topic Re: Disable password aging. in Operating System - HP-UX

Disable password aging.

Sam Lalonde — Thu, 08 May 2003 15:29:32 GMT

Is there a way (outside of sam) to disable password aging. I want no longer want this account to have password aging policies. This is not a trusted system.

Re: Disable password aging.

Stefan Farrelly — Thu, 08 May 2003 15:51:35 GMT

passwd -x

where max is the number of days before it is expired. Set to the largest value allowed; 441

Re: Disable password aging.

Ron Jobke_1 — Thu, 08 May 2003 15:55:28 GMT

You can disable password aging for single accounts by editing /etc/passwd and removing from the comma and character between the next ":" in the password field. (jdoe:XXXXX:,Y:) In this case remove ",Y".

Re: Disable password aging.

S.K. Chan — Thu, 08 May 2003 15:58:08 GMT

You can also edit the password file and remove the characters the define the password aging period in the encrypted password field.
# vipw
..to edit the password file.
Example ..
skchan:djfghsDipBwQA,O28P: ..
would become
skchan:djfghsDipBwQA: ...

Re: Disable password aging.

Sam Lalonde — Thu, 08 May 2003 16:27:40 GMT

I have 20 accounts on each of 40 servers. I was looking for a way to do it on the command line so I can script something.

Re: Disable password aging.

Uday_S_Ankolekar — Thu, 08 May 2003 16:50:39 GMT

#passwd -n 0 -x 0 username This can be done on a non-trusted system

-USA..

Re: Disable password aging.

Uday_S_Ankolekar — Thu, 08 May 2003 16:52:45 GMT

I hit submit too fast..
The above method force user to change his password during next login.

If this is not OK then use the method given Chan by editing /etc/passwd file

Re: Disable password aging.

John Meissner — Thu, 08 May 2003 17:24:03 GMT

this script should point you in the right direction:

#! /usr/bin/ksh
cat /etc/passwd |
while read line
do
echo $line | sed 's/,?*:/:/g' >> passwd.new
done

#end of script

now after you have finished this you could just copy the passwd.new into /etc/passwd
NOTE: you may wish to backup the /etc/passwd file prior to overwritting it.

Re: Disable password aging.

A. Clay Stephenson — Thu, 08 May 2003 17:26:11 GMT

This should do it for you:

#!/usr/bin/sh

TDIR=${TMPDIR:-/var/tmp}
PID=${$}
A1=${TDIR}/A${PID}_1.awk

INFILE=/etc/passwd

cat << !EOF! > ${A1}
{
n = split(\$0,aray,":")
if (n >= 2)
{
n2 = split(aray[2],bray,",");
if (n2 > 1) aray[2] = bray[1]
i = 1
while (i < n)
{
printf("%s:",aray[i])
++i
}
printf("%s\n",aray[i])
}
else printf("%s\n",\$0)
}

!EOF!

awk -f ${A1} < ${INFILE}
STAT=${?}
rm -f ${A1}
exit ${STAT}

----------------------------

It will read /etc/passwd and write the updated version on stdout. You can them copy the updated version to /etc/passwd. If you are running NIS, then change the input from awk < ${INFILE} to ypcat passwd | awk.

Anytime you do something like this, I suggest that 1) you make a backup copy of /etc/passwd 2) you are logged in as root in two sessions.

If you follow these rules, you can always get yourself out of trouble almost as fast as you got yourself in.

Re: Disable password aging.

John Meissner — Thu, 08 May 2003 17:31:45 GMT

Clay - you always find a more complicated (but probably better) way do do things :)

Great recommendation about having 2 login sessions.... that way if the one craps out and /etc/passwd is broken the second window is already loged on and able to fix things

Re: Disable password aging.

S.K. Chan — Thu, 08 May 2003 17:32:36 GMT

This should work .. I'm doing this in command line .. you can script this and run it on each server. Assuming you got all the 20 usernames in a file "fileA" in /tmp.
# cd /etc
# cp passwd passwd.org
# for i in `cat /tmp/fileA`
> do
> passwd -x 0 $i
> done
Afetrwards you should see that the first char after the comma should be set to ".", example ..
Before
skchan:XXX,022P:
After
skchan:XXX,.2AP:
Ignore the last 2 chars (ie A and P) because that denotes when the password is last changed. The first 2 chars ( ie . and 2) means represent..
. = 0 weeks (max num of weeks the password is valid)
2 = 4 weeks (min num of weeks that has to pass before the password can be changed). After this change the password should not expire, the first char will remain as "." even though the user change his/her password. Test it first .. I hope I'm not wrong.