Operating System - HP-UX
Allow Only Super-User To Change Password

RogerVI
Regular Advisor

I want to set up users so that they do not have the ability to change their own passwords. I do this via sam with the 'Allow only Super-User to change password' option.
But when I change the password with the command "passwd user", it reverts back to the 'Normal Behaviour' option.

I'm on HP-UX 11.11. My system is not trusted.

Thanks in advance
Roger
OldSchool
Honored Contributor

Re: Allow Only Super-User To Change Password

see this post:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1314064

Why would you want to do such a thing? Not only does it cause a security breach, it makes more work for somebody.
Dennis Handly
Acclaimed Contributor
Solution

Re: Allow Only Super-User To Change Password

>when I change the password with the command "passwd user", it reverts back to the 'Normal Behaviour' option.

You can "fix" this by using vipw(1m) by adding ",./" to the end of the passwd field. I have no idea why there isn't an option in passwd(1) to do that.

RogerVI
Regular Advisor

Re: Allow Only Super-User To Change Password

Dear Dennis:

Could you help me how to add those characters using a script ?

This is because I must make the change for multiple users, and periodically.
Roger
Dennis Handly
Acclaimed Contributor

Re: Allow Only Super-User To Change Password

Unfortunately while sam will modify the password options, it doesn't remember superuser only when you change the password.

>Could you help me how to add those characters using a script?

This would be very dangerous if anything goes wrong. Do you want to add them to any entry in /etc/passwd, or to all but certain ones?
awk -F: '
BEGIN { OFS = ":" }
{
    password = $2
    # skip root, the NIS "+" entry, locked accounts ("*") and entries
    # that already carry an aging field (anything after a comma)
    if ($1 != "root" && $1 != "+" &&
        password != "*" && index(password, ",") == 0) {
        password = password ",./"
    }
    print $1, password, $3, $4, $5, $6, $7
}' /etc/passwd > passwd.new
RogerVI
Regular Advisor

Re: Allow Only Super-User To Change Password

The /etc/passwd file has approx. 800 lines.
I need to add the characters ",./" to the accounts based on a file. For example, if this file is called accounts.txt (approx. 20 lines):

user1
user2
..
user20

Then I want to add the characters to accounts user1, user2,..user20.
Roger
Dennis Handly
Acclaimed Contributor

Re: Allow Only Super-User To Change Password

>I need to add the characters ",./" to the accounts based on a file

Assuming the name is user_file:
awk -F: -v users=user_file '
BEGIN {
    # read the list of account names once; getline must be parenthesised,
    # otherwise "getline < users > 0" is ambiguous to awk
    while ((getline < users) > 0)
        name[$0] = 1 # save for checking
    close(users)
    OFS = ":"
}
{
    password = $2
    # only listed accounts; still skip root, "+", locked and already-aged entries
    if ($1 != "root" && $1 != "+" &&
        password != "*" && index(password, ",") == 0 && name[$1]) {
        password = password ",./"
    }
    print $1, password, $3, $4, $5, $6, $7
}' /etc/passwd > passwd.new
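An added example, not Dennis's script or anything posted in the thread, that covers Roger's per-account-list requirement with the checks an administrator would want before installing the result. It assumes a 7-field, non-trusted /etc/passwd, an allowlist file with one account name per line ("#" comments allowed), and that awk and mktemp -d are available; the sample entries and hash strings are constructed placeholders. In the passwd(4) aging encoding "." is 0 weeks and "/" is 1 week, so the ",./" suffix sets a maximum age below the minimum, which is what makes the entry changeable only by the superuser. The script never touches /etc/passwd: it writes a new file, then verifies that only the password field of listed accounts changed and that root, locked entries and entries that already carry an aging field were left alone.

```shell
#!/bin/sh
# Example, not part of the original thread. Assumes HP-UX-style 7-field
# passwd entries; awk and mktemp -d are assumed to be available.

# add_superuser_only PASSWD_FILE USER_FILE > NEW_FILE
# Appends ",./" to the password field of every account named in USER_FILE,
# except root, the NIS "+" entry, locked ("*") entries and entries that
# already have an aging field.
add_superuser_only() {
    awk -F: -v users="$2" '
    BEGIN {
        OFS = ":"
        # Load the allowlist once; blank lines and "#" comments are ignored.
        while ((getline line < users) > 0) {
            sub(/#.*/, "", line)
            gsub(/[ \t]/, "", line)
            if (line != "") want[line] = 1
        }
        close(users)
    }
    # Anything that is not a 7-field entry is copied through untouched.
    NF != 7 { print; next }
    {
        pw = $2
        if ($1 != "root" && $1 != "+" && ($1 in want) &&
            pw != "*" && index(pw, ",") == 0)
            pw = pw ",./"
        print $1, pw, $3, $4, $5, $6, $7
    }' "$1"
}

# check_only_password_changed OLD NEW
# Exits 0 only if every line of NEW matches OLD in all fields except the
# password field and the line count is unchanged.
check_only_password_changed() {
    awk -F: '
    BEGIN { bad = 0; old_n = 0; new_n = 0 }
    # First pass (OLD): remember every field except the password.
    FNR == NR { keep[FNR] = $1 ":" $3 ":" $4 ":" $5 ":" $6 ":" $7; old_n = FNR; next }
    # Second pass (NEW): those fields must match line for line.
    {
        new_n = FNR
        if (keep[FNR] != $1 ":" $3 ":" $4 ":" $5 ":" $6 ":" $7) {
            print "line " FNR " changed outside the password field"
            bad = 1
        }
    }
    END {
        if (old_n != new_n) { print "line count changed"; bad = 1 }
        exit bad
    }' "$1" "$2"
}

# flagged_users FILE: names of accounts whose entry now carries ",./"
flagged_users() {
    awk -F: 'index($2, ",./") { print $1 }' "$1"
}

# --- constructed sample data (placeholders, not real hashes or accounts) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:xyzABCdefGHI.:0:3:root:/:/sbin/sh
user1:abcDEFghiJKL.:101:20:App account 1:/home/user1:/usr/bin/sh
user2:*:102:20:Locked account:/home/user2:/usr/bin/sh
user3:mnoPQRstuVWX.,A/:103:20:Already aged:/home/user3:/usr/bin/sh
user4:yzaBCDefgHIJ.:104:20:Not in list:/home/user4:/usr/bin/sh
+::::::
EOF
printf 'user1\nuser2\nuser3\nroot   # listed, but root is always skipped\n' > "$demo_dir/users"

add_superuser_only "$demo_dir/passwd" "$demo_dir/users" > "$demo_dir/passwd.new"
if check_only_password_changed "$demo_dir/passwd" "$demo_dir/passwd.new"; then
    echo "accounts now changeable only by the superuser:"
    flagged_users "$demo_dir/passwd.new"   # prints: user1
fi
```

Run against a copy of the real file, diff passwd.new against the original, and only then install it through vipw or whatever procedure the site already uses for password-file changes; the check function is there so a malformed allowlist or an unexpected entry layout shows up before anything is installed.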
Patrick Wallek
Honored Contributor

Re: Allow Only Super-User To Change Password

I'm with OldSchool here. I'm still thoroughly confused as to why you don't want your users to change their own passwords, especially with 800+ accounts.

Are you trying to justify your job?
VK2COT
Honored Contributor

Re: Allow Only Super-User To Change Password

Hello,

A friend of mine worked for a major bank here in Australia last year. She told me that one of the world's largest outsourcing companies charged the bank around 400 Australian dollars for every password reset :)

Nice and easy money. And "very hard earned".

Cheers,

VK2COT

VK2COT - Dusan Baljevic
RogerVI
Regular Advisor

Re: Allow Only Super-User To Change Password

I have a proprietary security platform, in which the validation is that the password of the Unix system should be equal to the password of the proprietary security platform.
Actually, users (he or she) don't log on to Unix. The connection is made by applications, not directly by users. These users have access to certain parts of the applications according to their job nature and are logged in with a personal account.
For audit reasons, the Unix password must be changed periodically, and only the superuser should be able to do it.
Dennis, Thank you very much for your help.
Roger