topic Re: days between password changes problem in Operating System - HP-UX

days between password changes problem

Gord Moore — Tue, 14 Sep 2004 12:30:20 GMT

Am I doing something wrong or is this a feature?

I recently changed the system-wide default for "Time between password changes (Days)" via SAM --> Auditing and Security --> System Security Policies --> Password Aging Policies, and set the number of days to 7, which should mean that a user cannot change passwords until 7 days have elapsed (to prevent quick changes to re-use the password). That sounds good and seems to work.

It seems to work too well. An account was deactivated due to password lifetime expiry. So in SAM I reactivated the account and the system generated a password. The user was able to log in using that password, but could not change it.

Password cannot be changed. Reason: minimum time between password changes.

I thought that if root changed the password, it should either request a new one immediately, or allow the user to change their own. How do I get password resets/account reactivations to ignore the "days between" rule?

This is on an HP-UX 11i system with Trusted passwords.

Thanks.

Re: days between password changes problem

RAC_1 — Tue, 14 Sep 2004 12:38:35 GMT

/usr/lbin/getprpw -m mintm user_name
/usr/lbin/getprpw -m spwchg user_name

The spwchg should be the date when you reactivated the account ans set the password for user. If not this is the problem. I think this is what trusted system gives.

Anil

Re: days between password changes problem

Sundar_7 — Tue, 14 Sep 2004 12:44:30 GMT

Gord,

Check the exptm and mintm settings for the user.

If the value for exptm is LESS than mintm then the user CANNOT change the password

# /usr/lbin/modprpw -m exptm=0,mintm=1

# su -

passwd
Password cannot be changed. Reason: minimum time between password changes.

user /usr/lbin/getprpm -m exptm,mintm to get the settings.

If needed set using /usr/lbin/modprpw command.

--Sundar.

Re: days between password changes problem

Sridhar Bhaskarla — Tue, 14 Sep 2004 19:52:52 GMT

Hi,

You are right. Even if root changes the password, the restriction will still be applied.

I do the following in such cases.

1. Ask if the user knows the password on the system. If so, simply run 'modprpw -k ' and the user should be able to login.

2. If the user doesn't know the password, there are two options
a. Ask for a HP system where user knows the password. Simply grab the encrypted string from /tcb/files/auth// file from that system and replace the existing encrypted string with it on the local system. Run "modprpw -k '.
b. If the user doesn't have a working account on any other HP system, then generate an encrypted password for yourself using /usr/lib/makekey program. It takes exactly 10 chars with first 8 being the password. The last two chars are to be random and are called salt. For ex., to set a password of "Bla123!" do

echo "Okay123!xy" |/usr/lib/makekey

Copy the encrypted string thus generated and put it in the users' tcb file and run 'modprpw -k '.

Note that editing the user tcb files is not a clean method. Ensure that no other SA is on the system doing account related stuff while you are editing the tcb files.

-Sri

Re: days between password changes problem

Gord Moore — Wed, 15 Sep 2004 10:18:03 GMT

Thanks Anil and Sundar.

I am going to copy Sri's answer into my tip book because it really answers the question that I cannot ignore the "days between" rule. It seems a kludge to have to edit the tcb files manually. Oh well.

Thanks all.