General
cancel
Showing results for 
Search instead for 
Did you mean: 

Allow Only Super-User To Change Password

SOLVED
Go to solution
Peternt
Regular Advisor

Allow Only Super-User To Change Password

I want to set up the users that do not have the ability to change their own passwords. I do this via sam with the 'Allow only Super-User to change password'.
But when I change the password with the command "passwd user", it reverts back to the 'Normal Behaviour' option.

I'm on HP-UX 11.11. My system is not trusted

Thanks in advance
Roger
9 REPLIES
OldSchool
Honored Contributor

Re: Allow Only Super-User To Change Password

see this post:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1314064

why would you want to do such a thing? not only does it cause a security breach, it makes more work for somebody.
Dennis Handly
Acclaimed Contributor
Solution

Re: Allow Only Super-User To Change Password

>when I change the password with the command "passwd user", it reverts back to the 'Normal Behaviour' option.

You can "fix" this by using vipw(1m) by adding ",./" to the end of the passwd field. I have no idea why there isn't an option in passwd(1) to do that.

Peternt
Regular Advisor

Re: Allow Only Super-User To Change Password

Dear Dennis:

Could you help me how to add those characters using a script ?

This is due to I must do the change for multiple users and periodically
Roger
Dennis Handly
Acclaimed Contributor

Re: Allow Only Super-User To Change Password

Unfortunately while sam will modify the password options, it doesn't remember superuser only when you change the password.

>Could you help me how to add those characters using a script?

This would be very dangerous if anything goes wrong. Do you want to add them to any entry in /etc/passwd, or to all but certain ones?
awk -F: '
BEGIN { OFS = ":" }
{
password = $2
if ($1 != "root" && $1 != "+" &&
password != "*" && index(password, ",") == 0) {
password = password ",./"
}
print $1, password, $3, $4, $5, $6, $7
} ' /etc/passwd > passwd.new
Peternt
Regular Advisor

Re: Allow Only Super-User To Change Password

The /etc/passwd file has 800 lines aprox.
I need to add the characters ",./" to the accounts based on a file. For example, if this file is called accounts.txt (aprox. 20 lines):

user1
user2
..
user20

Then I want to add the characters to accounts user1, user2,..user20.
Roger
Dennis Handly
Acclaimed Contributor

Re: Allow Only Super-User To Change Password

>I need to add the characters ",./" to the accounts based on a file

Assuming the name is user_file:
awk -F: -vusers=user_file '
BEGIN {
while (getline < users > 0)
name[$0] = 1 # save for checking
close(users)
OFS = ":"
}
{
password = $2
if ($1 != "root" && $1 != "+" &&
password != "*" && index(password, ",") == 0 && name[$1]) {
password = password ",./"
}
print $1, password, $3, $4, $5, $6, $7
} ' /etc/passwd > passwd.new
Patrick Wallek
Honored Contributor

Re: Allow Only Super-User To Change Password

I'm with OldSchool here. I'm still thoroughly confused as to why you don't want your users to change their own passwords, especially with 800+ accounts.

Are you trying to justify your job?
VK2COT
Honored Contributor

Re: Allow Only Super-User To Change Password

Hello,

A friend of mine worked for a major bank here in Australia last year. She told me that one
of the world-largest outsourcing companies
charged bank around 400 Australian dollars for every password reset :)

Nice and easy money. And "very hard earned".

Cheers,

VK2COT

VK2COT - Dusan Baljevic
Peternt
Regular Advisor

Re: Allow Only Super-User To Change Password

I have a proprietary security platform, in which the validation is that the password of Unix system should be equal to the password of the propietary security platform.
Actually, users (he or she) don't log on Unix. The connection is done by applications, not directly by users. These users have access to certains parts of the applications according your job nature and logged with a personal account.
For audit reasons, the Unix password must be changed periodically, and only the superuser should be able to do it
Dennis, Thank you very much for your help.
Roger