topic Re: to set root password expiry as NULL in Operating System - HP-UX

to set root password expiry as NULL

masood bt — Wed, 18 Mar 2009 13:17:26 GMT

serverxx:/ # passwd -s
root PS 02/17/09 0
serverxx:/ #

The test requirement says the root password attributes should be set to NULL

I did
serverxx:/ # passwd -n 0 -x 0 -w 0 root
argument rounded up to nearest week
argument rounded up to nearest week
argument rounded up to nearest week
serverxx:/ #

Now it is

serverxx/ # passwd -s root
root PS 02/17/09 0 0
serverxx/#

I do not want to see any zeroes..any value at all..i.e., the attributes should be set to NULL...can somebody explain me how to acheive this? Thank you.

Re: to set root password expiry as NULL

Steven E. Protter — Wed, 18 Mar 2009 13:28:22 GMT

Shalom,

There is a utility called vipw

It edits /etc/passwd

You can empty out the password field.

You can use sam to change the aging of the root password to not expire.

SEP

Re: to set root password expiry as NULL

masood bt — Wed, 18 Mar 2009 13:56:29 GMT

Hi Steven
I am Masood :-)

Here is the output with only first two lines:
serverxx:/#vipw
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh

The password field has a *

In Sam->accts for users n groups->users->root/actions/security policies->passwd ageing policies is disabled already

Re: to set root password expiry as NULL

masood bt — Wed, 18 Mar 2009 14:02:21 GMT

Steven
I cannot anything like password expiry in sam
I do not fully understand the significance of removing the * in the /etc/passwd

I want no zeroes here
serverxx:/ # passwd -sa
root PS 02/17/09 0 0

Also..
I had been to this page
#man modprpw
:my own extracts for you..I am not sure though:
modprpw(1M) modprpw(1M)

-e This option is specified with a user name to expire the specified
user's password. It zeroes the successful change time.

May be combined with options -l, -m, -n.

Boolean values are specified as YES, NO, or DFT for system
default values (/tcb/files/auth/system/default). Numeric values
are specified as positive numbers, 0, or -1. If the value -1 is
specified, the numeric value in the database is removed, allowing
the system default value to be used. Time values are specified
in days, although the database keeps them in seconds.

No aging is present if the following 4 database parameters are
all zero: u_minchg, u_exp, u_life, u_pw_expire_warning.

Re: to set root password expiry as NULL

Paul McCleary — Wed, 18 Mar 2009 15:58:08 GMT

Hi Masood,

Looking at passwd man page I'm not sure what you're doing is valid:

-s name Display some password attributes associated with the
specified name. Superuser privilege and non-trusted
mode is required if the files repository is specified.

I assume you have a trusted configuration as you have an asterick in the user password field and you are looking at trusted system commands (modprpw).

HTH, Paul

Re: to set root password expiry as NULL

Paul McCleary — Wed, 18 Mar 2009 16:16:56 GMT

What you mention above is:

modprpw -m mintm=0,lftm=0,exptm=0,expwarn=0 root

Maybe you should then use getprpw to check this, as opposed to passwd -s.

Info on DB fields:

mintm=value database u_minchg=(value*86400).

Set the minimum time interval between
password changes (days). 0 = none. Same as
non-trusted mode minimum time.

lftm=value database u_life.

Set password life time interval (days). 0 =
infinite.

exptm=value database u_exp=(value*86400).

Set password expiration time interval (days).
0 = expired. Same as non-trusted mode
maximum time.

expwarn=value database u_pw_expire_warning=(value*86400).

Set password expiration warning time interval
(days). 0 = none.

HTH, Paul

Re: to set root password expiry as NULL

masood bt — Wed, 18 Mar 2009 23:43:56 GMT

Here it is:
serverxx:/ # /usr/lbin/getprpw root
uid=0, bootpw=YES, audid=0, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=-1, spwchg=Tue Feb 17 17:02:10 2009, upwchg=Tue Mar 17 16:59:08 2009, acctexp=-1, llog=-1, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Mar 19 00:42:15 2009, ulogint=Wed Mar 18 12:40:02 2009, sloginy=console, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000
serverxx:/ #

What does this say??

Re: to set root password expiry as NULL

Dennis Handly — Thu, 19 Mar 2009 04:49:08 GMT

>What does this say?

A question to you would be what fields do you not understand?

getprpw(1m) lists all of the fields under -m.
It also says you can look at prpwd(4) for more details:
http://docs.hp.com/en/B2355-60130/getprpw.1M.html
http://docs.hp.com/en/B2355-60130/prpwd.4.html

Re: to set root password expiry as NULL

Suraj K Sankari — Thu, 19 Mar 2009 05:01:34 GMT

Hi,

Here is the meaning of this values.

uid user uid
bootpw boot authorization flag
audid audit id
audflg audit flag
mintm minimum time between password changes
maxpwln maximum password length
exptm password expiration time
lftm password lifetime
spwchg last successful password change time
upwchg last unsuccessful password change time
acctexp account expiration time
llog last login time interval
expwarn password expiration warning time
usrpick whether user picks password, YES/NO/DFT
syspnpw whether system generates pronounceable passwords, YES/NO/DFT
rstrpw whether password is restricted, i.e, checked for triviality, YES/NO/DFT
nullpw NULL passwords are allowed, YES/NO/DFT. Not recommended!
syschpw whether system generates passwords having characters only, YES/NO/DFT
sysltpw whether system generates passwords having letters only, YES/NO/DFT
timeod time of day allowed for login
slogint time of last successful login
ulogint time of last unsuccessful login
sloginy tty of last successful login
culogin consecutive number of unsuccessful logins so far
uloginy tty of last unsuccessful login
umaxlntr maximum unsuccessful login tries
alock administrator lock, YES if on, NO if off, DFT if not set.
lockout returns the reason for a lockout in a "bit" valued string,
where 0 = condition not present,
1 is present. The position,

for more info do man getprpw

Suraj

Re: to set root password expiry as NULL

masood bt — Thu, 19 Mar 2009 14:50:29 GMT

Attached getprpw output for root
Now seeing those lines..can I say the attributes set for user root are set to NULL?

Re: to set root password expiry as NULL

Dennis Handly — Fri, 20 Mar 2009 03:29:19 GMT

You have 0 for: mintm exptm expwarn
But -1 for: lftm acctexp
-1 means never set but modprpw(1M) says these should be 0.

>the attributes should be set to NULL

What do you expect to achieve with NULL (probably -1) vs 0?

Re: to set root password expiry as NULL

masood bt — Fri, 20 Mar 2009 03:34:05 GMT

The tester says he wants there should be no password aging set for root user

he wants min,max and warn attributes for root as NULL

Re: to set root password expiry as NULL

Dennis Handly — Fri, 20 Mar 2009 20:17:01 GMT

>there should be no password aging set for root user. he wants min, max and warn attributes for root as NULL

0 is/does the same thing.

Re: to set root password expiry as NULL

masood bt — Mon, 23 Mar 2009 13:39:38 GMT

getprpw and modprpw are the correct commands to check and modily the root user attributes on a trusted hp ux system