0

I'm trying to figure out how to determine when user accounts on an HP-UX server will be locked. I would need this for every user on the server.

On other kinds of UNIX, this kind of thing is typically found in the /etc/shadow file as the 8th field in each row (# of days since 1/1/1970 when the account will be disabled).

Ward - Trying Codidact
Jon Kruger

2 Answers

1

From what I've been reading, this will do it:

/usr/lbin/getprpw -r -m acctexp <username>

http://www.hpuxtips.es/?q=node/157

http://fixunix.com/security/74478-scripts-needed-trusted-hp-ux-system.html

Jon Kruger
0

It is the same on HP-UX, the 8th field in /etc/shadow tells you:

(from man shadow on HP-UX 11.31)

expiration     The absolute number of days since Jan 1, 1970
               after which the account is no longer valid.  A
               value of zero in this field indicates that the
               account is locked.

Also, it should be noted that if an account is locked due to too many authentication attempts, you won't see that in /etc/shadow. You can find out the failed logins count of an account with

userdbget -u username auth_failures

and test if it is >= the value of AUTH_MAXTRIES defined in /etc/default/security.

skinp
  • It looks like in some cases, the /etc/shadow file won't be there: http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1298402971526+28353475&threadId=1237808 – Jon Kruger Feb 22 '11 at 19:30
  • If you are on a trusted system, it is not there and replaced (never used it so I don't really know). If not, I strongly suggest, for security reasons, you convert your /etc/passwd with the command pwconv which will create the /etc/shadow file. – skinp Feb 22 '11 at 19:48
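
An added example, not code from either answer: a POSIX sh/awk function that turns the 8th /etc/shadow field described in the second answer into a calendar date for every user, treating zero as locked as the quoted man page states. The function names, the status labels, the optional "today" argument and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads shadow-format lines on stdin and reports field 8 per user.
# Optional $1: today's day number (days since 1970-01-01) to flag expired accounts.
shadow_expiry() {
    awk -F: -v today="${1:-}" '
    # Convert a day count since 1970-01-01 to YYYY-MM-DD (Gregorian calendar).
    function ymd(days,    z, era, doe, yoe, y, doy, mp, d, m) {
        z   = days + 719468                      # shift epoch to 0000-03-01
        era = int(z / 146097)                    # whole 400-year cycles
        doe = z - era * 146097                   # day within the cycle
        yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
        doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))
        mp  = int((5*doy + 2) / 153)             # month index, March = 0
        d   = doy - int((153*mp + 2) / 5) + 1
        m   = (mp < 10) ? mp + 3 : mp - 9
        y   = yoe + era*400 + (m <= 2 ? 1 : 0)
        return sprintf("%04d-%02d-%02d", y, m, d)
    }
    /^#/ || NF < 8 || $1 == "" { next }          # skip comments and short lines
    {
        x = $8; when = "-"
        if (x == "")                { state = "unset" }
        else if (x !~ /^[0-9]+$/)   { state = "invalid" }
        else if (x + 0 == 0)        { state = "locked" }   # zero means locked
        else {
            when  = ymd(x + 0)
            state = (today != "" && today + 0 > x + 0) ? "expired" : "expires"
        }
        printf "%s\t%s\t%s\n", $1, state, when
    }'
}

# Constructed sample entries (not from a real system); "*" stands in for the hash.
sample_shadow() {
    cat <<'EOF'
alice:*:19000:0:90:7::19782:
bob:*:19000:0:90:7::0:
carol:*:19000:0:90:7:::
dave:*:18000:0:90:7::18262:
EOF
}

sample_shadow | shadow_expiry 19000
```

On a system that has the file, run it as root with `shadow_expiry < /etc/shadow`. It does not cover lockouts from failed logins, which the answer notes do not appear in /etc/shadow.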