topic Re: Sam "pasword aging" and Trusted default password aging setting in Operating System - HP-UX

Sam "pasword aging" and Trusted default password aging setting

frank jordan_1 — Mon, 17 Jul 2006 13:20:46 GMT

Hello,
My questions is why when creating an new user account thru SAM on a trusted system, the /tcb/files/auth/system/default setting are not applied to the newly created user. The user values are all "-1" see below;
upwchg=-1, acctexp=-1, llog=-1, expwarn=-1,

Re: Sam "pasword aging" and Trusted default password aging setting

A. Clay Stephenson — Mon, 17 Jul 2006 13:43:22 GMT

Because you are reading something into the values that is not there. When the users' personal values are left undefined then the system default values are used. If you look at the underlying getprpwent() - see the man page -- you will find that the user's values and the system-wide value are retrieved for each user and there are flags to indicate whether the user's value or the system-wide value is in use for any given field. Man modprpw and look under the -m option.

Re: Sam "pasword aging" and Trusted default password aging setting

Steven E. Protter — Mon, 17 Jul 2006 13:55:02 GMT

Shalom,

Okay you are using sam to create users. I don't agree with the approach, but it is your system.

Default settings are right in the same section of sam.

You set them to what you want in the gui.

right now the settings you display show no expiration warning, pretty much no optional settings.

Password aging was set by default on my 11.11 systems in the US to 90 days.

This you control however with the global or systems setting on sam.

You can set defaults and password complexity in the /etc/defaults/security section of your system.

SEP

Re: Sam "pasword aging" and Trusted default password aging setting

frank jordan_1 — Mon, 17 Jul 2006 15:15:25 GMT

The Sam values are the same as the Trusted system values. What I do not understand is, why when listing the user login values by
(getprpw "username") the values listed are not the same as the Trusted system values and or the SAM values. Also, the Trusted or Sam system defaults value are not enforced by the system. Example; expwarm default value is (5 days) and there are no advance warnings of password expiration. The only operation to apply the values is in SAM menu "Modify Security Policies" and changing the "password aging policy" from "Default (enable)" to "enable". Only then the vaules are listed for the user
Thanks

Thanks

Re: Sam "pasword aging" and Trusted default password aging setting

Darren Prior — Tue, 18 Jul 2006 03:55:32 GMT

Hi Frank,

getprpw is a command designed for use within SAM - it's only relatively recently that it has been documented for public use. The values that it returns are the user's values, so SAM would also check for the system defaults and determine if they should also be applied.

If you edit the Security Policies within SAM for a particular user you are overriding the default, hence it will appear in the user's tcb file which is what getprpw is reading.

How are you testing the expwarn settings?

regards,

Darren.

Re: Sam "pasword aging" and Trusted default password aging setting

IT Response — Fri, 20 Apr 2007 11:17:02 GMT

same issue, SAM is not inheriting the u_life and expiration for password from the default file.
running 11.23
example:
/usr/lbin/getprpw sancho
uid=109, bootpw=NO, audid=35, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, spwchg=-1, upwchg=-1, acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Fri Apr 20 12:04:09 2007, ulogint=-1, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000001

although the default file is:
more /tcb/files/auth/system/default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:

and that is creating the account using useradd not SAM