Operating System - OpenVMS

Problem with the pre-expired flag

 
SZCZESNY
Occasional Contributor

I have a problem with some of my users (VMS 7.3.2). Their passwords never expire, they regularly change their password (set passwd), but under the authorize utility I always see the status "pre-expired".

Example :
Expiration: (none)
Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none)
Pwdchange: 18-FEB-2005 09:53 (pre-expired)

I don't know how to delete the (pre-expired flag).

Does someone have the solution? Thanks.
Bojan Nemec
Honored Contributor

Re: Problem with the pre-expired flag

You clear the flag with:

UAF> MODIFY user /NOPWDEXPIRED

When the user has this flag, he will be prompted for a new password at his first login; this will also clear the flag.

Bojan
SZCZESNY
Occasional Contributor

Re: Problem with the pre-expired flag

No, the flag is always here.

What we see under authorize is always:

Flags: DisPwdDic DisPwdHis
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none) Pwdchange: 18-FEB-2005 12:51 (pre-expired)
Last Login: 18-FEB-2005 12:55 (interactive), 18-FEB-2005 08:15 (non-interactive)
Bojan Nemec
Honored Contributor

Re: Problem with the pre-expired flag

Szczesny,

Checked once again.

If you have Pwdlifetime: (none), then the expired/pre-expired mechanism does not work (see UAF help MODIFY /FLAGS -- DISFORCE_PWD_CHANGE). The flag is not cleared when the user logs in.

But if you force with the command from the previous post, the flag is cleared.

Bojan
Mobeen_1
Esteemed Contributor

Re: Problem with the pre-expired flag

Szczesny,
As Bojan rightly pointed out, if you have not set the password lifetime (PWDLIFETIME), the pre-expiry doesn't really work.

If you want to test this, set pwdlifetime and try.

regards
Mobeen
SZCZESNY
Occasional Contributor

Re: Problem with the pre-expired flag

Sorry, but nothing works: pwdlifetime, nopwdexp, set pass .... The accounts work fine but I still see the (pre-expired) flag.

I think this flag causes a problem connecting with SSH.

Jan van den Ende
Honored Contributor

Re: Problem with the pre-expired flag

Szczesny,

combine various ideas given above:

-- set a password lifetime
-- use AUTHORIZE to modify the password
now, if the user logs in, (s)he must change Password, and THAT should do the trick.

Regrettably, that means you will have to go through this for all your users...


Hope this helps,

Proost.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Volker Halle
Honored Contributor

Re: Problem with the pre-expired flag

Hi,

maybe there was a 'secondary password' involved for this account?

The '(pre-expired)' string printed AFTER the password change date may come from the
uaf$q_pwd2_date field in the user's UAF record.

Volker.
Volker Halle
Honored Contributor

Re: Problem with the pre-expired flag

Here is how to create a scenario like shown in this thread:

- create a user account with 2 passwords
- /PWDLIFE=none/PWDEXPIRED
- Login to the account
- change the first password

The UAF record will then show up as:

... Pwdchange: 18-FEB-2005 16:26 (pre-expired)

A pre-expired password date is shown as FFFFFFFF FFFFFFFF in a DUMP of the user's UAF record in SYSUAF.DAT. The secondary password date uaf$q_pwd2_date is at offset %x184.

Volker.
Hein van den Heuvel
Honored Contributor
Solution

Re: Problem with the pre-expired flag

Right... so the real (SSH) problem may be that the account has two passwords!?

You can set this field with a call to SYS$SETUAI for item: UAI$_PWD2_DATE.
You could put binary zero there, or a copy of UAI$_PWD_DATE output perhaps.

To clear it you can also whack the file (unsupported):

$ libr/extr=$uafdef/out=tt: sys$library:lib.mlb
:
$EQU UAF$S_PWD2_DATE 8
$EQU UAF$Q_PWD2_DATE 388
:

$ open/read/write/share=write sysuaf sysuaf
$ read/key=test sysuaf sysuaf
$ sysuaf[388*8,4*8]=0
$ sysuaf[392*8,4*8]=0
$ write/update/symbol sysuaf sysuaf
$ close sysuaf

fwiw,
Hein.
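
Added example, not part of the thread or of any OpenVMS tooling: a read-only Python check that classifies the secondary-password date in a raw SYSUAF record, using the offset 388 (%x184) and size 8 quoted above and the FFFFFFFF FFFFFFFF pre-expired marker. It assumes the record bytes have already been copied off the system; the sample records and the helper names `pwd2_date_status`, `to_vms_time` and `make_record` are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

# Offset and size as listed in the $UAFDEF extract quoted in the thread.
UAF_Q_PWD2_DATE = 388          # %x184
UAF_S_PWD2_DATE = 8

PRE_EXPIRED = 0xFFFFFFFFFFFFFFFF     # shown as FFFFFFFF FFFFFFFF in DUMP
VMS_EPOCH = datetime(1858, 11, 17)   # OpenVMS base date; time unit is 100 ns


def pwd2_date_status(record: bytes):
    """Classify the secondary-password date of one raw SYSUAF record."""
    end = UAF_Q_PWD2_DATE + UAF_S_PWD2_DATE
    if len(record) < end:
        raise ValueError(f"record too short: {len(record)} < {end} bytes")
    (raw,) = struct.unpack_from("<Q", record, UAF_Q_PWD2_DATE)
    if raw == PRE_EXPIRED:
        return ("pre-expired", None)   # the case discussed in the thread
    if raw == 0:
        return ("zero", None)          # value the thread writes to clear it
    if raw >> 63:
        return ("unexpected", None)    # negative quadword is not a date
    try:
        return ("date", VMS_EPOCH + timedelta(microseconds=raw // 10))
    except OverflowError:
        return ("unexpected", None)


def to_vms_time(dt: datetime) -> int:
    """Absolute OpenVMS time: 100 ns ticks since 17-NOV-1858."""
    delta = dt - VMS_EPOCH
    return delta.days * 864_000_000_000 + delta.seconds * 10_000_000


def make_record(pwd2_raw: int, size: int = 512) -> bytes:
    """Constructed sample: zero-filled record with only pwd2_date set."""
    rec = bytearray(size)
    struct.pack_into("<Q", rec, UAF_Q_PWD2_DATE, pwd2_raw)
    return bytes(rec)


if __name__ == "__main__":
    samples = {  # constructed records, not real account data
        "flagged": make_record(PRE_EXPIRED),
        "cleared": make_record(0),
        "changed": make_record(to_vms_time(datetime(2005, 2, 18, 16, 26))),
    }
    for name, rec in samples.items():
        print(name, pwd2_date_status(rec))
```

Running it over every record before and after a fix shows which accounts still carry the marker without opening SYSUAF.DAT for write.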