For decades, periodic password changes have been a staple of system security. The idea is that if someone gets your password, they can gain access for a limited period of time. It's usually easiest to have the system prompt them rather than relying on users to remember to change their passwords. However, regular user accounts may be set with passwords that never expire and therefore never prompt users to change them.
The Bash script in this article lists all those regular user accounts on your system whose password is set to never expire. By regular users, I mean accounts that usually have interactive shell access and a /home
directory.
[ Learn more about Forcing Linux system password changes with the chage command. ]
For this example, you can use the following /etc/passwd
file with the regular users Alice, Bob, and Charlie:
[root@f3f6383512d0 /]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
charlie:x:1002:1002::/home/charlie:/bin/bash
As you can see, these regular users have a home directory in /home
. Before kicking off the Bash script, check the three user accounts using chage
(1):
[root@f3f6383512d0 /]# for USER in alice bob charlie; do echo $USER; chage -l $USER; done
alice
Last password change : Aug 04, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
bob
Last password change : Aug 04, 2021
Password expires : Nov 02, 2021
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
charlie
Last password change : Aug 04, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Only Bob's password is going to expire at some point in time. The passwords of Alice and Charlie never will. But how do you display all user accounts whose passwords will never expire without having to check each individual account? As mentioned earlier, all of your regular user accounts have a home directory in /home
. You can use this fact to filter them from /etc/passwd
. Let's take a look at the Bash script:
#!/bin/bash
for USER in $(grep home /etc/passwd | cut -d':' -f1)
do
if [ "$(chage -l $USER | grep 'Password expires' | cut -d':' -f2)" == ' never' ]
then
echo $USER
fi
done
The file /etc/passwd
consists of several columns separated by :
, with the first column of each line containing the username. For each line containing the string home, the script extracts the username and stores it in the variable USER. This finds all regular user accounts. Next, it runs the command chage
on these user accounts, and if the attribute Password expires is set to never, the username is output to STDOUT.
That wasn't too hard, was it? And in case you need to do this on an interactive shell, you don't need to write a script at all but could use a Bash one-liner instead:
[root@f3f6383512d0 /]# for USER in $(grep home /etc/passwd | cut -d':' -f1);do if [ "$(chage -l $USER | grep 'Password expires' | cut -d':' -f2)" == ' never' ]; then echo $USER;fi;done
alice
charlie
[root@f3f6383512d0 /]#
And that's the beauty of Bash.
Wrapping up
Passwords that don't expire may be considered a security flaw and violate your organization's security policies. It's straightforward to audit for password settings using a Bash script like the one in this article, which outputs a list of regular user accounts whose passwords will never expire. This Bash script utilizes some of the most common GNU tools, such as chage
(1), cut
(1), echo
(1), and grep
(1).
The Bash script uses typical constructs like a for
loop and the if-then
condition to get the job done. It's a powerful tool that every sysadmin should know.
Sobre o autor
Jörg has been a Sysadmin for over ten years now. His fields of operation include Virtualization (VMware), Linux System Administration and Automation (RHEL), Firewalling (Forcepoint), and Loadbalancing (F5). He is a member of the Red Hat Accelerators Community and author of his personal blog at https://www.my-it-brain.de.
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Programas originais
Veja as histórias divertidas de criadores e líderes em tecnologia empresarial
Produtos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Red Hat Cloud Services
- Veja todos os produtos
Ferramentas
- Treinamento e certificação
- Minha conta
- Suporte ao cliente
- Recursos para desenvolvedores
- Encontre um parceiro
- Red Hat Ecosystem Catalog
- Calculadora de valor Red Hat
- Documentação
Experimente, compre, venda
Comunicação
- Contate o setor de vendas
- Fale com o Atendimento ao Cliente
- Contate o setor de treinamento
- Redes sociais
Sobre a Red Hat
A Red Hat é a líder mundial em soluções empresariais open source como Linux, nuvem, containers e Kubernetes. Fornecemos soluções robustas que facilitam o trabalho em diversas plataformas e ambientes, do datacenter principal até a borda da rede.
Selecione um idioma
Red Hat legal and privacy links
- Sobre a Red Hat
- Oportunidades de emprego
- Eventos
- Escritórios
- Fale com a Red Hat
- Blog da Red Hat
- Diversidade, equidade e inclusão
- Cool Stuff Store
- Red Hat Summit