Operating System - HP-UX

Re: re: logins & passwords

 
Gurcharan Sahota_2
Frequent Advisor

re: logins & passwords

Is it possible using modprpw/passwd to set a number of logins (10 in total) to the same password without having to go into SAM and set them manually? (I only ask as I need to set them across 10 different servers.)
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: re: logins & passwords

Who uses SAM for this? That is for wimps. The passwd command is the only command-line utility for this but it will not do what you want on its own. It would have to be coupled to the expect command (available from any of the HP-UX Porting and Archive Centres) to do this task. Moreover, to do this from a single place, you would have to use remsh or ssh to invoke the commands remotely on each server --- or use rdist to push the /tcb/files/auth files from one master server to the others.

I have a custom program that uses the getprpwnam() and putprpwnam() functions to set this and can read the plaintext passwords from stdin and set them --- but I will not share that utility. It's not difficult to do, however.

Your real problem lies in the "as I need to set them across 10 different servers". You need to implement a solution that will allow you to make the changes in one place and have them take effect everywhere. Can you say LDAP? (or NIS if security is not a huge concern)
If it ain't broke, I can fix that.
Bill Hassell
Honored Contributor

Re: re: logins & passwords

modprpw can't change the password, only some features and limits on the current password. The passwd program is purposely non-batch to discourage plain-text passwords on command lines. The expect code will help automate sending of passwd answers, but the easiest method is to use the undocumented usermod.sam command. The syntax is:

/usr/sam/lbin/usermod.sam -p $ENCRYPTEDPW $USERNAME

where $ENCRYPTED is the encrypted password (*NOT* the plain-text password) and $USER is the user ID. There is no simple method to create the encrypted passwd so I have attached a very simple program to take a (8 character maximum) password and return the encrypted version, suitable for usermod.sam -p.

Now a 'feature' of the usermod.sam program (which is located in the undocumented section of /usr) is that the -p option will immediately expire the user's account, so you'll need to reset the expiration. You can use modprpw (Trusted systems only) or just use passwd (all systems):

passwd -x $MAXPW -n $MINPW $USERNAME

Set MAXPW=days for the password to live before expiring, MINPW=days to elapse before another password change is allowed.

NOTE: the /usr/lbin directory contains 'backend' programs, those which are supported and documented. This means that the programs may change at any time (and may disappear in a future release). So use with the precaution that moduser.sam may not be around in the near future.


Bill Hassell, sysadmin
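
The two commands from the reply above, wrapped for several accounts on several servers. This is an added example, not code from the thread and not the attached program. The function names, the one-name-per-line user and host files, and root ssh access to each server are assumptions, and the hash shown is a constructed placeholder.

```shell
#!/bin/sh
# Added example. File layout, function names and root ssh access are assumptions.

# A crypt(3) DES hash is exactly 13 characters from [A-Za-z0-9./]; rejecting
# anything else stops a plain-text password from being passed to -p by mistake.
is_des_hash() {
    [ "${#1}" -eq 13 ] || return 1
    case $1 in *[!A-Za-z0-9./]*) return 1 ;; esac
}

# Restrict login names so nothing in them can be read as an option or as
# shell syntax by the remote shell.
is_safe_user() {
    case $1 in ''|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Print the command for one account: set the hash, then reset the aging
# values because usermod.sam -p expires the account.
remote_cmd() {  # args: user hash maxpw minpw
    is_safe_user "$1" && is_des_hash "$2" || return 1
    for n in "$3" "$4"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    printf '/usr/sam/lbin/usermod.sam -p %s %s && passwd -x %s -n %s %s\n' \
        "$2" "$1" "$3" "$4" "$1"
}

# Dry run unless APPLY=1. ssh -n keeps ssh from consuming the user list on stdin.
push_password() {  # args: hash maxpw minpw userfile hostfile
    while read -r host; do
        while read -r user; do
            cmd=$(remote_cmd "$user" "$1" "$2" "$3") || {
                echo "skipped: $host $user" >&2; continue; }
            if [ "${APPLY:-0}" = 1 ]; then
                ssh -n "root@$host" "$cmd" || echo "FAILED: $host $user" >&2
            else
                echo "[dry-run] $host: $cmd"
            fi
        done < "$4"
    done < "$5"
}

# Example: ./pushpw.sh 'XXabcdefghijk' 90 7 users.txt hosts.txt   (constructed hash)
if [ "$#" -eq 5 ]; then push_password "$@"; fi
```

The hash is still passed as a command argument on each server, where it is visible in the process list while the command runs, so handle it as a secret.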