topic Disabling password aging - HPUX 11.31 in Operating System - HP-UX

Disabling password aging - HPUX 11.31

PatRoy — Tue, 13 Jan 2009 16:52:19 GMT

Hi.

Running HPUX 11.31... in UNtrusted mode.

I'm trying to disable password aging for one particular user. If I try setting PASSWORD_MAXDAYS in SMH to -1, like it says to disable it (i.e. -1...441 Maximum number of days that a password is valid (-1=Disable aging), I keep getting the following error:

The user value for PASSWORD_MAXDAYS is out of range.

If I try with userdbset:

userdbset -u username PASSWORD_MAXDAYS=-1

I get: Unknown attribute : PASSWORD_MAXDAYS

Why?? What gives?? I've got SMH A.2.2.9.1 installed.

Regards, Pat

Re: Disabling password aging - HPUX 11.31

Avinash20 — Tue, 13 Jan 2009 17:13:33 GMT

Are you using shadow password file since there was an issue where /etc/default/security
overrides /etc/shadow

Re: Disabling password aging - HPUX 11.31

PatRoy — Tue, 13 Jan 2009 18:13:05 GMT

Nope. Ain't using shadow. Passwords are encrypted within /etc/passwd.

SHould I be using shadow?

Re: Disabling password aging - HPUX 11.31

Avinash20 — Tue, 13 Jan 2009 18:37:21 GMT

No, its not required.
Might be there is some other issue
You need to wait for our experts to revert to your issue,

Re: Disabling password aging - HPUX 11.31

Dennis Handly — Wed, 14 Jan 2009 04:41:44 GMT

>Why?? What gives??

You could always use vipw(1m) to remove the aging subfield out of the password field. From the comma to the end.

Re: Disabling password aging - HPUX 11.31

PatRoy — Fri, 16 Jan 2009 21:04:24 GMT

Here's a note I've got from HP after submitting a case for it...

>>> HPSupport_AM 14/01/2009 3:38 pm >>>

FR: alonso_baldioceda

Patrick,

There is an Enhancement request filed with the reference number QXCR1000821184 to resolve this issue.

As per the manual pages of passwd(1) and security(4), setting PASSWORD_MAXDAYS=-1 will disable the password aging. But values specied in system-wide configuration file /etc/default/security do not take effect. So it is no possible disable password aging per user overriding the system default to use password aging.

Unfortunately there is no a fix currently and there is no a release date for the patch.

Thanks,
Alonso

======================

My original note:

Running HPUX 11.31 on an Untrusted system and trying to disable password aging for 1 user from the SMH web interface. Not yet running with shadow passwords.

Just like it says for PASSWORD_MAXDAYS: -1...441 Maximum number of days that a password is valid (-1=Disable aging)

I did exactly that. Put in -1. It keeps telling me -1 out of range???

Now if I go into the tui version of SMH, I read the following warning:

The per user value for the security attributes PASSWORD_MINDAYS, PASSWORD_MAXDAYS and PASSWORD_WARNDAYS cannot be removed individually.

How are we supposed to disable password aging for 1 user only? PASSWORD_MAXDAYS is set to 60 in /etc/default/security.

Re: Disabling password aging - HPUX 11.31

OldSchool — Fri, 16 Jan 2009 23:47:35 GMT

OK....the PASSWORD_MAXDAYS and whatnot are in the default security files. They are applied when the user is first created and then not referenced. Disabling them w/ -1 will only apply to users created after the change.

I have no clue what userdbset does, so I can't comment on why you see the results you do.

For a specific user, you can:

a) remove the aging information for an individual user using "vipw" as Dennis noted. in the following example:

testusr:asdcasd,asd:.......

you would want that to read:

testusr:asdcasd:.......

or:

b)as "root", you can try:

passwd testusr -n 0 -x 0

NOTE:
I prefer the "vipw" method, as I *know* that will work

Re: Disabling password aging - HPUX 11.31

Javed Khan_1 — Sat, 17 Jan 2009 12:51:31 GMT

Hi,

remove password aging field from password i.e after comma

if you are not familiar with editing /etc/passwd

use SAM to disable password aging

SAM-Accounts for Users and Groups-Local users-select account-Modify password option -set password option to No Restrictions (Normal Behavior)

Javed