topic Re: can't change an expired password account in Operating System - HP-UX

can't change an expired password account

Jonathan Caplette_1 — Mon, 19 Nov 2007 11:17:46 GMT

Hi guys,

I've got an HP-UX 11.11 box that is Trusted. I'm experiencing something weird today.

When a user that is password has experied tries to login, he is prompted for is Old password, then the system says Sorry. and ask again for the Password:

Your password has expired.
Changing password for jcaplett
Old password:
Sorry.

Password:
Changing password for jcaplett
Old password:
Sorry.

Password:

It just don't stop looping and asking for Old password... I tried this with my account, and I'm positively sure that I type correctly my password. The account is not disable, neither locked...

Any idea on what can cause that?

Regards
Jonathan

Re: can't change an expired password account

A. Clay Stephenson — Mon, 19 Nov 2007 11:25:05 GMT

Execute "/usr/lbin/getprpw -m lockout user" and note the position of each '1' in this 7 character string. Next do a man getprpw and pay attention to the "lockout" section. That will identify exactly which condition is triggering your lockout. I suspect that all passwords have been expired. You can clear this condition by executing "/usr/lbin/modprpw -k user". Note: If all account have been expired, you will need to bring the box up in single-user and then mount /usr to fix this.

Re: can't change an expired password account

A. Clay Stephenson — Mon, 19 Nov 2007 11:26:07 GMT

By the way, you can also execute /sbin/passwd as it doesn't do the checking that /usr/bin/passwd does.

Re: can't change an expired password account

Jonathan Caplette_1 — Mon, 19 Nov 2007 11:35:23 GMT

The problem is that the accounts aren't locked...

# /usr/lbin/getprpw -m lockout jcaplett
lockout=0000000

Re: can't change an expired password account

A. Clay Stephenson — Mon, 19 Nov 2007 12:10:51 GMT

Ok, do this:

/usr/lbin/getprpw user

and then cat /tcb/files/auth/system/default.

You may have a system-wide default that is killing you.

Re: can't change an expired password account

Jonathan Caplette_1 — Mon, 19 Nov 2007 13:04:23 GMT

Here it is...

# /usr/lbin/getprpw jcaplett
uid=109, bootpw=NO, audid=21, audflg=1, mintm=2, maxpwln=-1, exptm=45, lftm=90, spwchg=Wed Dec 31 19:00:00 1969, upwchg=Mon Nov 19 10:47:26 2007, acctexp=-1, llog=90, expwarn=14, usrpick=DFT, syspnpw=NO, rstrpw=YES, nullpw=DFT, admnum=-1, syschpw=NO, sysltpw=DFT, timeod=-1, slogint=Mon Nov 19 10:46:51 2007, ulogint=Mon Nov 19 10:47:26 2007, sloginy=console, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000

# cat /tcb/files/auth/system/default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#15:u_exp#0:u_life#0:\
:u_llogin#0:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#3:\
:u_lock:\
:t_logdelay#2:t_maxtries#3:t_login_timeout#60:\
:chkent:

Re: can't change an expired password account

A. Clay Stephenson — Mon, 19 Nov 2007 13:34:02 GMT

Note this entry:

spwchg=Wed Dec 31 19:00:00 1969

When adjusted for your timesone that is 1-Jan-1970 00:00:00 UTC (the zero epoch second) and it means change the password at the first login. In effect, passwd -f has been run on all users. There is no facility in modprpw to set the spwchg field (time of last sucessfull password change) although the putprpwnam() function can be used to set it or you could write some Perl, sed, or awk to edit the /tcb entry for each user to substitute a more recent password change timestamp.

Re: can't change an expired password account

Jonathan Caplette_1 — Mon, 19 Nov 2007 13:42:02 GMT

OK I see...

Is this happened only on users that have there password expired?

And will this happen evrey time change that we have? Last time change have been done on November 4th 2007..

Jonathan

Re: can't change an expired password account

A. Clay Stephenson — Mon, 19 Nov 2007 16:07:56 GMT

No time changes have nothing to do with this. The /tcb database stores all times in epoch seconds which are timezone insensitive. I suspect this happened as a side-effect of converting your system to Trusted or you ran a script which did a passwd -f for all users.

Re: can't change an expired password account

Jonathan Caplette_1 — Tue, 20 Nov 2007 14:15:38 GMT

Unfortunaly I'm not a Perl expert... Any way I can change that value without using perl?

Re: can't change an expired password account

A. Clay Stephenson — Tue, 20 Nov 2007 15:31:29 GMT

Notice a gave you a C/C++, Perl, sed, or awk option so I can probably surmise that you aren't an expert in any of those as well.

The attached, UNTESTED shell script should work. The step that copies the temporary file back to the tcb file is intentionally commented out. Uncomment it after you are satisfied.

Before doing anything else be logged in as root in at least two sessions so that you can get yourself out of trouble almost as fast as you got yourself in.

Next:
cd /
find ./tcb -print | cpio -ocv > /aaa/bbb/tcb.cpio # a backup of the tcb database

To run the script, simply "fixit.sh". It will look for all UID's >= 101 and then edit each tcb file saving it to a temporary file. When uncommented the temporary file is copied to the original for each user with a current timestamp.

Re: can't change an expired password account

Jonathan Caplette_1 — Tue, 20 Nov 2007 16:16:02 GMT

Thanks it work fine...

I now have to look why that date have been changed...

regards
Jonathan

now closing this tread

Re: can't change an expired password account

Jonathan Caplette_1 — Tue, 20 Nov 2007 16:30:58 GMT

closed

Re: can't change an expired password account

F Verschuren — Wed, 28 Nov 2007 16:52:34 GMT

changing spwchg can be done by:
/usr/lbin/modprpw -v [username]