topic Re: Disable users changing their password in Operating System - HP-UX

Disable users changing their password

Mark Daintree — Mon, 21 May 2001 10:51:57 GMT

I want to set up a user that does not
have the ability to change their own
password. I have tried this via sam
with the 'Allow only Super-User to
change password'. This only expires it
and once changed reverts back to
the 'Normal Behaviour' option.
P.S. I'm on HP-UX 11.

Re: Disable users changing their password

Alexander M. Ermes — Mon, 21 May 2001 11:39:36 GMT

Hi there.
In the SAM / Users&groups / users / modify user
there is a dropdown menu 'modify password options' for password behaviour. There you will find the option
'Password change only by superuser'.
Rgds
Alexander M. Ermes

Re: Disable users changing their password

Stefan Farrelly — Mon, 21 May 2001 11:49:14 GMT

On a trusted system use the command;

modprpw -m mintim=

If you set it to say 52 weeks they wont be allowed to change their passwords for a year, then you can simply reset it to another year...

Re: Disable users changing their password

Mark Daintree — Mon, 21 May 2001 11:49:29 GMT

Thanks but as I originally stated this has the effect of 'password expired' when the user next connects.

Is there a way to control the passwd file?

Re: Disable users changing their password

Brian Hackley — Mon, 21 May 2001 11:52:57 GMT

Alister,
One thing I tought of would be for your
to create a wrapper script around the passwd binary (/bin/passwd, /usr/bin/passwd), which would check against the user (e.g. $LOGNAME). If the user matches, set exit status appropriatly. If the user is not a match (e.g permitted), then call /usr/bin/passwd.real to change the user password. I have not tried this but this is just a thought that sprang to mind. Example hack lies below.
Regards,
-> Brian Hackley

#!/sbin/sh
# set -x
# Remember permissions and owner for this wrapper must match the original file.
# Copyright 2001 Hewlett-Packard Co.

if [ $LOGNAME = "charlie ]
then
exit -1
else
/usr/bin/passwd.real $*
exit $?
fi
# End of wrapper

Re: Disable users changing their password

Mark Daintree — Mon, 21 May 2001 12:59:41 GMT

I'm not on a trusted system. I did try
passwd -n 441 username
but when I tried to reconnect as the use the password was expired.

Re: Disable users changing their password

Stefan Farrelly — Mon, 21 May 2001 14:36:42 GMT

The sort of functionality you want you really need to be running a trusted system. If not, then you will need a wrapper script as Brian suggested earlier.

Re: Disable users changing their password

KapilRaj — Tue, 22 May 2001 10:39:25 GMT

hi ,

i hv a solution for u. Keep in mind that this solution prevents all the users except superusers from changing their / other's password.

#cp /usr/bin/passwd /usr/bin/passwd.backup

( Backing up old passwd command for safety)

#chmod u-s /usr/bin/passwd

(Removes SUID so that only super user can modify /etc/passwd so their passwords)

Hope this helps you.......

Kaps

Re: Disable users changing their password

Bruce Regittko_1 — Tue, 22 May 2001 18:50:10 GMT

Hi,

I believe that if you set password aging on the account so that the minimum time is greater than the maximum time, then the user will not be able to change their password:

passwd -x 0 -n 7 forgetful

should do the trick for user "forgetful". See the passwd(1) man page for more information.

--Bruce

--Bruce

Re: Disable users changing their password

Mark Daintree — Wed, 23 May 2001 06:30:33 GMT

I tried the passwd -x 0 -n 1 option which had the effect of expiring the password for the user again.

Within sam I set these values to 62 and 63 respectively which means the password will expire after 62 weeks but cannot be changed.
Using sam did not have the effect to expire my password. Very odd.

This looks to be the best workaround. It means every 62 weeks I must remember to change the password.

Thanks for the contribution guys.