topic Re: Password Expiration in Operating System - HP-UX

Password Expiration

Global Server Operation — Wed, 24 Apr 2002 14:19:15 GMT

I have a N4000 server running 11.i in a trusted host environment. Password aging is set to 90 days and users are having trouble creating new password. They get the password expiration message but when they are asked to enter their old password to create a new password the system says "sorry password not found" or "Login aborted due to no password" errors?

Any suggestions to resolve this problem will be very helpful.

Re: Password Expiration

Craig Rants — Wed, 24 Apr 2002 14:22:43 GMT

Run authck -p, see what that output says, possibly there is a problem with the protected password database.

C

Re: Password Expiration

S.K. Chan — Wed, 24 Apr 2002 14:28:04 GMT

If the got more than 8 chars in the "old" password, ask him to just entered the first 8 chars.

Re: Password Expiration

Uday_S_Ankolekar — Wed, 24 Apr 2002 14:28:55 GMT

Hi,

It looks like password database is corrupted as Craig mentioned. If nothing works try converting server to untrusted and then try trusting it again.

/usr/lbin/tsconvert -r will unconvert the server

/usr/lbin/tsconvert -c to convert it back.

-Goodluck
-USA..

Re: Password Expiration

Global Server Operation — Wed, 24 Apr 2002 14:40:48 GMT

I tried the authck -p and I get nothing back.

Re: Password Expiration

Global Server Operation — Wed, 24 Apr 2002 14:43:25 GMT

I also unconverted and converted the trusted host. The only thing I can't confirm right now is if the users who are experiencing the problem have passwords longer than 8 characters. If this is the case with passwords more thatn 8 characters, could this be the problem?

Re: Password Expiration

Global Server Operation — Wed, 24 Apr 2002 14:43:39 GMT

Re: Password Expiration

David Burgess — Wed, 24 Apr 2002 14:48:06 GMT

Can root change the users passwords?
passwd
passwd -f will force the user to change their password on next login.

If root can login surely the database isn't corrupt?

Regards,

Dave.

Re: Password Expiration

S.K. Chan — Wed, 24 Apr 2002 14:53:24 GMT

The reason why I suggest the "8 char" thing is that if the user has had the password unchanged since the system was untrusted till now, which is trusted, then the way password encryption works on a trusted and untrusted environment differs. Since trusted system has capability to encrypt more than 8 chars, trying to change the password which was encrypted in an untrusted system will result in a mis-match. This is ONLY true if say userA had a more than 8 char password when the system was untrusted, and now when the system went to trusted, userA wants to change the password. Am I making any sense ?

Re: Password Expiration

Global Server Operation — Wed, 24 Apr 2002 14:57:49 GMT

Root is allowed to change the password and persons we have given su priviledges to are allowed to change the password.

Re: Password Expiration

David Burgess — Wed, 24 Apr 2002 15:11:14 GMT

Therefore if you change a users password to less than 8 characters and force them to change it on login, can they then change their password?

Dave.

Re: Password Expiration

Global Server Operation — Wed, 24 Apr 2002 15:22:36 GMT

I'm waiting from feedback from the customer regarding the number of characters in the old passwords and the new passwords that have been created in a trusted host. I do know that when a customer called in yesterday with the same problem, another system administrator was able to change a user's password which was a 9 character password and create a new password containing 9 characters.

From the previous response, I'm assuming that since the password change was done in a trusted environment we should not have the same problem 90 days from now when the system will expire the user's password.

The situation before was that the users password was created in a non- trusted enviroment and then the system was converted to trusted a few weeks later.

Re: Password Expiration

Craig Rants — Wed, 24 Apr 2002 15:29:02 GMT

To test this out I would do the following

cd /tcb/files/auth/

then vi a users file lets sa s/sj1234

replace the hash between = and : i.e.. :u_pwd=rurCWlXw1t7jg:\ with
:u_pwd=:
Then have them try changing their password then. What this does is to wipe out the old password, so their if it is 9 char that won't come into play, they then will have to enter a 8 char password with a special character.

C

Re: Password Expiration

pap — Wed, 24 Apr 2002 17:56:12 GMT

Hi,
Root can always changes password for asll users.

just su to user and change the password for that user.

else you can edit
/tcb/files/auth/*/username

wheere * is the username's first letter and username is loginid for perticular user.

remove the encrypted password string from this file and change the password.

You can do one thing,

just unconvert the trusted system to normal and clear password filed from /etc/passwd file for all the users , then ask users to enter password they wish.

Thanks,
-pap

Re: Password Expiration

Global Server Operation — Sun, 28 Apr 2002 14:31:16 GMT

In regards to the reply from S.K.Chan, does the mis match of encrypted password files from untrusted and trusted systems apply to all users or just the users that have more than eight characters in their passwords.

Re: Password Expiration

S.K. Chan — Sun, 28 Apr 2002 14:36:16 GMT

Hi, this only affect users that had more than 8 characters password before the system was converted to trusted.

Re: Password Expiration

Niraj Kumar Verma — Mon, 29 Apr 2002 02:36:18 GMT

Hi,

Here is my practical experience,

I was also trying to change the password for an user using the following
==============================
$ /sbin/passwd
Changing password for niraj
Invalid login name.
==============================
Then I tried

=============================
$ /usr/bin/passwd niraj
Changing password for niraj
Old NIS password:
New password:

==============================

ANd it worked !!!! ::)

After this I tried
$ which passwd
/sbin/passwd

I change my search path and it is working fine. you can also try with /usr/bin/passwd

-Niraj