New to UNIX

Jarheadatheart
Regular Advisor

New to UNIX

Gurus,
I am clueless when it comes to UNIX, and I just inherited 4 HP-UX 11.11 N4000 servers. Our IA group has determined that passwords for ALL accounts (minus root, sys, etc.) need to be changed every 60 days! The problem is that we use PKI authentication, so the users never even know their password.
My question: Is there a way to automate a randomized password reset for every account on the system every, say, 58 days? With the exception of the system accounts?
James R. Ferguson
Acclaimed Contributor

Re: New to UNIX

Hi:

You can have your account passwords expire by setting the 'PASSWORD_MAXDAYS' in '/etc/default/security'.

You can also set 'PASSWORD_WARNDAYS' to some lesser value to cause a warning of impending expiration upon login.

See the manpages for 'security(4)'.

Regards!

...JRF...
Jarheadatheart
Regular Advisor

Re: New to UNIX

Well James, I know how to set the minimums and whatnot, that is the thing: even if I set it to expire, the users do not have access to change their passwords, as they do not log on via username and password. They don't even know their passwords.... Password authentication is completely turned off. (I can show you that cool little script if you would like.)

We use CAC Cards with a Public/Private key handshake. So passwords are irrelevant from the user perspective.

So, that being said, according to IA, I have to log on as root, and manually change all 400 account passwords on all 4 systems every 60 days..... That will be a pain.
Pete Randall
Outstanding Contributor

Re: New to UNIX

Semper Fi, Jarhead.

I'm going to play really, really dumb here and ask what I believe to be the obvious question here:

If passwords are irrelevant and unused, why do the bean counters want to make rules about them?


Pete
Jarheadatheart
Regular Advisor

Re: New to UNIX

Semper Fi Pete!

I asked the same question.........

I of course got no answer.... and just told to change them anyway every 60 days.
Pete Randall
Outstanding Contributor

Re: New to UNIX

I kind of figured that, but had to ask.

So what you really need (other than a lack of morals so you can lie to them and tell them they're changed every 60 days, just like they asked) is a script that would assign them a new, random password every 58 days?

That sounds relatively straightforward, but my scripting skills will take hours/days to come up with it. I'm sure others around here could provide something. (Still reading, Jim?)


Pete
Fabian Briseño
Esteemed Contributor

Re: New to UNIX

Hello.
Check out the following thread.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=5192


Hope it helps.
Knowledge is power.
Patrick Wallek
Honored Contributor

Re: New to UNIX

I've got some scripts that run that change the password for a couple of different users at regular intervals.

If you are not going to be changing root's password, then the following "master script" should work:

# cat change_users_password
#!/usr/bin/sh

## Change a user's passwd using the /usr/local/bin/autopasswd
## expect script and the /usr/local/bin/mkpasswd shell script.

/usr/local/bin/autopasswd username $(/usr/local/bin/mkpasswd)



# cat /usr/local/bin/autopasswd
#!/usr/local/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd

set password [lindex $argv 1]
spawn /usr/bin/passwd [lindex $argv 0]
expect "assword:"
send "$password\r"
expect "assword:"
send "$password\r"
expect eof

The mkpasswd script is attached.

Note that this requires that Expect and tcl/tk be installed on your server.

The change_users_password script above could easily be modified to loop through a list of users to change all their passwords.

You could also set this up in cron so that it runs every other month on a day of your choosing.

00 05 15 2,4,6,8,10,12 * /some/dir/change_users_password

The above would run at 5:00 AM on the 15th of Feb, April, June, August, October and December.
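One way to do the "loop through a list of users" modification described above, written here as an added example for HP-UX's POSIX sh (it is not Patrick's script or the attached mkpasswd). It assumes the thread's autopasswd wrapper and a mkpasswd that prints one password per call, treats accounts with a UID below 100 as system accounts, skips accounts with a non-login shell, and records the generated passwords in a root-only file instead of mailing them in clear text:

```sh
#!/usr/bin/sh
# change_all_passwords -- added example, not the thread's own script.
# Assumptions: /usr/local/bin/autopasswd (the expect wrapper above) and
# /usr/local/bin/mkpasswd exist; "system account" means UID below 100.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
MIN_UID=${MIN_UID:-100}
EXCLUDE="root sys bin daemon adm lp uucp nobody"   # constructed exclusion list
AUTOPASSWD=${AUTOPASSWD:-/usr/local/bin/autopasswd}
MKPASSWD=${MKPASSWD:-/usr/local/bin/mkpasswd}

# is_excluded NAME: true when NAME appears in $EXCLUDE
is_excluded() {
    for x in $EXCLUDE; do [ "$1" = "$x" ] && return 0; done
    return 1
}

# list_target_users: read passwd(4) lines on stdin and print the logins
# that have UID >= MIN_UID, are not excluded, and have a real login shell
list_target_users() {
    while IFS=: read name pw uid gid gecos home shell; do
        [ "$uid" -ge "$MIN_UID" ] 2>/dev/null || continue
        is_excluded "$name" && continue
        case "$shell" in */false|*/nologin) continue ;; esac
        echo "$name"
    done
}

# reset_all LOGFILE: give each target user a fresh random password and
# append user:password to LOGFILE, which is created mode 600 (root only)
reset_all() {
    umask 077
    : > "$1"
    list_target_users < "$PASSWD_FILE" | while read u; do
        p=$("$MKPASSWD")
        "$AUTOPASSWD" "$u" "$p" >/dev/null 2>&1 && echo "$u:$p" >> "$1"
    done
}

# constructed sample passwd(4) data, used to exercise the filter offline
sample_passwd() {
    cat <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
jsmith:x:101:20:John Smith:/home/jsmith:/usr/bin/sh
mjones:x:102:20:Mary Jones:/home/mjones:/usr/bin/ksh
svc:x:103:20:service account:/home/svc:/bin/false
EOF
}

case "$1" in --run) reset_all /var/adm/password_reset.log ;; esac
```

Run it as `change_all_passwords --run` from the cron entry above; without `--run` it only defines the functions, so the filter can be checked against the sample data first.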
Jarheadatheart
Regular Advisor

Re: New to UNIX

Pete, I take it at some point you were with the Military and know how incredibly bright the Department of Defense is!!! hahaha. The Marine Corps is notorious for stuff like this!

Yeah something of the sort would be great!! Again minus root, sys and other system accounts.

I know it is asking for a lot, but to have a script like that, that also sent me the "passwords" for all of the accounts would be great!
Patrick Wallek
Honored Contributor

Re: New to UNIX

The autopasswd script did paste properly the first time.

# cat /usr/local/bin/autopasswd
#!/usr/local/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd

set password [lindex $argv 1]
spawn /usr/bin/passwd [lindex $argv 0]
expect "assword:"
send "$password\r"
expect "assword:"
send "$password\r"
expect eof