The password enforcement policy is common to all operating systems and applications.
If you want to implement a password enforcement policy on Linux, go to the following article.
The password enforcement policy will be enforced by most companies by default, but the time period will be different depending on the company’s requirements.
Usually everyone uses a 90-days password cycle.
The user will only change the password on some of the servers they use, and they won’t change the password on the servers they don’t use often.
In particular, most team forget to change the service account password, which can lead to breaking regular jobs even if they are configured to work with SSH key-based authentication.
SSH key-based authentication and cronjobs will not work if the user account password expires.
To avoid this situation, we have created a shell script that sends you a list of user accounts that expire within 10 days.
There are two bash scripts included in this tutorial that will help you collect information about user expiration days on your system.
1) Bash Script to Check List of User Accounts Expiring in 10 Days
This script will help you to check the list of user accounts that expire in 10 days on your terminal.
# vi /opt/script/user-password-expiry.sh #!/bin/sh /tmp/user-expiry-1.txt /tmp/user-expiry.txt echo "-------------------------------------------------" echo "UserName The number of days the password expires" echo "-------------------------------------------------" for usern in u1 u2 u3 u4 do today=$(date +%s) userexpdate=$(chage -l $usern | grep 'Password expires' |cut -d: -f2) passexp=$(date -d "$userexpdate" "+%s") exp=`expr \( $passexp - $today \)` expday=`expr \( $exp / 86400 \)` echo "$usern $expday" >> /tmp/user-expiry.txt done cat /tmp/user-expiry.txt | awk '$2 <= 10' > /tmp/user-expiry-1.txt cat /tmp/user-expiry-1.txt | column -t
Set an executable Linux file permission to “user-password-expiry.sh” file.
# chmod +x /opt/script/user-password-expiry.sh
You will get an output like the one below. But the username and days may be different
# sh /opt/script/user-password-expiry.sh ------------------------------------------------- UserName The number of days the password expires ------------------------------------------------- u1 -25 u2 9 u3 3 u4 5
2) Bash Script to Send eMail With a List of User Accounts Expiring in 10 Days
This script will send a mail with a list of user accounts expiring in 10 days.
# vi /opt/script/user-password-expiry-mail.sh #!/bin/sh SUBJECT="Information About User Password Expiration on "`date`"" MESSAGE="/tmp/user-expiry.txt" MESSAGE1="/tmp/user-expiry-1.txt" TO="[email protected]" echo "-------------------------------------------------" >> $MESSAGE1 echo "UserName The number of days the password expires" >> $MESSAGE1 echo "-------------------------------------------------" >> $MESSAGE1 for usern in u1 u2 u3 u4 do today=$(date +%s) userexpdate=$(chage -l $usern | grep 'Password expires' |cut -d: -f2) passexp=$(date -d "$userexpdate" "+%s") exp=`expr \( $passexp - $today \)` expday=`expr \( $exp / 86400 \)` echo "$usern $expday" >> $MESSAGE done cat $MESSAGE | awk '$2 <= 10' >> $MESSAGE1 mail -s "$SUBJECT" "$TO" < $MESSAGE1 rm $MESSAGE rm $MESSAGE1
Set an executable Linux file permission to “user-password-expiry-mail.sh” file.
# chmod +x /opt/script/user-password-expiry-mail.sh
Finally add a cronjob to automate this. It runs once in a day at 8AM.
# crontab -e 0 8 * * * /bin/bash /opt/script/user-password-expiry-mail.sh
You will receive a mail similar to the first shell script output.