3

I recently added a bunch of users and gave them randomly generated passwords. We've since instructed them to change their passwords, but we suspect that a large number of them have not.

How can we expire the passwords of everyone who hasn't changed their password yet?

We're on Ubuntu 9.04 server using normal /etc/passwd authentication.

lfaraone

3 Answers

4

You can use the chage command to see the last time they changed their password, for example:

sudo chage -l kbrandt

You can mix that with a loop and awk of the /etc/passwd file; there might be a better way, though. Maybe something like:

while read -r line; do
    # Field 3 of /etc/shadow is the day of the last password change
    date_change=$(echo "$line" | awk -F: '{print $3}')
    user=$(echo "$line" | awk -F: '{print $1}')
    #Say you set them on 14120 days since Jan 1, 1970
    if [[ $date_change -eq 14120 ]]; then
        #chage command to set warning and password expiration for $user
        :   # no-op so the branch parses; the chage call goes here
    fi
done < /etc/shadow
Kyle Brandt
2

To expire the password, set the expiration date to a date in the past:

chage -E 0 username    # 0 is January 1, 1970; 14496 is 9/9/9

To remove the expiration use -1:

chage -E -1 username

Combine these with Kyle's script.

However, you can get your user and date_change using only one call to awk:

# Bash
read -r user date_change <<< "$(echo "$line" | awk -F: '{print $1, $3}')"

or

# Bash
read -r user date_change < <(echo "$line" | awk -F: '{print $1, $3}')

or

# Bourne
read -r user date_change <<EOF
`echo "$line" | awk -F: '{print $1, $3}'`
EOF

However, awk is unnecessary:

while IFS=: read -r -a line
do
    date_change=${line[2]}
    user=${line[0]}
    # Have they changed their password since I told them to on Jul 1?
    # (-le is the numeric "less than or equal" test inside [[ ]])
    if [[ $date_change -le 14426 ]]; then
        # Expire their password, that'll get their attention
        chage -E 0 "$user"
    fi
done < /etc/shadow
Dennis Williamson
1

The date the password was last changed is listed in /etc/shadow in the third field (coded as days since 1970/01/01).

You could then use the chage utility to enforce a password change after n days since the last change. But beware that this setting is persistent: it will expire the password every n days, so if you don't want that you will have to reset this in a second run, after the first change.

I really would like an option to enforce a password change upon first login, like MacOS and Windows offer.

Sven
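
A filter for the /etc/shadow loops above, as an added example that is not part of any answer: it skips locked or password-less accounts and entries with an empty last-change field, so system accounts are never touched, and it defaults to a dry run. It uses `chage -d 0` (last-change day 0, which shadow(5) defines as "must change password at next login") rather than `-E`, which sets the account expiration date; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads shadow(5)-format lines on stdin.

# Constructed sample input, not real accounts or hashes.
sample_shadow() {
cat <<'EOF'
root:!:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
alice:$6$constructed$hashA:14420:0:99999:7:::
bob:$6$constructed$hashB:14430:0:99999:7:::
carol:$6$constructed$hashC::0:99999:7:::
dave:$6$constructed$hashD:0:0:99999:7:::
erin:$6$constructed$hashE:14426:0:99999:7:::
EOF
}

# stale_password_users CUTOFF_DAY < shadow-file
# Prints users whose last password change (field 3, days since 1970-01-01)
# is on or before CUTOFF_DAY.
stale_password_users() {
    cutoff=$1
    while IFS=: read -r user hash lastchg _rest; do
        # Locked or password-less accounts (system users, Ubuntu's root): skip.
        case $hash in ''|'!'*|'*'*) continue ;; esac
        # Empty field 3 (aging disabled) or junk is not a date: skip.
        case $lastchg in ''|*[!0-9]*) continue ;; esac
        # 0 already means "must change at next login".
        if [ "$lastchg" -eq 0 ]; then continue; fi
        if [ "$lastchg" -le "$cutoff" ]; then printf '%s\n' "$user"; fi
    done
    return 0
}

# force_change CUTOFF_DAY [--apply] < shadow-file
# Dry run by default; with --apply (as root) runs chage -d 0 for each user.
force_change() {
    stale_password_users "$1" | while read -r u; do
        if [ "${2:-}" = "--apply" ]; then
            chage -d 0 "$u"
        else
            printf 'would run: chage -d 0 %s\n' "$u"
        fi
    done
}

# Demo on the constructed sample; on a real host: force_change 14426 < /etc/shadow
sample_shadow | force_change 14426
```

Review the dry-run list before repeating the command with `--apply`; 14426 is the Jul 1 cutoff used in the answer above.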