Operating System - HP-UX

John Jeffrey
Occasional Advisor

Going trusted - what accounts will expire?

I need to go trusted on my 11.00 systems.

I have an 11.00 test system, but it only has a few accounts on it. Going trusted does not expire all accounts... but it does some. How can I determine which accounts will expire and which will not? My production system has over 1,500 accounts.

I searched and found several threads similar to this, but none could define /exactly/ which accounts will be forced to change their passwords, and which will not. What's the algorithm?

Just some more data - currently, I enter trusted mode via SAM. It does not prompt me to expire all passwords as part of this process, it just says "Ok" when it's done. When the process is complete, Password Aging remains disabled. On the SAM -> Password Aging Policies screen I have the option of enabling aging as well as Expiring All passwords. I will definitely be enabling password aging. I think I'd like to skip expiring all passwords, if I can.

Thanks in advance.
Pete Randall
Outstanding Contributor

Re: Going trusted - what accounts will expire?

Use SAM to do the conversion and none of the accounts will be expired.


Pete
Steven E. Protter
Exalted Contributor

Re: Going trusted - what accounts will expire?

Shalom,

There is a report on passwords, passwd -sa, that can give you an idea of the status of passwords.

The default is 90 days. Any account that has not had a password change during that period risks being expired.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Pete Randall
Outstanding Contributor

Re: Going trusted - what accounts will expire?

Wait a minute - I was reading the last part of your question while I was typing.

It is my understanding that using SAM to do the conversion is not supposed to expire all passwords. Are you saying that you have experience to the contrary?


Pete
John Jeffrey
Occasional Advisor

Re: Going trusted - what accounts will expire?

As I said, this test system has few accounts on it. Before going trusted, I created 3 test accounts.

test1 was forced to change their password on next login.

test2 was set to expire in 1 day/week (passwd -x 1 test2)

test3 was locked.

After the trusted conversion via SAM, none of the test accounts were expired (well, test3 couldn't log in, obviously). However, my personal system account was.

Now - I don't recall if I had set password expiry on my account. However, after the trusted conversion, system-wide password expiry was disabled, anyway. I don't understand why my personal account expired.
Bill Hassell
Honored Contributor

Re: Going trusted - what accounts will expire?

This may be a patch issue for the security components. Run the security_patch_check program and add the missing patches. However, you can bypass SAM and just issue the two commands:

tsconvert -c
/usr/lbin/modprpw -V

This will convert the system and then refresh the expiration date for every login.


Bill Hassell, sysadmin
doug hosking
Esteemed Contributor
Solution

Re: Going trusted - what accounts will expire?

Bill's 'modprpw' reply is likely to be the most helpful in your case, given that you don't want anything to expire.

Regarding why the conversion can expire passwords, the reason is that the password complexity rules can differ between standard mode and trusted mode. Since it is not possible to decrypt UNIX passwords in any practical way, the only way to be sure that the new complexity rules are followed soon after the conversion is to force everyone to change their passwords, at which time the new passwords can be tested for compliance with the newly configured complexity rules.
John Jeffrey
Occasional Advisor

Re: Going trusted - what accounts will expire?

Thanks for the input!