topic Re: password aging in Operating System - HP-UX

password aging

Angela Swyers_1 — Tue, 29 Jun 2004 11:38:36 GMT

How do I turn on password aging for all my existing users without having to go into each one individually and change it?

Re: password aging

Mel Burslan — Tue, 29 Jun 2004 11:51:57 GMT

There exists a utility called pwage and for the life of me I can not remember where it was right now. This utility modifies your encrypted password entry in the passwd file to change the password aging of any given user. By the word changing, I mean turns it on or off as well as determines the length of the expiration in the granulatrity of weeks.

If you can get your hands on this utility, the task you are looking into is a plain vanilla script, something like (on an untrusted system):

cat /etc/passwd | while read line
do
username=`echo line | cut -d: -f1`
pwage [necessary swithches] $username
done

I hope someone here can direct you where to find this neat utility. I used to use it daily in one of my old workplaces and did not make a copy of it on a tape (dang).

Re: password aging

A. Clay Stephenson — Tue, 29 Jun 2004 11:52:45 GMT

Well, you really have to do this for each user but the answer is to write a simple script: Here is a quick example assuming that you only want to age passwds with UIDS >= 101

awk -F":" '{if (($3 + 0) >= 101) print $1}' < /etc/passwd | while read USR
do
echo "User: ${USR}"
passwd -x 90 -n 7 ${USR}
done

That will set the users' passwords to expire in 90 days (rounded to the nearest week) and require 7 days to pass before a passwd can be changed. You could also add a -f to force all passwd to be expired so that the users would need to change passwords upon the next login.

Re: password aging

Steven E. Protter — Tue, 29 Jun 2004 11:56:05 GMT

You can do it with sam

sam

accounts and users

accounts

pick the account

modify user

There is a dialog to turn off aging

This is automated as follows:
passwd -x max 0
passwd -x min 0

This turns off aging.

SEP

Re: password aging

Sundar_7 — Tue, 29 Jun 2004 13:06:41 GMT

you will have to mention if it is a trusted system or not ?

passwd with -x option will do for a system that is not trusted

if your system is trusted then it is much easier.

/usr/lbin/modprdef -m exptm=90,expwarn=10,mintm=10

exptm - Password expiry time in days
expwarn - Password expiry warning
mintm - Minimum time between password changes

but remember, in trusted system if you enable password aging and if the user has not changed their password in the last "exptm" days then their password will be expired. Worst if you have password lifetime set for the accounts, your user account will be disabled if they havent changed their password in "lftm" days.

if you want the password aging to start counting the days from today then

# /usr/lbin/modprpw -V

The above command will reset the last successful password change time to the current time.

Re: password aging

Stan PIetkiewicz_1 — Tue, 29 Jun 2004 13:15:55 GMT

I used ...

SAM

Auditing and Security

System Security Policies

Password Aging Policies and others there for terminal settings etc.

Re: password aging

Nick D'Angelo — Thu, 21 Apr 2005 13:04:50 GMT

Some points for the answers would be appreciated.