topic Re: Set PASSWORD within the users .profile in Operating System - HP-UX

Set PASSWORD within the users .profile

patrick coutinho — Mon, 03 May 2004 07:58:54 GMT

Hi,

I am facing an unique situation. I have a user who uses a thin client application software namely Oracle Financial Analyser to access the Oracle Database for reporting purposes. This thin client needs an OS user to be available for this purpose. Initially what i did is to restrict all telnet access for this user and only allow ftp access. this i have achieved by assigning a "/usr/bin/false" shell to this user.

Now the problem is, what happens when the user's OS level password expires, which is set to 30 days. Since the user does not have any telnet access, he cannot change/choose another password.

Suppose i give the user telnet access and then edit his .profile file to include only the command for password changing and then exit. This is an idea i had.

Please give me any/all suggestion on how to go about achieving this. To sum it up the user needs to be able to change his OS login password every 30 days, in order to access the Oracle Financial Analyser apps. And i need to keep it secure. Don't want the user to have any shell access.

Need all the ideas, scripts etc that i can get to achieve this. Thanks to everyone in advance.

Many thanks & Regards,

Patrick

Re: Set PASSWORD within the users .profile

KapilRaj — Mon, 03 May 2004 08:06:21 GMT

Do u really wants his password to be expired ?. Why don't u change the policy ?

Kaps

Re: Set PASSWORD within the users .profile

Fred Ruffet — Mon, 03 May 2004 08:10:36 GMT

If you use his .profile to make passwd and exit, and if he can do ftp, he can replace his own .profile...

You should maybe add /usr/bin/passwd as a valid shell in /etc/shells and give him this shell. As long as he has a valid shell he can ftp, but when he makes telnet, it launches passwd then exit.

Regards,

Fred

Re: Set PASSWORD within the users .profile

Robert-Jan Goossens — Mon, 03 May 2004 08:11:43 GMT

Patrick,

I disable the user, only when they call I enable it for the periode they need.

Regards,
Robert-Jan

Re: Set PASSWORD within the users .profile

Bharat Katkar — Mon, 03 May 2004 08:22:50 GMT

Hi Patrick,
We have user similar like and we set his policy such that pasword never expires.
I don't see any harm in that. In case you want to keep on modifiying the password let the administrator spare somtime doing that once in 15 days.

Re: Set PASSWORD within the users .profile

generic_1 — Mon, 03 May 2004 21:31:40 GMT

Give the user sudo access to change the password only for that account and have them login in though a regular account through ssh of their own to do it :). That would save you some headache, but not the user.

Re: Set PASSWORD within the users .profile

Senthil Kumar .A_1 — Tue, 04 May 2004 00:13:57 GMT

hello patrick,

The best option would be to make the password's never expire. You can intervene as administrator if the passwords nedd be changed.To set a non-expiring password do as follows.

For non-expiring password the time frame for max days(-x) should be less than time frame meant for min days(-n).for exammple if the user is "tom"

Then,
#passwd -x 1 -n 2 tom

I hope this solves the issue,

regard's
senthil

Re: Set PASSWORD within the users .profile

Robert True — Tue, 04 May 2004 07:43:58 GMT

Just an added word on senthil's advice:

the value of 'x' must be 0, while 'n' can be anything greater than '0', in order to prevent the user from changing the passwd, at least on my untrusted systems.

As an aside: if root changes the passwd (ie: 'passwd ') then 'passwd -x 0 -n 1 ' must be run again afterward. The passwd cmd by itself will remove the passwd aging bits, in this (x < n) combination. Again this is on my untrusted systems.

Looking at this has solved the puzzle of disappearing 'root only passwd changes' on my systems. If I am missing a patch or something, I don't know.

Re: Set PASSWORD within the users .profile

patrick coutinho — Sat, 08 May 2004 02:56:38 GMT

Thanks everyone. My problem was resolved with Fred's advice. I have used the shell /usr/bin/passwd and now the user can only change his password on login and then exits. Thanks Fred, and thanks everyone else who have contributed with their valuable advice. Points assigned. Sorry for the delay.

One question, as Fred put it, if a user has ftp access only, he can still ftp a .profile file of his own creation to his directory and then get full privileges. That's true is it not ? Any ideas on how to address this security issue.

Thanks & Rgds

Pat