topic Re: Unknown password characters in Operating System - HP-UX

Unknown password characters

John Patrick_2 — Mon, 01 Aug 2005 11:09:24 GMT

I am looking for some guidance regarding encrypted passwords on an HP-UX Unix system. In an /etc/passwd file, does the character combination “,..” represent a disabling password much like “*” or is it a default? This password occurs numerous times in the passwd file, mainly for non-system logins.

An example entry would be:

uuser:,..:376:20:Anon User:/users/uuser:/usr/bin/ksh

Any help would be much appreciated. Thanks.

Re: Unknown password characters

John Patrick_2 — Mon, 01 Aug 2005 11:11:13 GMT

Sorry, is a formatting error.

The encrypted password I'm looking at is: ,..

Re: Unknown password characters

RAC_1 — Mon, 01 Aug 2005 11:20:48 GMT

passwd -s "user_name"
or
passwd -a

Should give you details about if account is locked or not. No need to look at what encrypted password look like.

In trusted environment, in addition to above commands, you can also use getprpw -m lockout "user_name" Read man pages for details.

Anil

Re: Unknown password characters

Mel Burslan — Mon, 01 Aug 2005 11:21:07 GMT

,.. in the encrypted password field means that the user, when logs in the first time, is not required to enter a password but should pick a new password upon first login.

And it worked for untrusted systems but when I tried it on trusted system, it does not seem to work. To have the same effect on trusted systems, password should be blanked out toatlly.

Hope this helps

Re: Unknown password characters

DCE — Mon, 01 Aug 2005 11:27:22 GMT

the ,.. is for password aging. It represents the number of days left before the password expires

Re: Unknown password characters

Steven E. Protter — Mon, 01 Aug 2005 11:27:24 GMT

passwd -sa provides a complete report.

pwck

# checks the passwd file

grpck

# checks the group file

Some errors for the Samba user are okay.

SEP

Re: Unknown password characters

A. Clay Stephenson — Mon, 01 Aug 2005 12:03:55 GMT

Actually, any passwd hash that is not exactly 13 characters long or 0 chars long in the case of the null password is invalid. By convention, the '*' (asterisk) is used to lock an account on untrusted systems but any other non-13 character hash would also serve to lock the account on an untrusted system.

Re: Unknown password characters

generic_1 — Mon, 01 Aug 2005 12:10:38 GMT

You may want to consider going to trusted. It is more secure. It will give you more controll over your accounts as well.

The encrypted password is kept in /tcb/files/auth/r/root for root example

/usr/lbin/getprpw root
would show if root is locked by alooking at the alock= field anything but all 0s is locked. Each digin represents a place holder for why the account was locked which is pretty cool too.

Re: Unknown password characters

Bill Hassell — Mon, 01 Aug 2005 17:28:02 GMT

AS mentioned, the password field contents very much depend on whether you have a standard, a Trusted, or a shadow password system. Starting with a standard system, the comma , means beginning of password aging. The two periods .. as the only characters represents immediate expiration. SO if the passwd file has this:

billh:,..:100:20:Bill Hassell,IT Dept,x148...

Then when I login as billh, no password is required (there is nothing in front of the comma) and the login program will ask me to pick a new password.

If there is anything in front of the comma, it must be exactly 13 characters. Anything less and *NO* password will match that string, this the account is unusable. By convention, a * is often used to 'lock' an account although it just means you can't login ever, until a valid encrypted password string is put in front of the comma.

And note that the comma is optional. If present, the characters following the comma are defined in the man page for passwd(4) (hint: man 4 passwd). These 4 characters define the expiration and renewal days.

Now forget all of that for a Trusted system. The passwd file will have 100% * characters in every account and the password aging is now stored in the TCB database.