Force password expiration for multiple users at once

Posted on 01-18 01:40

How can I query all users on a box and force password expiration?

Currently, I am querying all users:

getent shadow | awk -F: '$2 ~ /^\$/ || $2 ~ /^!\$/ {print $1, $3}'

And this gets me the user name as well as the last password change, but I only need to force the passwd -e on users who haven't changed their password since before March 1, 2022 - anyone who has changed their password after March 1, 2022 I can leave those alone (I believe this would be a value of 19052 - so any value greater than or equal to that I can skip).

Comments (2)

请爱~陌生人 2025-01-25 01:40:52

I did this:

cut -d: -f1 /etc/passwd | { while IFS= read -r n; do echo -n "$n "; chage -li "$n" | awk 'NR==1{print $NF}'; done; echo CUTME 2022-03-01; } | sort -k2 | awk '/CUTME/{exit} {print $1}'

You can then xargs passwd -e if you want.

梦忆晨望 2025-01-25 01:40:52

I like the approach @KamilCuk took. To add to that I would include a minimum UID and maximum UID on parsing /etc/passwd to exclude system accounts. (note: some distributions start the first non-system UID at differing values, usually either 500 or 1000 -- check your distro). The maximum UID can exclude generic user accounts placed at the top of the range like the nobody account on openSUSE with UID == 65534.

To determine whether to expire an account with a password change older than March 1, 2022, it is fairly easy to convert that date and the date returned by chage to seconds-since-Epoch. That way you can use a simple comparison of if the last password change is less than the number of seconds since Epoch for March 1, 2022 -- expire the account.

Below is one approach you can take to put it all together. xargs is another option to build the list instead of expiring accounts one-by-one. The actual expiration is commented out below and instead the command that would be run is printed to stdout to allow testing before actual expiration of accounts.

#!/bin/bash

## validate script is run with root privilege
[ "$UID" != 0 ] && [ "$EUID" != 0 ] && {
  printf "error: script must be run as root, UID '%s' can't.\n" "$UID" >&2
  exit 1
}

minUID=1000     ## first non-system UID
maxUID=65534    ## nobody

march1epoch=$(date -d "2022-03-01" +%s)   ## seconds since epoch

## pipe non-system users to while loop to check aging with chage
awk -v minU="$minUID" -v maxU="$maxUID" -F: '
  $3 >= minU && $3 < maxU { print $1 }
' /etc/passwd |
{
## read each user name, get age since last pw change
while IFS= read -r usrnm; do
  ## LC_ALL=C keeps the chage output format and its date in English
  lastchg=$(LC_ALL=C chage -l "$usrnm" |
            awk -F: 'FNR==1 {print $NF; exit}')
  ## skip "never" / "password must be changed", which date cannot parse
  age=$(date -d "$lastchg" +%s 2>/dev/null) || continue
  ## compare with march1epoch, expire all that are older
  [ "$age" -lt "$march1epoch" ] && echo "passwd -e \"$usrnm\""
  ### uncomment line below to actually expire account
  # [ "$age" -lt "$march1epoch" ] && passwd -e "$usrnm"
done
}

(note: you can use Process Substitution to feed the while loop in bash rather than piping the results to it -- up to you. If you are stuck with POSIX shell, then piping will work in both instances)

When satisfied, uncomment the final line in the loop, and optionally remove the line that simply outputs the command that would be run.
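
The filter the question started from, carried through as an added example (not code from the original posts): it reads shadow-format lines, keeps accounts that have a password hash, and compares field 3 (day of the last change, in days since the epoch) against the cutoff, printing the passwd -e commands as a dry run. The sample entries are constructed, GNU date is assumed, and unlike the UID-range script above it does not exclude system accounts, because shadow entries carry no UID.

```shell
#!/bin/sh
# Added example: pick accounts whose last password change (shadow field 3,
# days since the epoch) predates a cutoff date. Dry run: prints commands only.

# days_since_epoch YYYY-MM-DD -> integer day number (GNU date assumed)
days_since_epoch() {
  echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# stale_users CUTOFF_DAYS: reads shadow-format lines on stdin and prints the
# names of accounts with a password hash that was last changed before the cutoff.
stale_users() {
  awk -F: -v cut="$1" '
    $2 !~ /^!?\$/    { next }   # no hash ("*", "!", empty): nothing to expire
    $3 == ""         { next }   # empty field: password aging is disabled
    $3 == 0          { next }   # 0: change at next login is already forced
    $3 + 0 < cut + 0 { print $1 }
  '
}

# Constructed sample input (not real accounts or hashes)
sample_shadow() {
  cat <<'EOF'
daemon:*:18000:0:99999:7:::
alice:$6$salt$hash:19051:0:99999:7:::
bob:$6$salt$hash:19052:0:99999:7:::
carol:!$6$salt$hash:18500:0:99999:7:::
dave:$6$salt$hash:0:0:99999:7:::
erin:$6$salt$hash::0:99999:7:::
EOF
}

# Dry run over the sample. On a real host, feed `getent shadow` (as root)
# instead of sample_shadow and review the list before running the commands.
dry_run() {
  cutoff=$(days_since_epoch 2022-03-01)
  sample_shadow | stale_users "$cutoff" | while IFS= read -r u; do
    echo "passwd -e $u"
  done
}
dry_run
```
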
