topic Re: password expiry date in hp unix. in Operating System - HP-UX

password expiry date in hp unix.

krissh89 — Tue, 03 Mar 2015 02:18:56 GMT

OS version :HPUX 11i v3

system is trusted.

How can I find the password expiry date for a user in hp UX11i v3 under trusted system.

When I run

#passwd -sa

krish345 PS ---- > I can't see password aging.

When I run

#getprpw -l krish345

uid=655, bootpw=NO, audid=289, audflg=1, mintm=-1, maxpwln=8, exptm=-1, lftm=-1, spwchg=Thu Feb 26 07:49:25 2015, upwchg=-1, acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Mon Mar 2 14:19:13 2015, ulogint=-1, sloginy=-1, culogin=0, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000

All values are set to -1, What does -1 refer to.

-1 says that there is no password aging ?

When i run

#cat /etc/default/security | grep -v "#"

PASSWORD_MIN_DIGIT_CHARS=1
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=3

Nothing is defined at /etc/default/security.

How can I find password expiry from all the above 3 outputs.

Regards

krissh

P.S. This thread has been moevd from HP-UX > System Administration to HP-UX > security. - Hp Forum Moderator

Re: password expiry date in hp unix.

Bill Hassell — Tue, 03 Mar 2015 03:02:47 GMT

Yes, the -1 means the feature is not set.

The security file and other security settings in HP-UX have been very fragmented and poorly documented. I created a sample security file based on various docs and some testing. The settings in the security man page are not active if they are not actually set in the security file. Another very bizarre feature is that the "#" character cancels the entire line no matter where it appears. So the common technique to add comments at the end of a valid line will (silently) cancel the setting.

(this is one of two very unexpected behaviors in a settings file, namely /etc/syslog.conf where *ANY* space anywhere on the line cancels the line's directive, only tabs are allowed)

Here is an example security file. It can be used in any version of HP-UX from 11.00 and later, but settings that do not apply for theHP-UX version, patches and security level are ignored.

#####################################################################
#####################################################################
##                                                                 ##
##  Security file: /etc/default/security -- 11.00 and higher only  ##
##                                                                 ##
#####################################################################
#####################################################################

# Note: the contents of the security file settings are version
#       specific.  See the man page: man security

# Comments (#) allowed separate lines, but a trailing
#    or imbedded # will also disable the setting
#    (just like syslog.conf with spaces)

# Access controls (11.0 and higher)
###########################################################

# NOLOGIN=1 will enable the no logins allowed policy.
# NOTE: This attribute only applies to the applications
# that use session management services provided by
# pam_hpsec(5) as configured in /etc/pam.conf, or
# those services that indirectly invoke the
# login(1) command.
#
# This prevents *ANY* non-root user from logging in when the file
#   /etc/nologin
# exists.  This file can be anything (including null) but will
# be displayed before auto-logoff. Typically, a message about
# system maintenance is stored there:
#
# SYSTEM ABC IS DOWN FOR MAINTENENCE, BACK at 11am
#
# Remove the file for normal logins.

NOLOGIN=1

# Number of logins allowed for each user (0=unlimited)
NUMBER_OF_LOGINS_ALLOWED=0

ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Standard and Shadow modes only: Enable or
# disable the display of the last successful
# and unsuccessful login at the next login.
# (1=enable, 0=disable)

DISPLAY_LAST_LOGIN=1

# Standard and Shadow modes only: Expire non
# root local accounts that have had no logins
# for the specified number of days. If zero,
# inactive accounts are not expired.

INACTIVITY_MAXDAYS=0

# Standard and Shadow modes only: Allow
# logins only during specified time periods.
# LOGIN_TIMES=Any


# Single user mode authorization (11i and non-trusted only)
###########################################################
# Requires root password to get into single user mode (CAREFUL)
#     BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
#     BOOT_USERS=bill,jane,joe

# Password controls - Trusted Systems only
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

PASSWORD_MAXDAYS=120
PASSWORD_MINDAYS=7
PASSWORD_WARNDAYS=7

# Session controls
##################


# Default umask value upon login. Note: This
# attribute controls umask(2) of all sessions
# initiated via pam_unix(5) and/or pam_hpsec(5).
# Must have a leading zero to denote octal.

UMASK=0022

## su default values:
## SU_ROOT_GROUP=suroot
## SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
## SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD

Re: password expiry date in hp unix.

krissh89 — Tue, 03 Mar 2015 05:42:04 GMT

From your comment I understand that if value is -1 then password aging is not set which means the password will never expire.

Then why we are setting lftm, exptm, mintm, expwarn to zero to make password never expire.

Then what is the difference between -1 and 0.

Re: password expiry date in hp unix.

Bill Hassell — Wed, 04 Mar 2015 02:01:57 GMT

The man page for getprpw defined the numeric values:

Numeric values are specified as positive numbers, 0, or -1.  A  value of -1 indicates that the field has not been assigned a value in the database.

So -1 means that there is no value has been assigned and therefore default behavior is effective. 0 means the value is explicitly set to not take effect, and positive numbers indicate the numeric value for the setting such as days to warn for a password expiration.

Re: password expiry date in hp unix.

Per Christensen_1 — Wed, 04 Mar 2015 08:48:58 GMT

You can use "secweb" command to see the default settings.

Can also be found in /tcb/files/auth/system/default but then you have to calculate yourself, as values are listed in seconds.

u_exp#2592000 = 30 days ( 2592000 / 86400 )

Cheers,

Per

Re: password expiry date in hp unix.

KathyL1 — Tue, 11 Aug 2015 03:57:19 GMT

The following script will print the password expiry date for an individual user on a Trusted System:

#!/usr/bin/sh

# Has the system been converted to Trusted Mode?
TCB_DIR=/tcb/files/auth/
if [ ! -d $TCB_DIR ]
then
    echo "\n\nSystem has not been converted to Trusted Mode\n\n"
    exit
fi

USER=$1
TCB_FILE=$TCB_DIR/`echo $USER | cut -c1`/$USER

# Is there a password file for this user?
if [ ! -f $TCB_FILE ]
then
    echo "\n\nThe password file $TCB_FILE does not exist for $USER\n\n"
    exit
fi

DEFAULT_EXPIRY=`grep u_exp $TCB_DIR/system/default | awk -F'#' '{print $4}' | cut -d ':' -f1`
USER_CHANGED=`grep u_succhg $TCB_FILE | awk -F'#' '{print $2}' | cut -d ':' -f1`
USER_EXPIRY_TICKS=`expr $DEFAULT_EXPIRY + $USER_CHANGED`
echo "\nPassword for user \"$USER\" expires on: " `perl -MPOSIX -e "print strftime \"%d-%b-%y %H:%M:%S\n\",localtime($USER_EXPIRY_TICKS)"`

Re: password expiry date in hp unix.

chindi — Thu, 16 Jul 2015 11:26:16 GMT

Hi ,

When am using above script am not able to get valid dates , i mean its showing earlier dates .

Re: password expiry date in hp unix.

KathyL1 — Tue, 11 Aug 2015 03:58:59 GMT

Apologies - I made a typo in my original post.

I've updated it with the correct information (and added some additional tests).

Re: password expiry date in hp unix.

chindi — Tue, 11 Aug 2015 06:36:37 GMT

Thanks a ton.

Its working now.