>> them but how might I in my program tell if the user's password
    >>>>>>> has been expired?

    >>
    >>>>>> The getpwent() system call returns information about a user's
    >>>>>> password entry. Among the information returned is a date object
    >>>>>> that specifies when the user's password will expire. If this
    >>>>>> date is in the past, the password has expired.

    >>
    >>>>> Nope, it does not. Not on the systems I checked at least. As the
    >>>>> name implies getpwent returns an entry from the /etc/passwd file
    >>>>> and tat doesn't contain this information.
    >>>>> Same applies to getpwnam and getpwuid, they all return a stuct
    >>>>> passwd * and that does not contain expiry information. On system
    >>>>> with /etc/shadow it doesn't even contain a(nencrypted) password

    >>
    >>>>>> Of course, you must be root to access this information.

    >>
    >>>>> Nope, you don't, as /etc/passwd is world readable

    >>
    >>>>> Bye, Jojo

    >>
    >>>> Hmm so;

    >>
    >>>> getprpwnam is out because either I'm running on Linux and don't
    >>>> know if I can guarantee the protected password database on HP-UX
    >>>> has been enabled.
    >>>> getpwnam() etc is out because it returns a struct passwd* which
    >>>> does not contain the information I need.
    >>>> getspnam() is out unless I can guarantee that shadow passwords have
    >>>> been set up.

    >>
    >>> Ah, getspnam()...
    >>> I think without shadow passwords there won't be expired passwords.
    >>> And getspname() returning an error or empty entries might be
    >>> indicating that?

    >>
    >>>> making a system call to logins doesn't work because I'm not bin.

    >>
    >>>> Does this seem correct? There must be a way to get something,
    >>>> anything that tells me if a user's password has expired on all unix
    >>>> systems (or at least on HPUX without shadow / protected password
    >>>> database).

    >>
    >>> Have you tried getspnam()?

    >>
    >>> Bye, Jojo

    >>
    >> Yea I think you're right shadow passwords need to be set up to have
    >> password expiration. I'll give that a bash when I have some
    >> information about it though. I'm not sure if all HPUX versions have
    >> shadow installed although if not I suppose this won't be a problem
    >> anyway.

    >
    > Another thought - can I call any of these methods as a non-root user?

    As /etc/shadow is the file that would contain the information needed and is
    secured to allow on root read access, I'd think all this would fail for
    non-root users.

    Bye, Jojo



+ Reply to Thread