Account expiry

Delecole
Frequent Advisor

Account expiry

Hi there !

I need to set an account expiry (I do not talk about password here).

I enabled it in SAM, and set it to 60 days :

Go to SAM ->Auditing and security -> system Security Policies -> General User Account Policies, and Enable "Lock Inactive accounts" with 60 days.

But then even trying to launch the /usr/lbin/getprpw , I get something like this :

# ./getprpw genadmin

uid=100, bootpw=NO, audid=20, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Tue Sep 26 20:10:10 2006, upwchg=Tue Jun 20 02:20:22 2006, acctexp=-1, llog=-1, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Sep 28 21:15:31 2006, ulogint=Tue Sep 26 22:02:58 2006, sloginy=pts/ta, culogin=-1, uloginy=pts/tb, umaxlntr=-1, alock=NO, lockout=0000000

See the "acctexp=-1" ?

So I cannot verify it has been set to "60 days".


Am I using the wrong command to set/view the account expiry ?

P.S.: I'm on a trusted host system, HP-UX 11i.

Many Thanks !!
13 REPLIES
Darren Prior
Honored Contributor

Re: Account expiry

Hi,

The -1 indicates that the system default value is being used rather than a value specific to that user. Default values are stored in /tcb/files/auth/system/default.

regards,

Darren.
Calm down. It's only ones and zeros...
Delecole
Frequent Advisor

Re: Account expiry

Thanks for the "-1" information.

Looking at the file you specify, I see the following :
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
:u_llogin#5184000:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#99:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:


I have put a default of 60 days in SAM for the general system policy, and 3 days only for the user "genadmin".

I do not see 60 nor 3 in the file you mention.
I'm interested to see the expiry days for a user account.

Many Thanks so far ... but the answer is not complete, yet ;-)
Darren Prior
Honored Contributor

Re: Account expiry

Ah, if it were only that easy ;-) The default file uses time in seconds, so 60 days (in seconds)=60*60*24*60=5184000.

The u_llogin value in the default file is set to 5184000. There's a bit more info on this parameter here -> http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1030113

If you manually set a user value, then it will override the system default. Take a look in the user file (which will be /tcb/files/auth/g/genadmin) for your 3 days.

regards,

Darren.
Calm down. It's only ones and zeros...
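A small parser, added here as an example (it is not from the thread or from HP), for the prpwd-style entries discussed above: it resolves the effective u_llogin the way Darren describes (a value in the per-user file overrides the system default, which is the case getprpw reports as -1) and converts the seconds back to days. The default entry is the one quoted in the thread; the genadmin per-user entry is constructed for the example.

```python
# Added example (not from the thread): parse prpwd(4)-style entries and
# resolve the effective u_llogin (maximum seconds between logins).

# Constructed copy of the system default entry quoted in the thread.
DEFAULT_ENTRY = """default:\\
:d_name=default:\\
:d_boot_authenticate@:\\
:u_pwd=*:\\
:u_owner=root:u_auditflag#-1:\\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\\
:u_llogin#5184000:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:\\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#99:\\
:u_lock:\\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\\
:chkent:
"""

# Constructed (hypothetical) /tcb/files/auth/g/genadmin: 3 days overrides the default.
USER_ENTRY = """genadmin:u_name=genadmin:u_id#100:\\
:u_llogin#259200:\\
:chkent:
"""

def parse_entry(text):
    """Return {field: value}: 'name#n' -> int, 'name=s' -> str,
    'name@' -> False (capability absent), bare 'name' -> True."""
    joined = "".join(line.rstrip("\\") for line in text.splitlines())
    fields = {}
    for cap in joined.split(":")[1:]:   # element 0 is the entry name
        if not cap or cap == "chkent":  # empty from '::' joins; end marker
            continue
        if "#" in cap:
            name, val = cap.split("#", 1)
            fields[name] = int(val)
        elif "=" in cap:
            name, val = cap.split("=", 1)
            fields[name] = val
        elif cap.endswith("@"):
            fields[cap[:-1]] = False
        else:
            fields[cap] = True
    return fields

def effective_llogin_days(user_text, default_text):
    """Per-user u_llogin wins; otherwise the system default applies
    (the case getprpw reports as llog=-1)."""
    user, default = parse_entry(user_text), parse_entry(default_text)
    seconds = user.get("u_llogin", default.get("u_llogin"))
    return None if seconds is None else seconds / 86400
```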
Delecole
Frequent Advisor

Re: Account expiry

Ok, I see effectively the correct values in seconds, for what I have set.


u_llogin - This value, in seconds, is the maximum time allowed between logins. If the time between the last login and the current time exceeds this value, the account is locked and the user can no longer log on.

I was expecting the correct parameter to be acctexp (for account expiry), but it seems you are correct with the u_llogin.

Many Thanks !!
Delecole
Frequent Advisor

Re: Account expiry

Maybe another question around this ...
the account expiry is working fine (i.e. account disabled after the account expiry time has elapsed).

What if I want to "delete the account" if no request for reactivation has been made, for example?

So I put an account expiry of 60 days, then an account deletion after 15 more days (total 75 days).

I found in SAM the "Account Life time" in days, but will that begin counting when the account is expired, or when the account is created?

If the account life time begins counting when the account is expired (locked), then it is OK.

If the account life time begins counting from the creation date of the user, then I have a problem.

I want to follow the security rule as follows:
- Account locked after 60 days of inactivity
- then account deleted 15 days after the 60 inactivity days.

Can someone answer?
Many Thanks !!
Mike Keighley
Frequent Advisor

Re: Account expiry

My understanding is that "account lifetime" is counted from when the account is created, so no, that would not be of use to you in this case.

(for more info please see the u_acct_expire entry in "man 4 prpwd"; it states explicitly that the account expiry time is not updated upon password change; I would infer that it is not updated upon de-activation either).

I simply keep a mental note to review disabled accounts after one month. We have a variety of tasks to undertake on ex-employees at that time (archiving their email; redistributing working files to their successor, etc.) Going back in to delete their accounts is a small part of the load.

Sorry I can't suggest an automatic way of achieving this.
nil illegitimi root-andum
Delecole
Frequent Advisor

Re: Account expiry

Thanks Mike !

Anybody else who has an idea is welcome ;-)
Bill Hassell
Honored Contributor

Re: Account expiry

There is no 'automatic' method to delete an account. If there were, you would have a *lot* of problems with special accounts like lp that almost never get used but, if deleted, cause major problems with printing. And of course, the user's account also includes a HOME directory. What is the 'correct' action for this directory and all the files? Would it be to trash everything and hope nothing important was lost? Or do you move the directory to an archive location? What about the user's files in /var/tmp and /tmp? And what if someone tried to login to this unused account? Would this be a security issue? Should records be kept of old logins, especially if the old login is for a terminated employee?

Too many questions, no single answer, therefore removing an inactive account is left to the sysadmin to handle according to company policies.


Bill Hassell, sysadmin
Delecole
Frequent Advisor

Re: Account expiry

Thanks Bill for pointing out those issues.
I just got a kind of security rules document to be followed for my system, and one of the rules explains this (see below), which is the reason why I wanted to delete inactive user accounts:

------------------------
Redundant userids remaining enabled on the system. If an attacker could guess the password then they could access the system without being noticed.
Also, if deleted userids have not had their associated files or file permissions removed then they would be passed to a new user issued with that userid.