topic Re: User Password in Operating System - HP-UX

User Password

Raghuram Ollakal_1 — Wed, 11 Sep 2002 13:40:39 GMT

I would like to know whether there is a way, that user can???t change the password. We have a general user ID for a group of users using, recently when one user login it prompted it is time to change the password, so the user went ahead and change the password, but never bother to let other user regarding the password change. So we are trying to find a way to avoid this happening again.

Re: User Password

Rodney Hills — Wed, 11 Sep 2002 13:42:41 GMT

You could change the permissions on /usr/bin/passwd so that only root can execute it.

chmod 700 /usr/bin/passwd

Then nobody can execute it.

-- Rod Hills

Re: User Password

S.K. Chan — Wed, 11 Sep 2002 13:47:18 GMT

Typically it that scenario you would not want to age the password. If you age it, when it expire the user will be prompted to change the password. This "shared" account (I would call it) can be handled separately. For example the password will only be changed once every 6 months by a system administrator and get communicated to everyone. Another way is to restrict the "passwd" command or write a wrapper script around the "passwd" command to allow only certain user to execute it.

Re: User Password

harry d brown jr — Wed, 11 Sep 2002 13:47:53 GMT

You sure must have auditors that don't have a clue. I wonder if we could hire them?

Why not just remove the password and set it so that it never expires?

live free or die
harry

Re: User Password

MANOJ SRIVASTAVA — Wed, 11 Sep 2002 13:49:29 GMT

it depends on the enviornmet

changinf the permission is good , however if you want you can leave the onus on the user to change the same , incase there is a mess up you can alwasy logina as a superuser and modify it.That is how we handle in our env.

Manoj Srivastava

Re: User Password

Jeff Schussele — Wed, 11 Sep 2002 13:50:17 GMT

Hi Raghuram,

One thing you can do is turn off PW aging for that account:

sam -> users -> (highlight account) -> Actions -> Modify Security Policies -> Password Aging Policies -> set Paswword Aging = Disabled

HTH,
Jeff

Re: User Password

Tom Maloy — Wed, 11 Sep 2002 13:51:02 GMT

If only root can run passwd, that will limit the ability of other users to update their passwords.

Two other possible options:
1) get rid of the group login - bad from a security point of view, anyway.
2) control this with a process. Set the password to expire every 45 days or so. Then designate ONE person who will change the password on the first business day of each month, and who will notify the other folks of the change.

Personally, I'd get rid of the group login if possible.

Tom

Re: User Password

Helen French — Wed, 11 Sep 2002 13:52:00 GMT

Check the password aging policy on the system and for that specific UID. You can make it to 'password never expires' or disable the password aging and will no longer ask for a password change. This command will disable a password aging:

# passwd -n 0 -x 0 username

Here, it will ask for the new password on the next login and will never ask again. Another way is to manually edit the /etc/passwd file and delete the password aging characters from the 'passwd' entry. This will be seperated by a comma (,) after the encrypted passwd. You can use vipw for editing the file.