Init password expiry notifier
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
parent
e029bd6231
commit
ec9366e51c
150
scripts/bash/notifypwexp.sh
Executable file
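--- a/scripts/bash/notifypwexp.sh
+++ b/scripts/bash/notifypwexp.sh
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+# notifypwexp - send mail to users whose passwords are expiring soon
+# designed to be run daily or weekly from cron
+
+# original code by Dennis Williamson
+# modified by Georg Pfuetzenreuter <georg@lysergic.dev>
+
+# ### SETUP ###
+
+#for weekly cron:
+weekmode=7
+
+#for daily cron:
+#weekmode=0
+
+admins="system"
+declare -r aged=21 # minimum days after expiration before admins are emailed, set to 0 for "always"
+
+hostname=`hostname --fqdn`
+
+# /etc/shadow is system dependent
+shadowfile="/etc/shadow"
+# fields in /etc/shadow
+declare -r last=2
+#declare -r may=3 # not used in this script
+declare -r must=4
+declare -r warn=5
+#declare -r grace=6 # not used in this script
+declare -r disable=7
+
+declare -r doesntmust=99999
+declare -r warndefault=7
+
+passwdfile="/etc/passwd"
+declare -r uidfield=3
+declare -r unamefield=1
+# UID range is system dependent
+declare -r uidmin=1000
+declare -r uidmax=65534 # exclusive
+
+# remove the hardcoded path from these progs to use them via $PATH
+# mailx is system dependent
+notifyprog="/bin/mail"
+grepprog="/bin/grep"
+awkprog="/usr/bin/awk"
+dateprog="/bin/date"
+
+# comment out one of these
+#useUTC=""
+useUTC="-u"
+
+# +%s is a GNUism - set it to blank and use dateformat if you have
+# a system that uses something else like epochdays, for example
+epochseconds="+%s"
+dateformat="" # blank for GNU when epochseconds="+%s"
+secondsperday=86400 # set this to 1 for no division
+#secondsperday=1
+
+today=$(($($dateprog $useUTC $epochseconds $dateformat)/$secondsperday))
+echo "today: $today"
+oIFS=$IFS
+
+# ### END SETUP ###
+
+# ### MAIL TEMPLATES ###
+
+# use single quotes around templates, backslash escapes and substitutions
+# will be evaluated upon output
+usersubjecttemplate='Your password is expiring soon'
+
+gentemplate_userbody () {
+local days="$1"
+userbodytemplate="Your password on $hostname expires in $days days."
+}
+
+adminsubjecttemplate='User Password Expired: $user@$hostname'
+adminbodytemplate='The password for user $user on $hostname expired $age days ago.
+
+Please contact this user about their inactive account and consider whether
+the account should be disabled or deleted.'
+
+# ### END MAIL TEMPLATES ###
+
+# get real users
+users=$($awkprog -F: -v uidfield=$uidfield \
+-v unamefield=$unamefield \
+-v uidmin=$uidmin \
+-v uidmax=$uidmax \
+-- '$uidfield>=uidmin && $uidfield<uidmax \
+{print $unamefield}' $passwdfile)
+
+for user in $users;
+do
+
+echo "user: $user"
+
+IFS=":"
+usershadow=$($grepprog ^$user $shadowfile)
+echo "usershadow 1: $usershadow"
+
+# make an array out of it
+usershadow=($usershadow)
+echo "usershadow 2: $usershadow"
+
+IFS=$oIFS
+
+mustchange=${usershadow[$must]}
+echo "mustchange: $mustchange"
+
+disabledate=${usershadow[$disable]:-$doesntmust}
+echo "disabledate: $disabledate"
+
+# skip users that aren't expiring or that are disabled
+if [[ $mustchange -ge $doesntmust || $disabledate -le $today ]] ; then continue; fi;
+
+lastchange=${usershadow[$last]}
+echo "lastchange: $lastchange"
+
+warndays=${usershadow[$warn]:-$warndefault}
+echo "warndays: $warndays"
+
+expdate=$(("$lastchange" + "$mustchange"))
+echo "expdate: $expdate"
+
+threshhold=$(($today + $warndays + $weekmode))
+echo "threshhold: $treshhold"
+
+if [[ $expdate -lt $threshhold ]];
+
+gentemplate_userbody "$(($expdate - $today))"
+
+then
+if [[ $expdate -ge $today ]];
+then
+subject=$(eval "echo \"$usersubjecttemplate\"")
+body=$(eval "echo \"$userbodytemplate\"")
+echo -e "$body" | $notifyprog -s "$subject" $user
+else
+if [[ $age -ge $aged ]];
+then
+subject=$(eval "echo \"$adminsubjecttemplate\"")
+body=$(eval "echo \"$adminbodytemplate\"")
+echo -e "$body" | $notifyprog -s "$subject" $admins
+fi
+fi
+fi
+
+
+done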
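Review bot: The debug line `echo "usershadow 1: $usershadow"` writes each user's complete /etc/shadow entry, password hash included, to stdout, and since the header says the script is meant to run from cron, that output would presumably end up in cron mail or a log readable outside root; drop the line or print only the numeric fields the script uses. The lookup just before it, `$grepprog ^$user $shadowfile`, is an unanchored prefix regex, so `bob` also matches `bobby` and the array can be built from the wrong or from several accounts' lines; `usershadow=$($grepprog -- "^${user}:" "$shadowfile")` pins it to one entry. Further down, `gentemplate_userbody "$(($expdate - $today))"` sits between `if [[ $expdate -lt $threshhold ]];` and `then`, so the branch is decided by the function's exit status rather than the comparison and the threshold is effectively ignored; the call belongs inside the `then`. `$age` is tested against `aged` and used in `adminbodytemplate` but is never assigned in the file, so the admin notification looks unreachable until something like `age=$((today - expdate))` is set before the test. The `echo "threshhold: $treshhold"` line also misspells the variable and always prints empty.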