02-04-2010 09:59 AM
New to UNIX
I am clueless when it comes to UNIX, and I just inherited 4 HP-UX 11.11 N4000 servers. Our IA group has determined that passwords for ALL accounts (minus root, sys, etc.) need to be changed every 60 days! The problem is that we use PKI authentication, so the users never even know their password.
My question: Is there a way to automate a randomized password reset for every account on the system every, say, 58 days? With the exception of the system accounts?
02-04-2010 10:19 AM
Re: New to UNIX
You can have your account passwords expire by setting 'PASSWORD_MAXDAYS' in '/etc/default/security'.
You can also set 'PASSWORD_WARNDAYS' to some lesser value to cause a warning of impending expiration upon login.
See the manpages for 'security(4)'.
Regards!
...JRF...
02-04-2010 10:26 AM
Re: New to UNIX
We use CAC Cards with a Public/Private key handshake. So passwords are irrelevant from the user perspective.
So, that being said, according to IA, I have to log on as root, and manually change all 400 account passwords on all 4 systems every 60 days..... That will be a pain.
02-04-2010 10:36 AM
Re: New to UNIX
I'm going to play really, really dumb here and ask what I believe to be the obvious question here:
If passwords are irrelevant and unused, why do the bean counters want to make rules about them?
Pete
02-04-2010 10:41 AM
Re: New to UNIX
I asked the same question.........
I of course got no answer... and was just told to change them anyway every 60 days.
02-04-2010 10:50 AM
Re: New to UNIX
So what you really need (other than a lack of morals so you can lie to them and tell them they're changed every 60 days, just like they asked), is a script that would assign them a new, random password every 58 days?
That sounds relatively straightforward, but my scripting skills will take hours/days to come up with it. I'm sure others around here could provide something. (Still reading, Jim?)
Pete
02-04-2010 11:14 AM
Re: New to UNIX
Check out the following thread.
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=5192
Hope it helps.
02-04-2010 11:26 AM
Re: New to UNIX
If you are not going to be changing root's password, then the following "master script" should work:
# cat change_users_password
#!/usr/bin/sh
## Change a user's passwd by using the /usr/local/bin/autopasswd
## expect script and the /usr/local/bin/mkpasswd shell script.
/usr/local/bin/autopasswd username "$(/usr/local/bin/mkpasswd)"
# cat /usr/local/bin/autopasswd
#!/usr/local/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd
set password [lindex $argv 1]
spawn /usr/bin/passwd [lindex $argv 0]
expect "assword:"
send "$password\r"
expect "assword:"
send "$password\r"
expect eof
The mkpasswd script is attached.
Note that this requires that Expect and tcl/tk be installed on your server.
The change_users_password script above could easily be modified to loop through a list of users to change all their passwords.
You could also set this up in cron so that it runs every other month on a day of your choosing.
00 05 15 2,4,6,8,10,12 * /some/dir/change_users_password
The above would run at 5:00 AM on the 15th of Feb, April, June, August, October and December.
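One way to write the loop over users mentioned above, as an added example that is not part of the original post. The function names, MIN_UID, EXCLUDE and DRY_RUN are hypothetical; only /usr/local/bin/autopasswd comes from the thread, and the sample passwd entries are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: UIDs below MIN_UID are system
# accounts, passwd field 2 holds the hash (non-trusted mode), and /dev/urandom
# exists (on HP-UX 11.11 that needs the optional KRNG11i product).
MIN_UID=${MIN_UID:-100}
EXCLUDE=${EXCLUDE:-"root sys bin daemon adm lp uucp nobody"}

# list_targets FILE: names to rotate. Skips NIS +/- entries, low or non-numeric
# UIDs, excluded names, and locked ("*") accounts so a reset never re-enables one.
list_targets() {
    awk -F: -v min="$MIN_UID" -v skip="$EXCLUDE" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) ex[a[i]] = 1 }
        /^[+-]/ || NF < 7 { next }
        $3 !~ /^[0-9]+$/ || $3 + 0 < min { next }
        ($1 in ex) || substr($2, 1, 1) == "*" { next }
        { print $1 }
    ' "$1"
}

# gen_password [LEN]: print LEN (default 16) characters drawn from the kernel RNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count="${1:-16}" 2>/dev/null
    echo
}

# rotate_all FILE: DRY_RUN=1 (default) only reports; otherwise each name goes to
# autopasswd. The password is an argument there, so ps shows it while it runs.
rotate_all() {
    list_targets "$1" | while read -r user; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would reset: $user"
        else
            /usr/local/bin/autopasswd "$user" "$(gen_password)" >/dev/null
        fi
    done
}

# Constructed sample passwd entries (not real accounts) for a dry run.
sample_passwd() {
    cat <<'EOF'
root:abXY12cdEF34g:0:3::/:/sbin/sh
nobody:*:-2:-2::/:
+::0:0:::
jdoe:cdZW56efGH78i:101:20:J Doe:/home/jdoe:/usr/bin/sh
asmith:*:102:20:A Smith (locked):/home/asmith:/usr/bin/sh
bwong:efVU90ghIJ12k:103:20:B Wong:/home/bwong:/usr/bin/sh
EOF
}
sample_passwd | rotate_all -
```

Run as written, it only reports which accounts would be reset; `DRY_RUN=0` with `rotate_all /etc/passwd` performs the change and discards each generated password.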
02-04-2010 11:28 AM
Re: New to UNIX
Yeah something of the sort would be great!! Again minus root, sys and other system accounts.
I know it is asking for a lot, but to have a script like that, that also sent me the "passwords" for all of the accounts would be great!
02-04-2010 11:35 AM
Re: New to UNIX
# cat /usr/local/bin/autopasswd
#!/usr/local/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd
set password [lindex $argv 1]
spawn /usr/bin/passwd [lindex $argv 0]
expect "assword:"
send "$password\r"
expect "assword:"
send "$password\r"
expect eof