Koozali.org: home of the SME Server

password expiration

Bob Hemedinger

password expiration
« on: February 22, 2002, 09:05:43 PM »
The improvements in SME are incredible. It is so close to being able to allow me to replace several NT servers that I can taste it. The issue that is preventing me from replacing my NT PDC and BDCs is simply this: password expiration. Has anyone come up with a password aging mechanism that will alert the users that their passwords will expire in X days and allow them to change their passwords via NT's password change mechanism?

If we could alert users that their passwords will expire in X days, we could probably settle for using the existing user-management webpage.

Also related to password management, can we maintain a history of the previous X passwords to further enhance security?

Thanks for any input, even if it's to say read the fine manual :-)


Bob

Filippo Carletti

Re: password expiration
« Reply #1 on: February 26, 2002, 06:10:04 PM »
Unix has password expiration, see man chage.
Any volunteer for a manager panel ?

Bob Hemedinger

Re: password expiration
« Reply #2 on: February 26, 2002, 10:23:15 PM »
I think that you misunderstood my question. Unix password expiration is not an issue for me. The issue is communicating that expiration in advance to the samba users when SME is used in place of an NT PDC.

I have cooked up my own solution that works, but will need improvement over time. Using 'root preexec' in combination with a short shell script and the user-panel from Darrell May, I can notify users X days in advance of their password expiring and then have them go to a web page to maintain their password.

If this helps anyone else, here's the script:


#!/bin/bash
# This shell script is used to read the /etc/shadow file and extract
# the following information for a specific user:
#
#    date password last changed (number of days since 1/1/70)
#    number of days to warn of password expiration
#    date password will expire (number of days since 1/1/70)
#
# Since we are working in number of days since 1/1/70, we need to
# obtain today's date with the date command and convert it to the
# number of days since 1/1/70. Once we have this, we can do some
# simple math and determine if we need to warn the user that his/her
# password is going to expire soon.
#
# We are expecting to be passed 2 arguments: a user name and a machine
# name. Any more or any less, we want to exit immediately. We will look
# for the user's name in the shadow password file and then determine how
# close we are to his/her password expiring. If we are within the number
# of days to warn the user, we will use the smbclient program to broadcast
# a message to that user.
#
# Bob Hemedinger (rhemedinger@yahoo.com) 2/26/2002

if [ $# -ne 2 ]
then
   echo "Usage: read_shadow username machine_name"
   exit 1
fi

# Anchor the pattern on "name:" so that "bob" does not also match "bobby".
grep "^$1:" /etc/shadow > /dev/null 2>&1

if [ $? -ne 0 ]
then
   echo "Username $1 not found."
   exit 1
fi

#
# log the user's logon
#
echo "$(date) User $1 logon from $2" >> /tmp/logons.txt

# shadow(5) fields: 1 name, 2 hash, 3 last change, 4 min age,
# 5 max age, 6 warn days, 7 inactive days
lastchange=$(grep "^$1:" /etc/shadow | cut -d':' -f 3)
warning=$(grep "^$1:" /etc/shadow | cut -d':' -f 6)
inactive=$(grep "^$1:" /etc/shadow | cut -d':' -f 7)
must_change=$(grep "^$1:" /etc/shadow | cut -d':' -f 5)

# An empty max-age or warn field means no expiration is configured
# for this account, so there is nothing to warn about.
if [ -z "$must_change" ] || [ -z "$warning" ]
then
   exit 0
fi

#   Get today's date and convert it to number of days
#   since 1/1/70.

today_seconds=$(date +%s)
today_is=$(echo "$today_seconds/86400" | bc -l | cut -d'.' -f 1)
days_since_change=$(echo "$today_is-$lastchange" | bc -l | cut -d'.' -f 1)
countdown=$(echo "$must_change-$days_since_change" | bc -l | cut -d'.' -f 1)

if  [[ ${countdown} -le ${warning} ]]
then
   echo "You must change your password within $countdown day(s)!" | smbclient -M "$2"
fi
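
The countdown Bob's script performs, reworked as an added example that is not part of his post and not SME Server code. It runs on a constructed shadow(5)-format sample instead of /etc/shadow (so no root is needed), takes "today" as a day number for repeatable results, and handles the cases the one-liner above does not: an account with no maximum age (empty or 99999), a password that has already expired, and a user that does not exist. The user-password URL, the sample user names and the day numbers are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not Bob's script, not SME Server code): password-expiry
# countdown over a constructed shadow(5)-format sample.

# Constructed sample data, shadow(5) layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day numbers are days since 1970-01-01; hashes are placeholders.
SAMPLE_SHADOW='alice:$6$placeholder:12000:0:90:7:::
bob:$6$placeholder:12050:0:90:7:::
carol:$6$placeholder:12000:0:99999:7:::
dave:$6$placeholder:12000:0::7:::
erin:$6$placeholder:11990:0:90:7:::'

# shadow_field USER N -> prints field N of USER's line; returns 1 if absent.
# The pattern is anchored on "name:" so "bob" never matches "bobby".
shadow_field() {
    line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:") || return 1
    printf '%s\n' "$line" | cut -d: -f"$2"
}

# days_until_expiry USER TODAY -> prints days left (negative means already
# expired) or "never" when no maximum age applies; returns 1 for an unknown user.
days_until_expiry() {
    user=$1
    today=$2
    lastchange=$(shadow_field "$user" 3) || return 1
    max=$(shadow_field "$user" 5)
    # shadow(5): empty max field or 99999 means the password does not age
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
        return 0
    fi
    echo $(( lastchange + max - today ))
}

# expiry_message USER TODAY -> prints the text a logon hook would hand to
# "smbclient -M", or nothing when no warning is due; returns 0 only when a
# message was produced.
expiry_message() {
    user=$1
    today=$2
    left=$(days_until_expiry "$user" "$today") || return 1
    [ "$left" = never ] && return 1
    warn=$(shadow_field "$user" 6)
    [ -z "$warn" ] && warn=0
    if [ "$left" -lt 0 ]; then
        echo "Your password expired $(( -left )) day(s) ago; change it at http://SME/user-password"
    elif [ "$left" -le "$warn" ]; then
        echo "You must change your password within $left day(s): http://SME/user-password"
    else
        return 1
    fi
}

# Stand-alone run against the sample, with day 12085 as a constructed "today".
for u in alice bob carol dave erin; do
    expiry_message "$u" 12085 || echo "$u: no warning due"
done
```

In a real logon hook the `SAMPLE_SHADOW` lookup would be replaced by a read of /etc/shadow (which needs root, hence Bob's use of `root preexec`), and `expiry_message` output piped to `smbclient -M`. Keeping the arithmetic in a function that takes "today" as an argument is what makes the edge cases testable without waiting ninety days.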

CharlieBrady
Re: password expiration
« Reply #3 on: February 19, 2005, 06:19:45 PM »
Quote from: "Bob Hemedinger"

Also related to password management, can we maintain a history of the previous X passwords to further enhance security?


Is there any evidence that forcing people to change passwords enhances security? I remember hearing that the opposite is true (because people write their passwords down rather than remembering them).

Your best strategies for enhancing password security are encouraging users to choose good passwords, and to keep them secret.

I believe that you can have the password panel enforce good choice of passwords by doing:

/sbin/e-smith/config setprop passwordstrength User strong
/sbin/e-smith/config setprop passwordstrength Ibays strong
/sbin/e-smith/config setprop passwordstrength Admin strong

Franco
password expiration
« Reply #4 on: February 21, 2005, 12:14:37 AM »
I think this is an excellent topic, and would love to see this function.
-Bob: On your script, how do you tell the users which page to go to? [http://SME/user-password]
As far as I can see the script only "tells" the user to update their password, right? It does not force them to do it, am I correct?
How exactly do you implement it? Where to put it? Chmod, etc?!
How about change pass on the next logon, similar to an AD/NT logon?

Charlie: I agree with you on users writing down, but we need to educate them better. I also think that using the same password for a long time isn't secure.

Thanks guys

israels2

password expiration
« Reply #5 on: April 15, 2005, 05:01:14 PM »
hi,

why limit it only to password expiration?

what about user account expiration (which is supported under Unix), limiting usage to certain workstations and so on?

wallyrp

password expiration
« Reply #6 on: April 16, 2005, 05:02:26 PM »
Good Morning,

Great topic and one that I've been interested in a long time. Regarding notifying the user and telling them where to go to change it, couldn't you put something in this that would integrate and/or be a part of the netlogon.pl (or whatever file it is that netlogon.bat originates from) file? If this could be done, then scripting a start command in the netlogon.bat file would be easy. Something like start iexplore autodirect.htm << this would automatically load something like http://youserver/user-password within so many seconds. You could also do other things with the autodirect.htm file so that it would dictate something about your password policy and/or the user's choices regarding the strength of the password.

I'm looking for something like this so I can implement it next year at the school I work at. Will be watching this thread fer idea'rs. < redneck lingo.

!! Watch Nashville Star on USA Networks Tuesday evenings 9PM CST USA - Vote for Jason Meadows - he's a fellow Okie!! Yeehaw!!

rcdata

Re: password expiration
« Reply #7 on: July 08, 2005, 07:53:45 PM »
Hi Bob,
I like the script, but where do you start it?
When the customer logs on, netlogon.bat starts; that script is for the Windows world, to map the disks and other things. Your script is for the Linux OS; how can it be started from netlogon.bat??
Thanks for the help.

thedude

password expiration
« Reply #8 on: July 09, 2005, 06:49:32 AM »
I've always wondered about the changing of passwords. I agree with the post about people writing down passwords when they change a lot. I've seen the lists attached to monitors. To me that is worse than keeping the same password.

I think the bigger concerns are the day to day stupid things that users do (Using IE, clicking on attachments, downloading spyware, etc.). I've yet to see a great save on a windows computer because the password got changed every month.

albatroz
password expiration
« Reply #9 on: October 20, 2005, 10:16:33 PM »
How does it work in a scenario where SME is used only as an email server rather than an NT PDC/Samba server?