SUMMARY: Listing locked accounts at the command line??

From: Chris Los <clos_at_trentu.ca>
Date: Mon, 24 Jul 2000 11:34:21 -0400

Thanks to all who responded. Here's what I received.




From: Denise Dumas <dumas_at_zk3.dec.com>

Hi,

u_lock denotes only the "administratively locked" accounts. Accounts
"disabled" for other reasons require more checks - see the locked_out_es
manpage for a list of the (many) conditions that cause an account to be
disabled.
(Note that the easy way to "un-disable" an account is to give it a grace
limit (u_grace_limit), which allows the user a time window in which to log
in successfully, which effectively clears many disabling conditions. In
V5.1, dxaccounts will display a new icon denoting disabled accounts and let
you clear them).

Denise Dumas
Tru64 Security



From: Frank Wortner <frank_at_bondnet.com>


I use the user management tools by Randy Hayman of the University of
Alaska.
They are command line utilities that allow you to build scripts, perl
programs, or whatever to manage users under DEC C2.

For example: to list all locked users:

    /usr/local/sbin/user_list -l

You can get these tools from: ftp://ftp.alaska.edu/pub/randy/zuausr/

Hope this helps!

Frank


From: "Davis, Alan" <Davis_at_tessco.com>

Take a look at the zuausr tools :

http://www.digital.com/info/misc/pub-domain-osf1.txt.html


From: Ann Majeske USG <majeske_at_zk3.dec.com>

If you look at the man page for prpasswd, you will see that there
are lots of different ways an account can be disabled or locked.
I'm not sure which of these cause the lock symbol to appear in
dxaccounts.

Since most of the causes of a disabled or locked account are
found by checking an interaction of two or more of the u_ fields,
checking for all locked accounts can get complicated. Also,
some of the fields might be in the default database rather
than the user's protected password database entry, so it can
get even more complicated.

Some of the fields involved are:
        u_lock
        u_life
        u_succhg
        u_numunsuclog
        u_maxtries
        u_unlock
        u_unsuclog
        u_retired
        u_expdate

An example of one cause of a disabled account:
        You can tell if the password lifetime has expired by
        checking if the current time is greater than
        u_life + u_succhg

Checking to see if a user's account is currently disabled due
to too many unsuccessful login attempts is probably the most
complicated, since the account is only temporarily disabled.
This is done so that automatic breakin attempts are thwarted,
but the user can log in the next day, for example.
The check goes something like this (I'm not looking at the
code, so this might not be exact):
        if ((u_maxtries NOT EQUAL 0) AND
            (u_numunsuclog GREATER THAN OR EQUAL u_maxtries) AND
            (current time LESS THAN (u_unsuclog PLUS u_unlock))
        then login refused

I think there are people out there who have written scripts
to check this stuff, but I can't think of any pointers offhand.


From: Nikola Milutinovic <Nikola.Milutinovic_at_ev.co.yu>

There are two ways an account can get locked, "admin lock" and
"bad-login lock".

The first manifests through the "u_lock" field *without* "@". IOW, "u_lock@"
means "explicitly unlocked".

The second is in "u_numunsuclog#<NUMBER>": if <NUMBER> is greater than the
user's u_maxtries (or, if it is not set, the system-wide u_maxtries), then it
is locked.
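
A worked version of the checks described in Ann's and Nikola's messages, added here as an example and not code from the thread. It assumes one entry per line in the name=value / name#N / name / name@ field syntax (real edauth -g output wraps lines with backslashes), a DEFAULTS dict standing in for the system default database, and that a u_life of 0 means no password lifetime limit; the bad-login test follows Ann's ">=" form.

```python
# Constructed sample data (not from the thread): one protected-password
# entry per line. name=value is a string, name#N a number, a bare name is
# boolean true and name@ is boolean false, as in edauth -g output.
SAMPLE = """\
alice:u_name=alice:u_id#201:u_lock@:u_maxtries#5:u_numunsuclog#0:u_succhg#1000:u_life#8640000:chkent:
bob:u_name=bob:u_id#202:u_lock:u_maxtries#5:u_numunsuclog#0:u_succhg#1000:chkent:
carol:u_name=carol:u_id#203:u_lock@:u_maxtries#5:u_numunsuclog#5:u_unsuclog#5000:u_unlock#86400:chkent:
eve:u_name=eve:u_id#205:u_lock@:u_numunsuclog#7:u_unsuclog#9000:chkent:
frank:u_name=frank:u_id#206:u_lock@:u_numunsuclog#0:u_succhg#100:u_life#5000:chkent:
"""
# Assumed system-wide fallbacks (stands in for the default database).
DEFAULTS = {"u_maxtries": 5, "u_unlock": 86400, "u_life": 8640000}

def parse_entry(line):
    """Split one entry into (username, {field: value})."""
    parts = line.strip().rstrip(":").split(":")
    fields = {}
    for f in parts[1:]:
        if "=" in f:                      # string field
            k, v = f.split("=", 1); fields[k] = v
        elif "#" in f:                    # numeric field
            k, v = f.split("#", 1); fields[k] = int(v)
        elif f.endswith("@"):             # boolean false
            fields[f[:-1]] = False
        elif f:                           # boolean true
            fields[f] = True
    return parts[0], fields

def lock_reasons(fields, now, defaults=DEFAULTS):
    """Return the disabling conditions from the thread that apply at time `now`."""
    get = lambda k: fields.get(k, defaults.get(k))   # user entry, else default db
    reasons = []
    if get("u_lock") is True:
        reasons.append("admin-locked")
    maxtries, bad = get("u_maxtries") or 0, get("u_numunsuclog") or 0
    last_bad, unlock = get("u_unsuclog") or 0, get("u_unlock") or 0
    if maxtries and bad >= maxtries and now < last_bad + unlock:   # Ann's check
        reasons.append("bad-login-locked")
    life, changed = get("u_life") or 0, get("u_succhg")
    if life and changed is not None and now > life + changed:     # lifetime expired
        reasons.append("password-lifetime-expired")
    return reasons

def locked_accounts(text, now, defaults=DEFAULTS):
    """Map each disabled account to its reasons; clean accounts are omitted."""
    return {name: r for name, f in map(parse_entry, filter(str.strip, text.splitlines()))
            if (r := lock_reasons(f, now, defaults))}
```

Calling locked_accounts(SAMPLE, now) twice, once with a clock just after the failed logins and once a day later, shows the bad-login locks on carol and eve clearing while bob's admin lock and frank's expired password remain.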



From: "Alam, Sim" <Sim.Alam_at_Central.tased.edu.au>

Have the other accounts expired? You might need to alter that script so that
it checks the last successful changed password time against the current time
and compare the difference to the overall default expiry time. Expired
accounts won't be administratively locked.




My original posting:

We are running Unix 4.0E pk2 with C2 security and I would like to create
a file containing the account names for all accounts which show the lock
symbol beside them in the dxaccounts GUI. I've tried using the following
command in a "for" loop which is reading in a prebuilt list of *all*
account names on the system but the resulting output only seems to
include *some*, not all, of the locked accounts.


/usr/tcb/bin/edauth -g juser | grep u_lock


Is there a better way to do this?
TIA
Received on Mon Jul 24 2000 - 15:35:31 NZST
