<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Password administration for non-root users in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650999#M240463</link>
    <description>Mel, thanks for the advice.  Our G/L system is CA and I can relate because we still have a 2Gb file limit.&lt;BR /&gt;&lt;BR /&gt;Ken, thank you so much.  This sounds like something we can use.  We are in the process of upgrading this system to a new server which is running 11.23 so I think I will just invest the time and get it running on the new server.  Your examples will be most helpful.  Thanks again.</description>
    <pubDate>Mon, 17 Oct 2005 12:50:57 GMT</pubDate>
    <dc:creator>Jody L. Czub</dc:creator>
    <dc:date>2005-10-17T12:50:57Z</dc:date>
    <item>
      <title>Password administration for non-root users</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650996#M240460</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;I am trying to find out what other companies do to manage a large number of users for password administration.&lt;BR /&gt;&lt;BR /&gt;We run a 24x7 warehouse operation and have several hundred users.  Recently we have gone to hardened passwords and we have a concern over password management for our 3rd shift.  We have a helpdesk that can handle the first two shifts, but there are a large number of supervisors/lead people that we feel uncomfortable giving restricted SAM to.  &lt;BR /&gt;&lt;BR /&gt;Does anyone know of any utilities (they can be 3rd party) or other solutions to get around this?  Restricted SAM works fine but unless I am missing something you can't lock down on just password changes.  A restricted SAM user has a full user menu.  I know you can do some filtering, but if a user forgets a password without locking the account someone still needs the ability to reset.  &lt;BR /&gt;&lt;BR /&gt;Tech support doesn't want to get called for a forgotten password in the middle of the night.&lt;BR /&gt;&lt;BR /&gt;Thanks for any suggestions.</description>
      <pubDate>Mon, 17 Oct 2005 11:12:02 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650996#M240460</guid>
      <dc:creator>Jody L. Czub</dc:creator>
      <dc:date>2005-10-17T11:12:02Z</dc:date>
    </item>
    <item>
      <title>Re: Password administration for non-root users</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650997#M240461</link>
      <description>We started to use the CA's eTrust suite for user administration in all aspects including the password management by non-root users (our internal help desk is capable of doing this now) but overall I am not impressed by the software. Its daemon runs under root user instead of running under a regular user using the applications with sticky bits set as many others do. Its installation scripts must have been written by a 12-year-old script kiddie, or it feels that way as they broke from one system to the other under identical configurations. Almost no error checking whatsoever while installing. Depends on lots of assumptions.&lt;BR /&gt;&lt;BR /&gt;My advice: stay away from it. Actually stay away from any CA product on HPUX. &lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Mon, 17 Oct 2005 11:17:29 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650997#M240461</guid>
      <dc:creator>Mel Burslan</dc:creator>
      <dc:date>2005-10-17T11:17:29Z</dc:date>
    </item>
    <item>
      <title>Re: Password administration for non-root users</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650998#M240462</link>
      <description>We have a similar situation. Using enhanced security, with non-UNIX administrators doing user administration.&lt;BR /&gt;&lt;BR /&gt;To achieve that required a few scripts to be written that added, removed, and unlocked user accounts. The scripts call sudo to call the UNIX commands. The non-administrators never actually have an administrator shell that they work in. They are always normal users.&lt;BR /&gt;&lt;BR /&gt;Each time they actually modify a user account, the script sends an Email to the Sr. UNIX Administrator and the Security Officer. SOX is covered!&lt;BR /&gt;&lt;BR /&gt;To do this, you need to install sudo, if you haven't already done so. If you're running 11.23 you can use the new HP-UX "AccessControl" tool. You will need to invest some programming time to create the script(s). We have a menu-driven script that gathers what information will be required to add, delete, or unlock the user account.  The only data we actually get from the user is the UNIX I.D., everything else we create from within the script.
You could just make simple command line scripts that take one or two parameters, like user name, and if you use more than one, user group.&lt;BR /&gt;&lt;BR /&gt;To add accounts the script calls:&lt;BR /&gt;/usr/local/bin/sudo /usr/sbin/useradd -g $userGroup -d /home/$userAcctName -s /bin/ksh \&lt;BR /&gt;                                        -G $userOthGroups -c "$userFirstName $userLastName" -m \&lt;BR /&gt;                                        -k /opt/soc/stdprofiles/$userType $userAcctName&lt;BR /&gt;&lt;BR /&gt;To delete accounts the script calls:&lt;BR /&gt;/usr/local/bin/sudo /usr/sbin/userdel -r $myUserAcctName&lt;BR /&gt;&lt;BR /&gt;To reset a password the script calls:&lt;BR /&gt;/usr/local/bin/sudo /usr/lbin/modprpw -x $myUserAcctName&lt;BR /&gt;/usr/local/bin/sudo /usr/lbin/modprpw -l -k -m rstrpw=YES,exptm=45,nullpw=NO $myUserAcctName&lt;BR /&gt;&lt;BR /&gt;To lock an account the script calls:&lt;BR /&gt;/usr/local/bin/sudo passwd -l $myUserAcctName&lt;BR /&gt;&lt;BR /&gt;And to re-enable a locked account the script calls:&lt;BR /&gt;/usr/local/bin/sudo /usr/lbin/modprpw -l -k $myUserAcctName&lt;BR /&gt;&lt;BR /&gt;Sorry, can't send you the actual scripts, but this should be enough to get you going.&lt;BR /&gt;&lt;BR /&gt;Best of luck!&lt;BR /&gt;</description>
      <pubDate>Mon, 17 Oct 2005 12:10:43 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650998#M240462</guid>
      <dc:creator>Ken Grabowski</dc:creator>
      <dc:date>2005-10-17T12:10:43Z</dc:date>
    </item>
    <item>
      <title>Re: Password administration for non-root users</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650999#M240463</link>
      <description>Mel, thanks for the advice.  Our G/L system is CA and I can relate because we still have a 2Gb file limit.&lt;BR /&gt;&lt;BR /&gt;Ken, thank you so much.  This sounds like something we can use.  We are in the process of upgrading this system to a new server which is running 11.23 so I think I will just invest the time and get it running on the new server.  Your examples will be most helpful.  Thanks again.</description>
      <pubDate>Mon, 17 Oct 2005 12:50:57 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/password-administration-for-non-root-users/m-p/3650999#M240463</guid>
      <dc:creator>Jody L. Czub</dc:creator>
      <dc:date>2005-10-17T12:50:57Z</dc:date>
    </item>
  </channel>
</rss>

