topic SAM, TCB & Changing a users Password in Operating System - HP-UX

SAM, TCB & Changing a users Password

Ivan A. Marshall — Tue, 10 Apr 2001 18:54:45 GMT

Right ... I am needing some help guys ....

I have a little problem when using SAM to add a new user ...

1. I add the user
2. I get a password for the user from SAM/TCB.
3. I have to then find the user, and Modify the password to a standard new password (something like newpassword)
4. And then manually tell SAM to set the expiration to now (so the user will have to change the password).

Now I managed to script a part of SAM to expire the password staright after I created the account (using the POST conditions), but I can not find a way to automate the change of password.

I have to go find the user (I have over a 1000), and then manually change. Or I have to go out into shell and run passwd.

I tried running passwd in the POST condition script, but that just hangs SAM.

I know it doesn't seem like much, but when you have to create 200 users it gets very tiring.

Is there any way that I can use a command (without interaction) to create a new password??

Or, Is there a setting that will tell SAM to let me pick the password at creation (not the Security Setting "Let User decide" , because that still gives me the SAM generated password) ...??

HELP ... HELP

Re: SAM, TCB & Changing a users Password

Jim Moffitt_1 — Tue, 10 Apr 2001 19:14:18 GMT

Ivan, when you're creating the user there is an option called Modify password options. This option allows you to a) leave the password with no restrictions(this is the default), b) force password change at next login, c) allow only super user to change password or d) enable password aging.
on the command line you can also force password change at next login by typing:
passwd -f username

Hope this helps.

Jim Moffitt

Re: SAM, TCB & Changing a users Password

Ivan A. Marshall — Tue, 10 Apr 2001 19:20:29 GMT

Nope ...

You are talking about normal systems ...

Not TCB ...

Anyone else ....??

Re: SAM, TCB & Changing a users Password

Bob Hochstetler — Wed, 11 Apr 2001 12:41:07 GMT

The modprpw command (/usr/lbin/modprpw) may be of some use on a trusted system. I believe it is still unsupported but I found a manpage through searching the IT resource center. It allows a "-w" option to supply an encrypted password for a user. I have not used this feature however.

Re: SAM, TCB & Changing a users Password

Ivan A. Marshall — Wed, 11 Apr 2001 12:55:56 GMT

OK .. I know of modprpw ....

But I can not find reference to a -w on the HP web site ....

So I can supply a password in normal text ...

e.g. modprpw -w testpassword

????

Re: SAM, TCB & Changing a users Password

Jim Moffitt_1 — Thu, 12 Apr 2001 18:44:01 GMT

I just found a man page for you from this question today. Hope it's helpful.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xe505a22d6d27d5118fef0090279cd0f9,00.html

Re: SAM, TCB & Changing a users Password

Christopher Caldwell — Thu, 12 Apr 2001 19:29:05 GMT

Unfortunately, supported HP-UX mechanisms make the task of adding a user w/o operator intervention (i.e. totally by script) are virtually non-existant.

To accomplish your task, you'll want to sharpen up your C pencil.

Depending on the options you chose for Trusted HP-UX, we've done something like

/usr/sam/lbin/useradd.sam -g -d /home/ -c "" -s/usr/bin/ -p "" -o -u

where password is an already crypted password returned by C's crypt() function. In our setup, we also had to "activate" the account by making the password's last changed date current, so that the user isn't prompted to change their password during login. Here's a snippet of code that did the trick:

localpr_passwdent=*mypr_passwdent;
localpr_passwdent.ufld.fd_schange=time(NULL);
localpr_passwdent.uflg.fg_schange=1;
if (putprpwnam(localpr_passwdent.ufld.fd_name, &localpr_passwdent)==0) {
printf("activate: password modify failed\n");
}

Note, if you extract existing passwords from the TCB of one host to bulk build accounts on another host, you don't need the crypt function. The passwords are already crypted.

We used a C program to extract the old account information into a tab delimited file. Then we used a script in conjunction with the "activate" code to set up the accounts on the new system.