
Paranoid security, bypass resetting password expiry

 
Raynald Boucher
Super Advisor

Paranoid security, bypass resetting password expiry

Hello again,

"msec", I assume, is again giving me grief.
We are running Mandrake 9 with paranoid security (level 5).
The password expiry period gets reset to default (30 days) even after I have extended it for selected users.

This is really annoying as some users may not log on for extended periods and therefore never get the warning and become unable to log on (me included).

Does anyone know how to override this feature?

Thanks
4 REPLIES
Steven E. Protter
Exalted Contributor

Re: Paranoid security, bypass resetting password expiry

The real answer is to get rid of paranoid security and become active in setting security yourself. It's harder, but the process will improve your skills and allow you to avoid circumstances like this.

You might find using Bastille gives you better control.

With regards to this issue, it may take another password cycle for your change to kick in.

If the password life cycle is 30 days and you extend it, it probably requires a passwd command against that user.

The GUI interface that comes with Mandrake should do that for you.

In the end, there is a price for security, you have to balance that against your sanity.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Raynald Boucher
Super Advisor

Re: Paranoid security, bypass resetting password expiry

Thanks Steve

I'm told we are using this security scheme for this application due to the sensitivity of the information and to use a mixture of security setups so that if one is breached, the others will remain unknown...

Anyway, I found a reference to "no_password_aging_for(name)" in the msec directories. This tells me there is a bypass process and that it's probably driven by a control file.

I'm looking for which one, and the format of the control entry. The source is there but I don't know how to interpret Python code.

Take care.
Huc_1
Honored Contributor

Re: Paranoid security, bypass resetting password expiry

Hello

I don't use msec. I did a search on Google and ended up at Mandrake, where I found the following.

I am passing it on; perhaps this could prove useful!?

http://www.google.com/search?hl=en&lr=lang_en&ie=ISO-8859-1&oe=ISO-8859-1&q=no_password_aging_for&btnG=Google+Search&lr=lang_en

Jean-Pierre
Smile I will feel the difference
Huc_1
Honored Contributor

Re: Paranoid security, bypass resetting password expiry

Hi, me again! I had a bit of time to read the links I mentioned above.

In one of them I found

<<<<<<<<<<<<<<<<< cut from link >>>>>>>>>>>>>>>

no_password_aging_for('toto') in level.local ineffective

* From: [bret]
* Subject: [Cooker] [Bug 1629] [msec] msec no_password_aging_for('toto') in level.local ineffective
* Date: Mon, 28 Jul 2003 07:06:33 -0700

http://qa.mandrakesoft.com/show_bug.cgi?id=1629





------- Additional Comments From [EMAIL PROTECTED] 2003-28-07 17:37 -------
One thing to keep in mind with password aging is if you disabled the password
aging after you set up the user, the shadow file will still have the setting
in it.

To disable the aging after you setup your level.local run this command:
"chage -M 99999 'username'".

That should fix your aging and it will not be re-enabled again by msec.

Now I have no idea if msec should do this if you add the entries above to
your level.local or not.


Bret.

<<<<<<<<<<<<<<<<<< end_of_cut >>>>>>>>>>>>>>>>

I had a look at this tool ... not bad, but I am more inclined to checking/reading lock and using standard iptables, Bastille; I find it is the best way for me to know what's going on. Having said this, I am lucky to be able to decide this myself.

Hope this will help you with this problem.

Jean-Pierre or J-P (shorter version).

Smile I will feel the difference
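
The quoted bug comment says a `level.local` exemption does not clear an aging value already stored in the shadow file. The script below is an added example, not part of this thread or of msec: it lists the users exempted in a `level.local` file and flags those whose shadow entry still carries a finite maximum age, printing the `chage` command from the bug comment for each. It assumes entries have the `no_password_aging_for('name')` form shown above and that field 5 of a shadow line is the maximum password age; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Cross-check msec level.local exemptions against shadow's max-age field.

# exempt_users LEVEL_LOCAL: print each name given to no_password_aging_for(),
# skipping commented-out lines.
exempt_users() {
    sed -n "s/^[[:space:]]*no_password_aging_for(['\"]\([^'\"]*\)['\"]).*/\1/p" "$1"
}

# shadow_max_days SHADOW USER: print field 5 (maximum password age in days);
# returns non-zero when the user has no shadow entry.
shadow_max_days() {
    awk -F: -v u="$2" '$1 == u { print $5; found = 1 } END { exit !found }' "$1"
}

# audit_aging LEVEL_LOCAL SHADOW: one status line per exempted user.
audit_aging() {
    exempt_users "$1" | while read -r user; do
        if ! max=$(shadow_max_days "$2" "$user"); then
            echo "$user MISSING"
        elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            echo "$user OK"
        else
            echo "$user STALE max=$max fix: chage -M 99999 $user"
        fi
    done
}

# make_sample DIR: constructed sample files (not real accounts or hashes).
make_sample() {
    cat > "$1/level.local" <<'EOF'
# constructed level.local
no_password_aging_for('toto')
no_password_aging_for('backup')
#no_password_aging_for('disabled')
no_password_aging_for('ghost')
EOF
    cat > "$1/shadow" <<'EOF'
toto:!:12260:0:30:7:::
backup:!:12260:0:99999:7:::
disabled:!:12260:0:30:7:::
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_aging "$demo_dir/level.local" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real system, call `audit_aging` as root with the paths of the actual `level.local` and shadow files; rerunning it after a scheduled msec pass shows whether an extended expiry was reset again.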