topic Re: Password Life scripting -- modprpw in Operating System - HP-UX

Password Life scripting -- modprpw

rmueller58 — Wed, 03 Dec 2008 14:51:37 GMT

We are discussing the possibility of defining a password life of 90 days, currently the value is null. We have several school districts, our largest wants it the others do not.

I am wanting to work out the command for doing the district in question, I can get the users based on the HOMEDIR because we have segregated districts in this way,

/home/$DIST/$user

1st, question what is the MODPRPW command to define password life?

Is it possible to read from a file containing those users in the districts in question?

such as

for uuname in `cat districtuser.txt`
do
/usr/lbin/modprpw -m mintm= $uuname
done

What is the commandline option for defining the mintm? I noticed in the man pages it is 86400? is that hours or minutes?

Anyone else have a method I'd appreciate the help..

Re: Password Life scripting -- modprpw

James R. Ferguson — Wed, 03 Dec 2008 15:04:31 GMT

Hi:

The 'modprpw' command applies to trusted systems.

> What is the commandline option for defining the mintm? I noticed in the man pages it is 86400? is that hours or minutes?

According to the manpages, the values are in days, althogh the database retains them in seconds. The value 86400 = (60*60*24) or the number of seconds in one day.

To read input, you could do:

while read UUNAME X
do
/usr/lbin/modprpw -m mintm=90 ${UUNAME}
done < districtuser.txt

...This assumes that each line of the input file contains a whitespace delimited account name as the first (perhaps only) field.

Regards!

...JRF...

Re: Password Life scripting -- modprpw

Ganesan R — Wed, 03 Dec 2008 15:24:07 GMT

Hi,

Few updates along with James reply. You can use getprpw command to know the existing values for the user. There are two kind of policies.

1.System level security policies. Applicable to all users.

2.User level security policies. Applicable to specific user.

# /usr/lbin/getprpw test
uid=101, bootpw=NO, audid=13, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1,
.......

If the values for exptm, lftm, mintm, and expwarn are equal to -1, this means that the user is using the system security policy options defined in SAM. Looking at this example:

# /usr/lbin/getprpw test2
uid=102, bootpw=NO, audid=14, audflg=1, mintm=2, maxpwln=-1, exptm=30, lftm=50,
spwchg=Thu Nov 21 18:07:34 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=2, usrp
.......

User test2 is not using the system security options (values are not equal to -1) exptm=30, lftm=50, mintm=2, expwarn=2

Changing the system security options in SAM will not have an impact on this user (test2). But you can change user security options with SAM or from the command line.

These are the policies related to password aging.

Password Aging Policies
exptm ==> Password Expiration Time (days)
expwarn ==> Password Expiration Warning Time (days)
lftm ==> Password Life Time (days)
mintm ==> Time Between Password Changes (days)

So whatever mention with modprpw will be in days.

Note that you need to set "exptm" for password expiration not "mintm" . "mintm" means ,after "mintm" days the user can change the password again to either a new
password or back to the old password (Time Between Password Changes)

Hope this helps.

Re: Password Life scripting -- modprpw

rmueller58 — Wed, 03 Dec 2008 16:20:44 GMT

James,

Yes, I will have a user list with the userid on each line.

I would prefer to define it system wide, but we've got too many hands in the cookie jar. Since we are only a service provider for the district we've got to adjust on a district by district basis..

That helps a lot. I will also be define each account to expire, at same time.

So if I do the script it should look like this correct? (ADDING the "-e")

To read input, you could do:

while read UUNAME X
do
/usr/lbin/modprpw -e -m mintm=90 ${UUNAME}
done < districtuser.txt

Re: Password Life scripting -- modprpw

James R. Ferguson — Wed, 03 Dec 2008 16:24:01 GMT

Hi (again):

Regarding your last question of adding '-e' to the command to look like:

/usr/lbin/modprpw -e -m mintm=90 ${UUNAME}

...yes, according to the manpages that is legal.

Regards!

...JRF...

Re: Password Life scripting -- modprpw

rmueller58 — Thu, 14 May 2009 14:47:01 GMT

Not sure why I didn't close this at the time.. Sorry.