topic Re: Password Aging in Operating System - HP-UX

Password Aging

Jerry Gamblin — Fri, 06 Aug 2004 09:23:00 GMT

What is the easiest way to implement a password ageing policy on an HPUX 11 box?
I would like to set up a password policy that says users must change their passwords every X number of days.

Thanks for all your help as I move from being a Windows Admin to a Unix Admin.

Re: Password Aging

Steven E. Protter — Fri, 06 Aug 2004 09:34:16 GMT

There are a couple of ways.

One is to run some passwd commands on the user id right after its created setting its expiration and such. I'm attaching utility secript that does that. Pete Randall wrote the original, though I doubt he recognizes it.

You can use sam system security policies and set global policies for the system. root access is required for this.

There are other ways to do it as well.

SEP

Re: Password Aging

Muthukumar_5 — Fri, 06 Aug 2004 10:18:28 GMT

You can use /etc/default/security file for this.

# Standard and Shadow modes only: number
# of days that passwords are valid
# PASSWORD_MAXDAYS=175
# PASSWORD_MINDAYS=14

Or we can do it with passwd command.

Change the password expiration date of user to 42 days in the files
repository:

passwd -r files -x 42 user

See passwd man page EXAMPLES part to know more.

Re: Password Aging

Jerry Gamblin — Fri, 06 Aug 2004 10:22:15 GMT

Steve,

I was going to proceed with changing the password policy through SAM but I got an error about a turning it into a trusted database (see attached). Is it a bad idea to do this? Could this break something else on the machine or is this a suggested HP procedure.

Re: Password Aging

john kingsley — Fri, 06 Aug 2004 10:31:53 GMT

This information can be set using the passwd command. Chech the man page for details.
----------------
If you are not using a shadow file, this information is addeded to the end of the password field:

user1:PPPPPPPPPPPPP,AMWW:uid:gid:user_name
Where:
A (1 character) - # of weeks for which a password is valid
M (1 character) - # min number of week which must pass before a user can change their password.
WW (2 character) - # of weeks since password was changed. Weeks are counted from the beginning of 1970.

There are 64 valid characters that are used in the password field. Each character is used to represent a digit. The valid characters are: â .â for 0, / for 1, A through Z, for 12 through 37, and a through z for 38 through 63.

So, for example:
user1:PPPPPPPPPPPPP,O/7Q:uid:gid:user_name
Password is valid 26 weeks.
Password can't be changed for 1 week.
Password was last changed 7/8/04

----------------
If you are using a shadow file, setting up password aging is much simpler:
user1:PPPPPPPPPPPPP,ddddd,m,xxx,ww:::

dddddd - # of days since password was changed. Weeks are counted from the beginning of 1970.

m - # min number of days which must pass before a user can change their password.

xxxx - # of days for which a password is valid
ww - # of days a user will receive warning messages prior to the password expiring.
---------------------

The command:

password -s -a

will show you the aging information set for your users:

user1 PS 07/08/04 7 1

Re: Password Aging

Muthukumar_5 — Fri, 06 Aug 2004 10:35:45 GMT

Hai,

You are trying to change your system as Truseted one. I hope you have a knowledge on that.

It will make passwd file with * as passwd in every passwd. It will make your system as very secure.

If you put yes it will change your system to truseted one.

See more about the difference between them
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=638058

If you want to use your system as normal one with this requirement then use passwd command settings / /etc/default/security file settings

Muthu.