topic Re: password aging policies in HP-UX in Operating System - HP-UX

password aging policies in HP-UX

senthil_kumar_1 — Tue, 31 Mar 2009 08:28:41 GMT

Hi

I want to view the password aging policies of the user such as minimum days, maximum days, warning days, date of last password change and password expire date.

Re: password aging policies in HP-UX

Ganesan R — Tue, 31 Mar 2009 08:38:45 GMT

Hi Senthilkumar,

Use this command.

#/usr/lbin/getprpw

Re: password aging policies in HP-UX

Steven E. Protter — Tue, 31 Mar 2009 08:39:12 GMT

Shalom,

See /etc/default/security

There is a man page and current settings can be viewed.

http://www.docs.hp.com/en/B2355-60103/security.4.html

http://docs.hp.com/en/B2355-60127/security.4.html

SEP

Re: password aging policies in HP-UX

Ganesan R — Tue, 31 Mar 2009 08:43:20 GMT

# /usr/lbin/getprpw test
uid=101, bootpw=NO, audid=13, audflg=1, mintm=2, maxpwln=-1, exptm=30, lftm=40,
spwchg=Thu Nov 21 18:07:34 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=2, usrp
ick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DF
T, timeod=-1, slogint=Thu Nov 21 16:08:10 2002, ulogint=Thu Nov 21 16:07:13 2002
, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000100

Password Format Policies:

maxpwln ==> Maximum Password Length
nullpw ==> Allow Null Passwords
rstrpw ==> Use Restriction Rules
usrpick ==> User Specifies
syschpw ==> System Generates Character
sysltpw ==> System Generates Letters only
syspnpw ==> System Generates Pronounceable

Password Aging Policies

exptm ==> Password Expiration Time (days)
expwarn ==> Password Expiration Warning Time (days)
lftm ==> Password Life Time (days)
mintm ==> Time Between Password Changes (days)

NOTE: If password aging is disabled, all above parameters are set
to 0.

General User Account Policies

bootpw ==> Require Login Upon Boot To Single-User State
llog ==> Maximum Inactive Time (days)
umaxlntr ==> Unsuccessful login Tries Allowed

NOTE: If Lock Inactive Accounts is disabled, llog is set to 0.

Terminal Security Policies

dlylntr ==> Delay Between Login Tries (sec)
lntmout ==> Login Timeout Value (sec)

Re: password aging policies in HP-UX

Sajjad Sahir — Tue, 31 Mar 2009 08:49:09 GMT

Dear Senthil

configuration file is /etc/defualt/security
u can do passwd length passwd aging also a number of thing in this file see the above posting also

thanks and regards

Sajjad Sahir

Re: password aging policies in HP-UX

senthil_kumar_1 — Tue, 31 Mar 2009 08:50:13 GMT

I get following output when i tried to execute this command.

root@lgapps:/root > /usr/lbin/getprpw test
System is not trusted.

Pls help me.

Re: password aging policies in HP-UX

Sajjad Sahir — Tue, 31 Mar 2009 08:52:51 GMT

Dear Senthil

this is available in trusted system
modprpw, getprpw etc..

u system is not trusted.

u can do passwd aging a lot of things in /etc/default/security file see more parameters from there

thanks and regards

Sajjad Sahir

Re: password aging policies in HP-UX

senthil_kumar_1 — Tue, 31 Mar 2009 08:54:48 GMT

There is no file "/etc/default/security" in my system.

Re: password aging policies in HP-UX

Ganesan R — Tue, 31 Mar 2009 09:02:48 GMT

Hi Senthilkumar,

If your system is not converted as trusted, then you cannot use modprpw,getprpw commands.

But still you can set password policies on /etc/default/security file.

see man security

Many things you can do with security.

If you want to know existing password status use the below command

#passwd -sa -> for all users
#passwd -s -> for individual user

Re: password aging policies in HP-UX

Johnson Punniyalingam — Tue, 31 Mar 2009 09:33:44 GMT

Hi Senthil Kumar,

On non-trusted systems, general password policy is set by the week, not the day. That is why you had to run a special command, shown above to expire a user the next day.

The passwd -s output is still meaningful. After 7 days if not used, both accounts will be locked.

You have considerable flexibility in setting policy on a non-trusted sysetm.

/etc/default/security configuration will let you set general policy to meet your organizations guidelines.

Thanks,
Johnson

Re: password aging policies in HP-UX

T G Manikandan — Tue, 31 Mar 2009 09:40:25 GMT

Unless your server is converted to trusted which means you have the /tcb directory , the /etc/default/security file and all its parameters work.

Without converting to a trusted system , the password aging policies dont work, except the changes which you can do with /etc/passwd file for the non-trusted systems.

Re: password aging policies in HP-UX

Md. Farhan A Azam — Tue, 31 Mar 2009 09:40:59 GMT

Hi Senthil,

Fisrt check that your system is in trusted mode or not.

If not then -
#sam> Press "Return" to continue> Auditing and Security> System Security Policies> (Do you want to convert to a Trusted System now?)Press on Yes> ok> Select [Password Aging Policies]> Enable the Password Aging:> then change the value as per your requirement.

Thnx...Farhan

Re: password aging policies in HP-UX

Md. Farhan A Azam — Tue, 31 Mar 2009 09:45:31 GMT

Hi,

#sam> Press "Return" to continue> Auditing and Security> System Security Policies> Select [Password Aging Policies], from here you can check password aging plocies.

Thnx...Farhan

Re: password aging policies in HP-UX

Bill Hassell — Tue, 31 Mar 2009 10:18:41 GMT

> ... password aging policies of the user such as minimum days, maximum days, warning days, date of last password change and password expire date.

Other than the expiration time and the minimum time before another password change can be made, there are no other password controls available on your system. The /etc/default/security file must be created by you but read the man page for security. There just a couple of options that will work -- all the others will be ignored until you convert to a Trusted System. Depending on your version of HP-UX, you may also choose Shadow Password protection or Security Enhancement/Containment.

Re: password aging policies in HP-UX

senthil_kumar_1 — Thu, 25 Jun 2009 16:09:28 GMT

Hi All,

Just now i converted my hpux in to trusted mode using SAM.

Now i am able to find the folder "/tcb/files/auth"

My problem is just now i have created one user, i am not able to change the password for that user.

Ex:

# useradd sentest

# passwd sentest

Password cannot be changed. Reason: Cannot access protected password entry.

I am getting the above error.

And i am not able to run the command "getprpw".

Ex:

root@lgsna:/tcb/files/auth/r > getprpw sentest
sh: getprpw: not found.

root@lgsna:/tcb/files/auth/r > usr/lbin/getprpw sentest
sh: usr/lbin/getprpw: not found.

My questions:

1) How to set / reset the password when server is at trusted mode.

2) How to get the command "getprpw".

Re: password aging policies in HP-UX

OldSchool — Thu, 25 Jun 2009 17:13:07 GMT

Ganesan R noted
"# /usr/lbin/getprpw test"

-and you did-

"root@lgsna:/tcb/files/auth/r > getprpw sentest
sh: getprpw: not found."

do *you* see the difference? do you know at least 2 ways to correct the issue?

hint: what's your path?

Re: password aging policies in HP-UX

OldSchool — Thu, 25 Jun 2009 17:20:45 GMT

and if all you need are the min days / max days / number of days warning, that should work on an "untrusted" system....at least it did on 11.0 w/ patches applied

Re: password aging policies in HP-UX

senthil_kumar_1 — Mon, 29 Jun 2009 11:48:47 GMT

Hi All,

i have converted my system into trusted.

I would like to practice all the features of trusted system like "getprpw", "modprpw",
"configuring /etc/defaults/security", "password aging policies" and "auditing".

So i need best guide (pdf / html) to practice above things.

Re: password aging policies in HP-UX

James R. Ferguson — Mon, 29 Jun 2009 11:54:55 GMT

Hi Senthil:

I trust (no pun intended) that you realize that Trusted Sysem security is deprecated with 11.31 and that the 11.31 release is the last that will support it.

In my opinion, you would be in a better postion to convert to a shadow implementation and begin to explore the evolving features built upon that.

http://docs.hp.com/en/5992-3387/index.html

Regards!

...JRF...

Re: password aging policies in HP-UX

Steven E. Protter — Mon, 29 Jun 2009 13:02:03 GMT

Shalom again,

/usr/lbin/getprpw test

This and the associated comands will work on a trusted system.

passwd -sa will provide you a good report and flag users that have not logged in and changed their passwords recently.

Trusted system is as JRF notes orphan technology, and you may wish to study alternatives so that your future HP-UX 11 v 4 systems will work with older systems.

Shadow password is available from http://software.hp.com and may be built into 11.31. Shadow password is based on Linux which will make it easier not to remember two different rule sets when dealing with multi platform systems.

SEP