Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Problem with the pre-expired flag

SOLVED
Go to solution
SZCZESNY
Occasional Contributor

Problem with the pre-expired flag

I have problem with some of my users (VMS 7.3.2). Their passwords never expire, they change regulary their password (set passwd), but under the authorize utility I always always see the status "pre-expired".

Example :
Expiration: (none)
Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none)
Pwdchange: 18-FEB-2005 09:53 (pre-expired)

I don't know how to delete the (pre-expired flag).

Has someone have the solution ? Thank's.
11 REPLIES
Bojan Nemec
Honored Contributor

Re: Problem with the pre-expired flag

You clear the flag with:

UAF> MODIFY user /NOPWDEXPIRED

When the user has this flag, it will be prompted for a new password at his first login, this will also clear the flag.

Bojan
SZCZESNY
Occasional Contributor

Re: Problem with the pre-expired flag

No, the flag is always here.

What we see under authorize is always :

Flags: DisPwdDic DisPwdHis
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none) Pwdchange: 18-FEB-2005 12:51 (pre-expired)
Last Login: 18-FEB-2005 12:55 (interactive), 18-FEB-2005 08:15 (non-interactive)
Bojan Nemec
Honored Contributor

Re: Problem with the pre-expired flag

Szczesny,

Checked once again.

If you have Pwdlifetime: (none) , then the expired/pre-expired mechanism does not work (See UAF help MODIFY /FLAGS -- DISFORCE_PWD_CHANGE). The flag is not cleared when the user log in.

But if you force with the command from the previous post, the flag is cleared.

Bojan
Mobeen_1
Esteemed Contributor

Re: Problem with the pre-expired flag

Szczesny,
As Bojan rightly pointed out if you have not set the password life time (PWDLIFETIME), the pre-expiry doesn't really work.

If you would want to test this, set pwdlifetime and try

regards
Mobeen
SZCZESNY
Occasional Contributor

Re: Problem with the pre-expired flag

Sorry, but nothing works : pwdlifetime, nopwdexp, set pass .... The accounts works fine but I still see the (pre expired flag).

I think this flag causes problem to connect with SSH.

Jan van den Ende
Honored Contributor

Re: Problem with the pre-expired flag

Szczesny,

combine various ideas given above:

-- set a password lifetime
-- use AUTHORIZE to modify the password
now, if the user logs in, (s)he must change Password, and THAT should do the trick.

Regrettably, that means you will have to go through this for all your users...


Hope this helps,

Proost.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Volker Halle
Honored Contributor

Re: Problem with the pre-expired flag

Hi,

maybe there was a 'secondary password' involved for this account ?

The '(pre-expired)' string printed AFTER the password change date may come from the
uaf$q_pwd2_date field in the user's UAF record.

Volker.
Volker Halle
Honored Contributor

Re: Problem with the pre-expired flag

Here is how to create a scenario like shown in this thread:

- create a user account with 2 passwords
- /PWDLIFE=none/PWDEXPIRED
- Login to the account
- change the first password

The UAF record will then show up as:

... Pwdchange: 18-FEB-2005 16:26 (pre-expired)

A pre-expired password date is shown as FFFFFFFF FFFFFFFF in a DUMP of the user's UAF record in SYSUAF.DAT. The secondary password date uaf$q_pwd2_date is at offset %x184

Volker.
Hein van den Heuvel
Honored Contributor
Solution

Re: Problem with the pre-expired flag

Right... so the real (SSH) problem may be that the account has two passwords!?

You can set this field with a call to SYS$SETUAI for item: UAI$_PWD2_DATE.
You could put binary zero there, or a copy of UAI$_PWD_DATE output perhaps.

TO clear it you can also whack the file (unsupported)

$ libr/extr=$uafdef/out=tt: sys$library:lib.mlb
:
$EQU UAF$S_PWD2_DATE 8
$EQU UAF$Q_PWD2_DATE 388
:

$ open/read/write/share=write sysuaf sysuaf
$ read/key=test sysuaf sysuaf
$ sysuaf[388*8,4*8]=0
$ sysuaf[392*8,4*8]=0
$ write/update/symbol sysuaf sysuaf
$ close sysuaf

fwiw,
Hein.
SZCZESNY
Occasional Contributor

Re: Problem with the pre-expired flag

OK, all is all right now. SSH works fine with my users !

Thank's a lot to everyone.

Here is my C programm :
Antoniov.
Honored Contributor

Re: Problem with the pre-expired flag

Hi Szczesny,
because you are newbie in this forum please read here
http://forums1.itrc.hp.com/service/forums/helptips.do?#33
the best way to thank who helped you giving points to them.
See you later.

Antonio Vigliotti


Antonio Maria Vigliotti