Where I work, we have a whole bunch of people that share a couple of service accounts that need to be used occasionally. I don't like that for security reasons, but it is unavoidable right now. The problem I keep having is that they consistently lock the account because they cannot remember the password, but then don't tell anyone. Later on someone who does know the password needs to get in, but cannot. They just need the failed logon count reset, and the account unlocked. I am lazy. I don't like having to open smitty, and go through all the keystrokes to reset these things. I also don't like remembering and typing the long commands to do this at the command line. Here is my solution.
```perl
#!/usr/bin/perl

=pod

=head1 NAME

resetuserlogon.pl

=head1 SYNOPSIS

perl resetuserlogon.pl <servername> <username>

=head1 DESCRIPTION

This script will check and then reset the invalid logon count and unlock the user's account.

=head1 AUTHOR

TechFly
Version: 1.0
Date: 2-9-2011

=cut

use warnings;
use strict;
use IO::Prompt;
use Net::SSH::Expect;

#Variable declarations
if (@ARGV != 2) {
    print("\nUsage: resetuserlogon.pl <servername> <username>\n");
    print("Please review your arguments.\n\n");
    exit 1;
}
my $servername = $ARGV[0];
my $username   = $ARGV[1];

#The username is interpolated into commands that run as root on the remote
#host, so refuse anything that is not a plain account name.
if ($username !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/) {
    print("\nInvalid username: only letters, digits, '_', '.' and '-' are allowed.\n\n");
    exit 1;
}

#IO::Prompt uses ARGV to assign the input.  You have to clear ARGV before you can use IO::Prompt.
@ARGV = ();

my $password = prompt "Please enter the root password for $servername: ", -e => '*';

my $ssh = Net::SSH::Expect->new(
    host     => $servername,
    password => $password,
    user     => 'root',
    raw_pty  => 1
);
my $sshlogin = $ssh->login();

print("\nUnlocking user account: $username\n");
print("On server: $servername\n\n");

#The two queries are reused after each change to confirm that it took effect.
my $lssec  = "lssec -f /etc/security/lastlog -a \"unsuccessful_login_count\" -s $username";
my $lsuser = "lsuser -a account_locked $username";

my $listsec       = $ssh->exec($lssec);
my $accountlocked = $ssh->exec($lsuser);

#Pull the number out of "<username> unsuccessful_login_count=<n>"
my ($failcount) = $listsec =~ /unsuccessful_login_count=(\d+)/;
if (!defined $failcount) {
    print("Could not read the unsuccessful logon count for $username.\n");
}
elsif ($failcount != 0) {
    print("The account has $failcount unsuccessful logon attempts.\n");
    $ssh->exec("chsec -f /etc/security/lastlog -a \"unsuccessful_login_count=0\" -s $username");
    #exec() returns the command's output, not its exit status, so re-read the value
    if ($ssh->exec($lssec) =~ /unsuccessful_login_count=0\b/) {
        print("  The unsuccessful logon count was reset.\n");
    }
    else {
        print("The unsuccessful logon count was NOT reset\n");
    }
}
else {
    print("The account $username does not have any unsuccessful logon attempts.\n");
}

if ($accountlocked =~ /account_locked=true\b/i) {
    print("The account is currently locked.\n");
    $ssh->exec("chuser account_locked='false' $username");
    #Confirm the new state instead of testing for any output at all
    if ($ssh->exec($lsuser) =~ /account_locked=false\b/i) {
        print("  The account was successfully unlocked.\n");
    }
    else {
        print("The account was NOT successfully unlocked.\n");
    }
}
else {
    print("The account $username is not locked.\n");
}
print("\n\n");
$ssh->close();
```
A little code, and I don't have to do all the work of resetting these accounts any more. I don't see a lot of sysadmin type code out here, but that is about all you will see from me.
I am always receptive to a better way to do things, if anyone has suggestions. Thanks to wind, kennethk, roboticus, and hbm for suggestions while I was writing this, and for reminding me that I can indeed use at least a small amount of regex in my code. On a side note, I ordered the O'Reillys regex book after they pointed that out.
cheers
Replies are listed 'Best First'.

Re: AIX reset users
by Limbic~Region (Chancellor) on Feb 11, 2011 at 16:30 UTC
by TechFly (Scribe) on Feb 11, 2011 at 17:39 UTC
by ambrus (Abbot) on Feb 12, 2011 at 14:49 UTC
by Limbic~Region (Chancellor) on Feb 12, 2011 at 21:43 UTC