topic Re: Password aging in NIS in Operating System - HP-UX

Password aging in NIS

MarkSyder — Wed, 02 Mar 2005 10:26:00 GMT

Hi everybody.

I have been asked to set up password aging on our NIS system: minimum 1 day, maximum 60.

I've had a look at the manual pages and this seems easy to do on a stand-alone system using passwd, but there doesn't seem to be a similar facility for yppasswd.

The instructions I inherited tell me to insert 43 into the user's entry in the passwd file to set aging, but does this set the aging to what I want?

I also need to set the system to lock users out if they don't log in within the 60 day limit or after 6 unsuccessful password attempts.

Assistance will be rewarded with points.

Mark Syder (like the drink but spelt different)

Re: Password aging in NIS

Pete Randall — Wed, 02 Mar 2005 10:30:49 GMT

Mark,

The passwd command will interact with your NIS system (see man passwd). From the EXAMPLES section:

"Modify the minimum time between password changes of user1 to 7 days in the nisplus repository:

passwd -r nisplus -n 7 user1"

Pete

Re: Password aging in NIS

MarkSyder — Wed, 02 Mar 2005 10:38:37 GMT

passwd: illegal option -- r

Patching out of date? Or OS out of date (HP-UX 10.20)?

Mark

PS - thanks for the quick response!

Re: Password aging in NIS

Shannon Petry — Wed, 02 Mar 2005 10:38:41 GMT

The simple answer is that you can not do this(er.. all of what you are looking to do). NIS supports standard passwd mapping.

Standard passwd will support basic aging. What is not supported is account locking for unsuccessfull login attempts.

If you read the man pages for passwd, you can easily find out how to set up the aging context in passwd. You do not necessarily need to insert anything into a passwd file, the passwd command run on the server will handle the edits for you.

If your requirements can be satisfied with only the aging aspect, you should have no problem.

Locks on attempts are not supported in an NIS environment, because the client does not report to the server. (there is no reporting built into NIS).

NIS maps are shared, so the client reads the hash from the passwd map, and compares that locally to a hash created at login attempts.

If you need the locking ability, you have to look at a completely different authentication system. There are only 2 common systems for authentication that support reporting. Those would be NIS+ and LDAP.

I have similar requirements to yours, and have opted to use LDAP (and have been for 9 months).

Hope this helps.
Sincerely,
Shannon

Re: Password aging in NIS

A. Clay Stephenson — Wed, 02 Mar 2005 10:39:21 GMT

You will need to run this command on the NIS master:

passwd -x 60 -n 1 user.

I would do a ypcat passwd | awk -F ':' '{if (($3 + 0) >= 101) print $1}' | while read USER
do
passwd -x 60 -n 1 ${USER}
done

Now for the bad news. Under NIS you can't really set min to 1 day or max to 60 days because the granularity is one week. Your 1 day will be rounded up to 1 week (beginning each Thursday because 1-Jan-1970 was a Thursday) and your 60 days will be rounded up to 9 weeks.

Unless you write a custom login (which is the way I've done it under NIS in the past -- along with a custom yppasswd) your needs to lock out users can't be done. The NIS maps don't carry that data.

You need to look at either NIS+ (which will work with Trusted systems) or LDAP. LDAP is the better choice because NIS+ is going away.

Re: Password aging in NIS

A. Clay Stephenson — Wed, 02 Mar 2005 10:42:17 GMT

I forgot to say that after you run the poasswd comand on the NIS master, you then need to:
cd /var/yp
make

That will update/push the NIS maps.

Re: Password aging in NIS

MarkSyder — Wed, 02 Mar 2005 10:45:23 GMT

On the NIS server:

passwd -n 1 -x 60 mark

where mark is a test user I set up so I could experiment before doing this to a "real" user.

Error message: mark not in local password file

But I know this - I want to amend mark in the NIS password file!

Mark

Re: Password aging in NIS

john kingsley — Wed, 02 Mar 2005 11:47:43 GMT

I've configured password aging by hand. You can do this by editing the passwd file on the NIS master. Password aging information is added to the password hash:

user1:--hash---,abCC:uid:gid:....etc

A comma separates the encrypted password from the password aging information. The first character after the comma sets the number of weeks for which the password is valid. The second character after the comma is used to set the minimum number of weeks which much pass before the password can be changed. The last two characters after the comma define the number of weeks since the password was last changed. The weeks are counted from the beginning of 1970. The only thing tricky is that this data is specified using Base-64. So, valid characters are:
. = 0
/ = 1
0-9 = 2-11
A-Z = 12-37
a-z = 38-63

To test this, create an account:
user1:--hash---,7/eQ:uid:gid:....etc

This will set passwd aging for user1 to:
max password life(7)=63 days (9 weeks)
min password life(/)=7 days (1 week)
and password was last changed (eQ) Feb-24-2005.
You can verify this by running:
logins -x -l user1

With HPUX, aging can only be specified by weeks. So, you can't set the min life to 1 day. You would have to specify 0-days (0-weeks) or 7 days (1-week).

Re: Password aging in NIS

A. Clay Stephenson — Wed, 02 Mar 2005 11:56:39 GMT

Typically /etc/passwd is used as the source file for the NIS passwd map. In your case, they are different. Depending on your OS version, you can use a passwd -F file option to identify the alternate passwd file and then do a ypmake to update/push the maps.

Re: Password aging in NIS

MarkSyder — Fri, 11 Mar 2005 07:26:48 GMT

Excellent solution John - thanks. And thanks to everyone else for their suggestions.

Mark