topic Re: passwd in Operating System - HP-UX

passwd

Constantine_1 — Wed, 03 Sep 2003 18:02:53 GMT

When new account is set
Users receive the default password
How can I check that the password was changed
We don't have trusted server setup and no ageing on our machines

Re: passwd

Constantine_1 — Wed, 03 Sep 2003 18:04:37 GMT

And how will I make sure that the user not using the same default password

Re: passwd

Steven E. Protter — Wed, 03 Sep 2003 18:07:51 GMT

passwd -sa
will provide you some data.

SEP

Re: passwd

Leif Halvarsson_2 — Wed, 03 Sep 2003 18:09:09 GMT

Hi,
You can force the user to change password at next login. Check the password option in SAM/Accounts for Users and Groups.

Re: passwd

Steven E. Protter — Wed, 03 Sep 2003 18:09:21 GMT

passwd -f

Will force the user to change the default password at first login.

SEP

Re: passwd

Mark Grant — Wed, 03 Sep 2003 18:10:31 GMT

You could copy the passwd file and compare it with "diff" to the real one from time to time.

However, if you put ",M0" at the end of the encrypted password for the user in /etc/passwd, they will be forced to change there password when they first use it but it won't force them to change it again later. In other words, it doesn't implement password aging but does ensure that the original password gets changed.

Re: passwd

Umapathy S — Wed, 03 Sep 2003 18:11:03 GMT

Constantine,

In SAM, create the user account with the option "Force passwd change at next login" under Set Password options.

HTH,
Umapathy

Re: passwd

A. Clay Stephenson — Wed, 03 Sep 2003 18:18:46 GMT

This is a bit tricky given that a user could change his password back to the default value but there is a way to do this rather easily (and in fact given that a user could revert to the default password) should be done for all users periodically.

I would use Perl to extract all users from the passwd file and then call getpwnam() to get the hashed passwd word, extract the 1st 2 chars of this field and this bemomes the 'salt' value. Now
call crypt() using your default password and the $salt value and if that hash matches the hashed passwd found in /etc/passwd then the user is using the default passwd.

Very easy Perl script.

Re: passwd

GK_5 — Wed, 03 Sep 2003 18:19:32 GMT

passwd -f loginname will force to change the passwd at next login

Re: passwd

Constantine_1 — Wed, 03 Sep 2003 18:20:13 GMT

Forcing the users to change the password that's not a problem
Finding who should change that is a problem

Any Ideas how I can take default pasword and compare to what users have

Re: passwd

Jayan_2 — Wed, 03 Sep 2003 18:35:51 GMT

Dear ,

See directly to the /etc/passwd file.

regards
Jayan

Re: passwd

A. Clay Stephenson — Wed, 03 Sep 2003 18:41:56 GMT

Okay, here is a 2 minute Perl example:

#!/usr/bin/perl -w

use strict;

use constant MIN_UID => 101; # no need to check values below this
use constant DEFAULT_PW => "secret";

my ($name,$passwd,$uid);

setpwent();
while (($name,$passwd,$uid) = getpwent())
{
if ($uid >= MIN_UID)
{
my $salt = substr($passwd,0,2);
my $hash = crypt(DEFAULT_PW,$salt);
if ($hash eq $passwd)
{
printf("User %s (UID %d) is using the default passwd %s\n",
$name,$uid,DEFAULT_PW);
}
}
}
endpwent();

Just set to DEFAULT_PW constant to your value and it will work. It will even work with NIS/NIS+ or plain /etc/passwd.

Re: passwd

Leif Halvarsson_2 — Wed, 03 Sep 2003 19:01:33 GMT

Hi,
Copy the crypted default passwd from the password file, in my example it is "sNiloRtBTvMzI".

awk 'BEGIN { FS=":" } $2 == "sNiloRtBTvMzI" { print }' /etc/passwd

Re: passwd

A. Clay Stephenson — Wed, 03 Sep 2003 19:09:25 GMT

Unfortunately, Leif's approach is not very robust because the user could change the passwd back to the default value using the passwd command and because a new "salt" value would be randomly chosen the values would compare differently even though the plaintext passwds are identical. You really have to extract the "salt" from the passwd field and run it through crypt and compare that result to the original.

Re: passwd

Leif Halvarsson_2 — Wed, 03 Sep 2003 19:12:00 GMT

Hi,
Yes, I discovered that. Sorry, it was not a good solution.