Linux – dump/output/list Linux password expiry info for all users

linuxpassword

Context

So I set up a new Debian server and added some users for web space etc, the usual affair.

Skip forward 180 days and users start complaining their logins are not working. Given more than one person brought it up, I checked the auth logs and… BOOM. Failed logins due to password expiry. Dang!

Silly me had not considered the password expiry policy on this particular server.

Note, these users didn't have shell rights, but can login via sftp to manage their web space. So they wouldn't of been reminded about expiry or had the ability to change the password, even if they knew. From what I can tell, the error was only being logged server side. Client side it was a generic auth error.

Question

How can I easily interrogate the server to get the password expiry info for all users?

Once I have that info, I can easily see which users are being effected and those which will be affected in the future.

Best Answer

A command like this should show you the expiration status for all accounts defined in your /etc/passwd.

cut -f 1 -d: /etc/passwd | xargs -n 1 -I {} bash -c " echo -e '\n{}' ; chage -l {}"

The important command is the chage -l username. That is the command that returns the expiration status for a user. Chage is also the command you would use to modify expiration rules. You may need to add sudo before chage depending on your system setup.

Related Solutions

Method to change passwords with Mac OS X Server

Edit based on comment thread:

You could push a script to everyone with Apple Remote Desktop that attempts to mount a sharepoint. Or, as you said above, Apple does provide a password changing website, but again, that would require emailing everyone and telling them to go to the website, which many might ignore.

How to set up an OD user who doesn't have a network home folder:

Create the user in Workgroup Manager.
Click on "Home" in the segmented control bar at the top.
Click the plus button, leave the first two fields blank, and type /Users/username, where you would replace username with the short name of the user. At this point, you'd want to make sure that the user you're setting up doesn't already have a local account with the same name.
Click Okay, then make sure that the entry you created is selected. It should have a harddrive icon and be listed as /Users. Click "create home now", then click save.

That's it! If you don't specify that the user should get a local folder and leave it as no home folder, you'll actually be unable to log in at all. Now you have all of the management you'd get with having a bound Machine and a network account, without the extra storage overhead (and possible long login times).

Old answer: I don't want to seem condescending but you really need to learn more before you jump into this. The Lynda training series videos for snow leopard server are great, or grab a book from the bookstore. Snow Leopard Server is very picky. Everything needs to be set up properly and in a very specific order. The best advice I can give you is to start fresh - open up a book or start the video and start from the beginning. Set up DNS exactly how they say, then wipe and reinstall OS X server (remember to run software update!) and go from there with a fresh start. I myself had to do that several times on a test server before I got the process down right.

Linux – how to disable SSH login with password for some users

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

Match User !root
    PasswordAuthentication no

Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)