topic Re: User Password in Operating System - HP-UX

User Password

Jacqueline Nguyen — Thu, 28 Mar 2002 16:51:15 GMT

I run the following command to check the user password expiration date but no success. Can anyone give me hints on how to set up the date while changing the password of any user. Thanks in advance.
#logins -x -l jackien
jackien 375 cmsi 201 Jackie Nguyen
/disk1/ACCT
/bin/sh
PS 000000 -1 -1 -1

The last line shown no date, no time change and no expiration days.
Please advise. Thanks.

Re: User Password

MARTINACHE — Thu, 28 Mar 2002 16:56:04 GMT

Hi,

try getprpw comnnand :

getprpw -l your_user

regards,

Patrice

Re: User Password

MARTINACHE — Thu, 28 Mar 2002 16:58:16 GMT

getprpw is under /usr/lbin/

Re: User Password

H.Merijn Brand (procura — Thu, 28 Mar 2002 17:00:54 GMT

getprpw only works on a trusted system

Re: User Password

Jacqueline Nguyen — Thu, 28 Mar 2002 17:11:54 GMT

Patrice,
Thanks for the quick response.
I have K360 box and run under 10.20 version. I access the command 'getptpw -l jackien' and the systems gives me an error 'sh: getprpw : not found'.
I look up under /usr/lbin and found the command. Then I type 'man getprpw' with no success (No manual entry for getprpw).
What's else should I do. Thanks.

Re: User Password

Kelli Ward — Thu, 28 Mar 2002 18:33:39 GMT

I should know this, but can't think of a command off the top of my head.
But, looking at the encrypted password in the /etc/passwd file (non-trusted) will tell you password expiration. man passwd for detail on decoding. Assuming password aging is enabled on your system. (You'll see what I mean when you read the passwd man page if this is unfamiliar.)
Best O' luck
Kel

Re: User Password

Darrell Allen — Thu, 28 Mar 2002 19:16:04 GMT

Hi Jackie,

I'm not sure this is exactly what you want...

A superuser can use the passwd command to specify the minimum number of days between password changes (-n min) and the maximum number of days a password can remain unchanged (-x max). For example:
passwd -n 7 -x 56 jackien

That sets the minumum days for a password to 7 and the maximum to 56.

That can also be done thru SAM when you set up a new user or you can modify an existing user.

From your example it looks like these settings are not applied to jackien's account. Do this:
awk -F: '/jackien/ {print $2}' /etc/passwd

The first 13 characters you get from this awk command are the hashed password. The following 5 characters (the first being a comma) are the password aging parameters. If missing, then password aging isn't set.

Try the above passwd command to set the desired password aging parameters and then check the output of your logins command.

Darrell

Re: User Password

Jacqueline Nguyen — Thu, 28 Mar 2002 19:39:06 GMT

Kelli, Thanks for the info.
Darrell, I ran those commands and all my user password aging never been set. Based on the man entry 'passwd(1)', I can change the aging date,etc. However, I have 500 users on the system, is there anyway that I modify passwd aging to all at once instead of each individual.

Any help is appreciated. Thanks a lot. Jackie

Re: User Password

Giri Sekar. — Thu, 28 Mar 2002 19:49:29 GMT

Hi:

Please check if you are running NIS. If so then you have to mention a repository to the passwd -x option. Are you in NIS environment?

Thanks
Giri Sekar.

Re: User Password

Darrell Allen — Thu, 28 Mar 2002 20:03:35 GMT

How about this if it's okay to set them all to the same min and max days...

Get a list of loginids:
awk -F: '{print $1}' /etc/passwd >/tmp/loginids

Edit /tmp/loginids and delete the ones you don't want to set aging for (ie root, sys, etc...)

Set them all:
while read id
do
passwd -n 7 -x 56 $id
done
That's it. Change the number of days to suit.

Just in case there's a problem, make a backup copy of /etc/passwd first and be sure you are logged in as root on a couple of sessions. You can run pwck afterwards (probably a good idea to run it first as well). You should also be sure you can login from a new session before logging out of all the other root sessions.

Darrell

Re: User Password

Darrell Allen — Thu, 28 Mar 2002 20:08:43 GMT

Giri's comment prompts me to say that my suggestion is for local password files only. NIS would be a different thing. Also, modifying /etc/passwd doesn't apply if you have converted to a trusted system.

Darrell

Re: User Password

Sandip Ghosh — Thu, 28 Mar 2002 20:17:10 GMT

First you do one by the passwd -x command. Then go to the /etc/passwd file. If you look at the encrypted passwd portion , you will see the passwd what you have changed through -x has something after ",". Copy the total thing including "," after each encrypted passwd through vi. It should work.

Sandip

Re: User Password

Jacqueline Nguyen — Thu, 28 Mar 2002 20:32:49 GMT

Thank you for pouring me a lot of info. I am fairly new in the System Admin role and I don't want to make any mistake. What's is NIS environment and what is trusted system and untrusted system. How can I check what my system runs under which environment.

Thanks a lot for all your help.

Re: User Password

Darrell Allen — Thu, 28 Mar 2002 21:34:06 GMT

Hi again,

HPUX's concept called "trusted system" is simply a higher level of system security. It utilizes a Trusted Computing Base (tcb) database. Of primary concern is moving the hashed passwords out of /etc/passwd an into files in the tcb.

"/usr/lbin/getprdef" will tell you if your system is trusted or not. Two other indications of running a trusted system are:
1 - the presence of /tcb directory structure
2 - the password field of all entries in /etc/passwd have 1 character (an "*")

NIS is Network Information Service. It is primarily used in larger environments where syncronizing user accounts, passwords, even hosts tables on dozens or even hundreds of systems is desired. You have one server with 500 accounts. Imagine 100 servers with 500 accounts.

To see if you are using NIS do:
grep NIS /etc/rc.config.d/namesvrs

As usual for variables in /etc/rc.config.d files, 0 = no and 1 = yes

Darrell

Re: User Password

Jacqueline Nguyen — Thu, 28 Mar 2002 23:05:26 GMT

Darell,
Based on your instructions, I checked my system and it is not trusted. It is not running under NIS also. I am happy that I have learned new things today.

Hi everyone,
Thank you for all your help. I will continue to experiment the passwd aging process this week end.
Best regards,
Jackie