Sorry for the delay in getting this summary out - I've been trying to make
one of the suggested solutions work, with mixed success.
Original post:
Has anyone scripted user management on Tru64? I have a need for a script
that will allow authorized users to
unlock accounts or change passwords when the Help Desk is not available
Many thanks to all who responded:
Several people suggested sudo, which I do have and use, but I need to
fine-tune the process for specific tasks:
Patrick Norris
John Jeffrey Venier
Wayne Blom
Karen R. McArthur
Do you have C2 security installed? Here is the perl script we use:
----- Cut Here -----
#!/usr/local/bin/perl
# setPassword - Allows Jane (or anyone with sudo privs) to be able
# to set a user's password to anything they want! Such
# power!
#
# Syntax is setPassword user password
# where you should replace the word user with the userid,
# and the word password with the user's new password.
#
# Currently, there is no way to hide the new password given on the
# command line. If this is necessary, it might be suggested as a
# future feature.
die "Must be run as root!\n" if($> != 0);
# Reset the random number generator, and create a two-character salt for
# the crypt subroutine (the salt alphabet is a-z, A-Z, 0-9, '.' and '/')
$now = time();
srand($now ^ ($$ + ($$ << 15)));
@saltChars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
$salt = $saltChars[rand @saltChars] . $saltChars[rand @saltChars];
$lastUpdate = ":u_succhg#" . $now . ":";
($user,$password) = @ARGV;
if($user eq "")
{
    print "Username: ";
    chop($user = <STDIN>);
}
# The username is interpolated into a shell command below, so only
# accept plain account-name characters
die "Invalid username: $user\n" unless $user =~ /^[\w.-]+$/;
if($password eq "")
{
    system "stty -echo";              # don't echo the password on the terminal
    print "New password for $user: ";
    chop($password = <STDIN>);
    print "\n";
    system "stty echo";
    if($password eq "")
    {
        # Nothing typed: fall back to a default password and zero the
        # last-successful-change time
        $password = "passwd";
        $lastUpdate = ":u_succhg#0:";
    }
}
$crypt = crypt($password, $salt);
open(GETAUTH, "/usr/tcb/bin/edauth -g $user|") || die "Can't run edauth";
open(SETAUTH, "|/usr/tcb/bin/edauth -s") || die "Can't set with edauth";
$myString = "";
while($_ = <GETAUTH>)
{
    $myString .= $_;
}
# Join the wrapped record into one line: drop backslashes, newlines and
# tabs, and squeeze the resulting doubled colons
($_ = $myString) =~ tr/:\\\n\t/:/sd;
if(/u_pwd=/) {s/:u_pwd=([^:]+):/:u_pwd=$crypt:/;}
if(/u_succhg#/) {s/:u_succhg#(\d+):/$lastUpdate/;}
if(/u_numunsuclog#\d+/) {s/:u_numunsuclog#\d+:/:/;}   # clear the failed-login count
print SETAUTH "$_\n";
close(GETAUTH);
close(SETAUTH);
----- Cut Here -----
Elizabeth Harvey-Forsythe
I have written that sort of thing as CGI scripts in perl. We can restrict
who can use the scripts using the web server's (Apache's) authentication
modules. We use yp, the lowest common denominator we have for Digital UNIX,
Tru64, Solaris, HP-UX, Linux, IRIX and odd AIX machines. My scripts
directly modify the /var/yp/src/passwd and group files, so they aren't
really applicable if you are using shadow passwords or C2, but the idea is
sound whatever your method, and it allows you to do some sys admin from
virtually any web browser.
Note: Unfortunately, I don't use NIS.
Marie-Francoise Devillers-Thiry
I send you my scripts to manage users in C2-security.
--------------------------------------------
chpw user "newencrpw" : remark, we use here an encrypted PW which is
supplied by another tool. You may encrypt the pw in a small C program
using the crypt system call.
--------------------------------------------
#! /bin/sh
# This script 'chpw' is used to enter a new encrypted pw in
# the C2-security auth.db database
# Synopsis: chpw user encrypted_pw
#
# Author MF Devillers , March 99.
#
USER=$1
ENCR_PW=$2
usage()
{
echo "Usage: chpw user encrypted_pw"
echo "encrypted_pw enclosed in double quotes"
exit 1
}
if [ "`whoami`" != "root" ] ; then
echo "Have to be root to run procedure."
echo "Exiting."
exit 1
fi
if [ $# != 2 ]
then
usage
fi
# Verify that user exists in passwd and auth.db beforehand
#
PASSWD_ENTRY=`grep "^${USER}:" /etc/passwd`
if [ "_$PASSWD_ENTRY" = "_" ]
then
echo " No entry found in /etc/passwd for $USER - exiting"
exit 1
fi
/usr/tcb/bin/edauth -gq -dp "$USER" > /dev/null 2> /dev/null
if [ $? -ne 0 ]
then
echo " No entry found in auth.db database for $USER - exiting"
exit 1
fi
#
# Verify validity of encrypted pw (13 characters from the crypt alphabet,
# or '*' to lock the account). The alphabet check also keeps sed
# metacharacters out of the replacement text below.
#
if [ "${ENCR_PW}" != '*' ]
then
len_pw=`expr "$ENCR_PW" : '.*'`
if [ $len_pw -ne 13 ]
then
echo "Encrypted pw should be 13 characters long"
exit 1
fi
case "$ENCR_PW" in
*[!A-Za-z0-9./]*)
echo "Encrypted pw may only contain a-z, A-Z, 0-9, '.' and '/'"
exit 1
;;
esac
else
echo "Pw requested is '*'"
fi
#
# Change pw in /var/tcb/files/auth.db
#
/usr/tcb/bin/edauth -g -dp "$USER" | \
sed "s(:u_pwd=[^:]*:(:u_pwd=${ENCR_PW}:(" |\
/usr/tcb/bin/edauth -s -dp
echo "Encrypted pw set to ${ENCR_PW} on `hostname -s`"
-------------------------------------------------------------
unlock_user
------------------------------------------------------
#! /bin/sh
# This script 'unlock_user' is used to unlock an account that is locked
# because its number of successive failed logins is greater
# than u_maxtries (in /etc/auth/system/default)
# see field u_numunsuclog in output of 'edauth -g USER'
# Author MF Devillers , December 99.
#
USER=$1
usage()
{
echo "Usage: unlock_user user"
exit 1
}
if [ "`whoami`" != "root" ] ; then
echo "Have to be root to run procedure."
echo "Exiting."
exit 1
fi
if [ $# != 1 ]
then
usage
fi
#
# Verify that user exists in passwd and auth.db beforehand
#
PASSWD_ENTRY=`grep "^${USER}:" /etc/passwd`
if [ "_$PASSWD_ENTRY" = "_" ]
then
echo " No entry found in /etc/passwd for $USER - exiting"
exit 1
fi
/usr/tcb/bin/edauth -gq -dp "$USER" > /dev/null 2> /dev/null
if [ $? -ne 0 ]
then
echo " No entry found in auth.db database for $USER - exiting"
exit 1
fi
#
# Reset field u_numunsuclog in /var/tcb/files/auth.db
#
/usr/tcb/bin/edauth -g -dp "$USER" | \
sed "s(:u_numunsuclog#[^:]*:(:u_numunsuclog#0:(" |\
/usr/tcb/bin/edauth -s -dp
echo "user $USER unlocked on `hostname -s`"
----------------------------------------------------
detect_locked
------------------------------------------
#! /bin/sh
# detect_locked
# detect users with numunsuclog>0 (Nb failed login attempts)
# pinpoint users really LOCKED
# Author M.F. Devillers-Thiry - December 99.
echo "USERNAME SUCCESSIVE_FAILED_LOGINS"
/usr/tcb/bin/edauth -g | while read line
do
L=`echo "$line" | grep u_numunsuclog`
if [ "X$L" != "X" ]
then
echo "$line" | awk -F: '
{ un=$1 ;
  for (i=1; i<=NF; i++) { if (substr($i,1,13) == "u_numunsuclog")
    { n=split($i,nfailed,"#"); nf=nfailed[2] }
  }
}
END { if (nf>0) printf ("%-8.8s %d ", un, nf); print (nf>20 ? ">20=LOCKED" : "") }'
fi
done
----------------------------------------------------------
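As an added example (not part of the summary or of any respondent's scripts), the field edits that setPassword, chpw, unlock_user and detect_locked make to an edauth record, run offline on a constructed record so they can be sanity-checked without touching auth.db. The record, its u_maxtries field and the hash values are constructed; it goes a step beyond detect_locked by taking the lock threshold from u_maxtries when the record carries one.

```shell
#!/bin/sh
# Added example (not from the original post): the edauth record edits that
# setPassword, chpw, unlock_user and detect_locked perform, done offline.
# Constructed stand-in for `edauth -g jdoe` output: C2 records wrap long
# lines with backslash-newline-tab continuations (all values hypothetical).
SAMPLE_RECORD=$(printf 'jdoe:u_name=jdoe:u_id#1042:u_pwd=ab1Cd2eF3gH4i:\\\n\t:u_succhg#979000000:u_numunsuclog#7:u_maxtries#5:chkent:')
# Join continuation lines: delete backslashes, newlines and tabs, then squeeze
# the doubled colons (the same tr/:\\\n\t/:/sd step as the Perl script).
normalize_record() {
    printf '%s' "$1" | tr -d '\\\n\t' | tr -s ':'
    echo
}

# A traditional crypt(3) hash is exactly 13 chars from [A-Za-z0-9./]; a bare
# '*' is accepted because chpw allows it to lock the account.
valid_crypt() {
    [ "$1" = '*' ] && return 0
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'
}

# set_password RECORD ENCRYPTED_PW EPOCH: replace u_pwd, stamp u_succhg and
# drop u_numunsuclog as setPassword does. The alphabet check also keeps sed
# metacharacters out of the replacement text.
set_password() {
    valid_crypt "$2" || { echo "rejected: not a 13-char crypt hash" >&2; return 1; }
    normalize_record "$1" | sed \
        -e "s|:u_pwd=[^:]*:|:u_pwd=$2:|" \
        -e "s|:u_succhg#[0-9]*:|:u_succhg#$3:|" \
        -e 's|:u_numunsuclog#[0-9]*:|:|'
}

# unlock_account RECORD: reset the failed-login counter, as unlock_user does.
unlock_account() {
    normalize_record "$1" | sed 's|:u_numunsuclog#[0-9]*:|:u_numunsuclog#0:|'
}

# failed_login_status RECORD: print "user failures LOCKED|ok". Unlike
# detect_locked's fixed 20, the limit comes from u_maxtries when present.
failed_login_status() {
    normalize_record "$1" | awk -F: '{
        name = $1; nf = 0; max = 20
        for (i = 1; i <= NF; i++) {
            if (index($i, "u_numunsuclog#") == 1) { split($i, a, "#"); nf = a[2] + 0 }
            if (index($i, "u_maxtries#") == 1)    { split($i, a, "#"); max = a[2] + 0 }
        }
        printf "%s %d %s\n", name, nf, (nf > max ? "LOCKED" : "ok")
    }'
}
failed_login_status "$SAMPLE_RECORD"   # jdoe 7 LOCKED
```

On a real host the normalised, edited line would be fed to `edauth -s` exactly as the scripts above do; here the functions only print it so the result can be inspected first.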
Bobby Acha
I wrote a C program that allows operators to unlock accounts that have had
lifetime expired passwords, but not accounts that I have personally locked.
It's nothing really fancy, but it works. With some minor fiddling I am sure
you can make it do what you need it to do.
When you compile it, pass it the options
-lsecurity -ldb -laud -lm
The man page for 'getespwent' will explain the flags; the various
fields that can be changed are also there. This will
only work if you have enhanced security installed; since it is a military
installation, I assume everything uses C2 security.
<<lifetime.c>>
Joan Riggs
Raytheon RSE / KLS
Information Technology
805.355.9877 [ +12 GMT ]
joan.riggs_at_kls.usaka.smdc.army.mil
Received on Fri Jan 19 2001 - 03:43:51 NZDT