topic Forcing password change in Operating System - HP-UX

Forcing password change

Mark Parsons — Tue, 16 Apr 2019 15:53:45 GMT

Hi,

We have recently been told to increase the number of characters in our passwords to 14. This we can easily do by amending the MIN_PASSWORD_LENGTH value in /etc/default/security.

However this doesnt enforce the change until the user manually changes their password having logged in with the previous 8 character password..

Is there a setting that will enforce ALL users to change their password accordingly on their next login? I know this can be done for individual users via passwd -f "username" but is there a way of setting it for all?

Release is HPUX 11.31.

Many thanks.

Re: Forcing password change

Bill Hassell — Wed, 17 Apr 2019 00:52:23 GMT

Yes there is a single command and option to expire every entry in /etc/passwd.

HOWEVER, this is *every* entry in the passwd file including subsystems like SAMBA shares, webadmin, www, sfmdb, tftp, oracle, sybase, etc. Now may of these entries may not actually login but serve as an owner for files, etc. Automated logins for file transfers and other remote access will break. So if you force every entry in the passwd file to require a mandatory passwd change, a lot of unexpected things will happen.

So the command is: /usr/lbin/modprpw -E <<<--- DON'T USE IT

Instead, use /usr/lbin/modprpw -e user-name

Then specify a specific user to expire. Then repeat with the other users on the system.

If you have a lot of users, you'll need to do a lot of typing or use a script.

And if the auditors demand every password must change, be sure to schedule downtime to solve system issues.
This will be required because no one remembers the password for certain automated accounts.

Finally: the man page is very poor in documenting the effectiveness of the MIN_PASSWORD_LENGTH setting. It works for Trusted systems but there are other security services besides Trusted. Try the MIN_PASSWORD_LENGTH for a test user to see if it works.

Re: Forcing password change

Mani_Np — Wed, 17 Apr 2019 06:33:02 GMT

Hello,

Bill's suggestion looks apt for your environment.

Else you may try to convert system to trusted and change the required parameters.

Re: Forcing password change

Mark Parsons — Wed, 17 Apr 2019 12:09:05 GMT

Hi,

The server concerned is trusted anyway.

I have run the following on the server as root:

passwd -f user-id

and also

/usr/lbin/modprpw -e user-id

Neither of them seem to work - the user-id concerned does not get asked to change the password on the next login!

(The only thing I can think of is the passwd and/or modprpw isnt taking effect because the root account that is using them has been gained by sudo from the actual user-id concerned)