authorJonas Smedegaard <dr@jones.dk>2011-10-06 13:25:50 +0200
committerJonas Smedegaard <dr@jones.dk>2011-10-06 13:25:50 +0200
commitac255291751e2d635992b5a0ebc4b5f203a888b0 (patch)
treeb9a0bd44f18f131289e5d79129c0aaf800bf7ad6
parent6691d89275bd5251661d307bd5b5cc9ce7699b16 (diff)
Add new script localnotifypwexp to warn users before their password expires.
-rwxr-xr-xlocalnotifypwexp144
1 files changed, 144 insertions, 0 deletions
diff --git a/localnotifypwexp b/localnotifypwexp
new file mode 100755
index 0000000..0d7845f
--- /dev/null
+++ b/localnotifypwexp
@@ -0,0 +1,144 @@
+#!/bin/bash
+
+set -e
+
+# notifypwexp - send mail to users whose passwords are expiring soon
+# designed to be run daily or weekly from cron
+
+# call with -w for weekly mode (checks to see if warning period begins in the next 7 days
+# use -w for a weekly cron job, avoiding excessive emails
+
+# with no option, it only checks whether we're in the warning period now
+# use this for a daily cron job
+
+# by Dennis Williamson
+
+# Origin: http://serverfault.com/questions/11887
+
+# ### SETUP ###
+
+if [[ $1 == "-w" ]] # check for expiration warnings beginning during the next seven days
+then
+ weekmode=7
+else
+ weekmode=0
+fi
+
+admins="root postmaster"
+declare -r aged=21 # minimum days after expiration before admins are emailed, set to 0 for "always"
+
+hostname=$(hostname --fqdn)
+
+# /etc/shadow is system dependent
+shadowfile="/etc/shadow"
+# fields in /etc/shadow
+declare -r last=2
+#declare -r may=3 # not used in this script
+declare -r must=4
+declare -r warn=5
+#declare -r grace=6 # not used in this script
+declare -r disable=7
+
+declare -r doesntmust=99999
+declare -r warndefault=7
+
+passwdfile="/etc/passwd"
+declare -r uidfield=3
+declare -r unamefield=1
+# UID range is system dependent
+declare -r uidmin=1000
+declare -r uidmax=65534 # exclusive
+
+# remove the hardcoded path from these progs to use them via $PATH
+# mailx is system dependent
+notifyprog="/bin/mailx"
+grepprog="/bin/grep"
+awkprog="/usr/bin/awk"
+dateprog="/bin/date"
+
+# comment out one of these
+#useUTC=""
+useUTC="-u"
+
+# +%s is a GNUism - set it to blank and use dateformat if you have
+# a system that uses something else like epochdays, for example
+epochseconds="+%s"
+dateformat="" # blank for GNU when epochseconds="+%s"
+secondsperday=86400 # set this to 1 for no division
+
+today=$(($($dateprog $useUTC $epochseconds $dateformat)/$secondsperday))
+oIFS=$IFS
+
+# ### END SETUP ###
+
+# ### MAIL TEMPLATES ###
+
+# use single quotes around templates, backslash escapes and substitutions
+# will be evaluated upon output
+usersubjecttemplate='Your password is expiring soon'
+userbodytemplate='Your password on $hostname expires in $(($expdate - $today)) days.
+
+Please contact the IT department by email at \"helpdesk\" or at
+extension 555 if you have any questions. Help is also available at
+http://helpdesk.example.com/password'
+
+adminsubjecttemplate='User Password Expired: $user@$hostname'
+adminbodytemplate='The password for user $user on $hostname expired $age days ago.
+
+Please contact this user about their inactive account and consider whether
+the account should be disabled or deleted.'
+
+# ### END MAIL TEMPLATES ###
+
+# allow overrides (especially userbodytemplate)
+declare -r localconfig=/etc/local/notifypwexp
+if [ -r /etc/default/$localconfig ]; then . /etc/default/$localconfig; fi
+
+# get real users
+users=$($awkprog -F: -v uidfield=$uidfield \
+ -v unamefield=$unamefield \
+ -v uidmin=$uidmin \
+ -v uidmax=$uidmax \
+ -- '$uidfield>=uidmin && $uidfield<uidmax \
+ {print $unamefield}' $passwdfile)
+
+for user in $users;
+do
+
+ IFS=":"
+ usershadow=$($grepprog ^$user $shadowfile)
+
+ # make an array out of it
+ usershadow=($usershadow)
+ IFS=$oIFS
+
+ mustchange=${usershadow[$must]}
+ disabledate=${usershadow[$disable]:-$doesntmust}
+
+ # skip users that aren't expiring or that are disabled
+ if [[ $mustchange -ge $doesntmust || $disabledate -le $today ]] ; then continue; fi;
+
+ lastchange=${usershadow[$last]}
+ warndays=${usershadow[$warn]:-$warndefault}
+ expdate=$(($lastchange + $mustchange))
+
+ threshhold=$(($today + $warndays + $weekmode))
+
+ if [[ $expdate -lt $threshhold ]];
+ then
+ if [[ $expdate -ge $today ]];
+ then
+ subject=$(eval "echo \"$usersubjecttemplate\"")
+ body=$(eval "echo \"$userbodytemplate\"")
+ echo -e "$body" | $notifyprog -s "$subject" $user
+ else
+ if [[ $age -ge $aged ]];
+ then
+ subject=$(eval "echo \"$adminsubjecttemplate\"")
+ body=$(eval "echo \"$adminbodytemplate\"")
+ echo -e "$body" | $notifyprog -s "$subject" $admins
+ fi
+ fi
+ fi
+
+done
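Review bot: `age` is never assigned before `[[ $age -ge $aged ]]` in the expired-password branch, so the test sees an empty value (evaluated as 0) and, with the default `aged=21`, the admin mail is never sent; add `age=$((today - expdate))` just before that test. The shadow lookup `$grepprog ^$user $shadowfile` is a prefix match, so a user `bob` also pulls in the line for `bobby` and the colon-split array then holds fields from merged entries; `usershadow=$($grepprog "^${user}:" "$shadowfile")` pins it to one account. The override line tests `/etc/default/$localconfig`, which expands to `/etc/default//etc/local/notifypwexp`, so the local config is probably never read; `if [ -r "$localconfig" ]; then . "$localconfig"; fi` looks like the intent. Because that file is sourced by a job that must be able to read /etc/shadow (presumably running as root), it should be root-owned and not writable by anyone else, and a comment next to the `.` line should say so.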