Security

Re: Initial account password change problem

 
ConnieK
Regular Advisor

Initial account password change problem

I know this is a simple problem and probably has a simple answer - but right now I can't figure this out.

HPUX 11.0, N4000, Trusted. User account created - initial password established. User attempts to log in using that initial password. User gets notification that password needs to be reset and asks for old password. User types the old (initial) password and the screen that asks if the user wants to get one generated, pick one, etc., appears momentarily and then it kicks user out for no password. It does not give the user the chance to pick (p) a password, nor does it allow them to type a new one in.

Does anyone have any idea what's going on here and why the user cannot change his own password?
Independent by nature
Steven E. Protter
Exalted Contributor

Re: Initial account password change problem

Shalom,

First let's check authentication file integrity:

pwck
grpck

Then let's check syslog /var/adm/syslog/syslog.log for some clues as to the problem.

There may be a conflict between your /etc/default/security setting and the kind of password the random password generator creates.

Note that almost nobody uses this feature because the passwords can't be remembered and end up on Post-it notes next to the users' screens.

I would think that a little poking around will get us an error message that might be helpful.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
ConnieK
Regular Advisor

Re: Initial account password change problem

Steven,

pwck is 0 - so it's okay. grpck has 4 or 5 duplicate gids, but it should not affect the individual user attempting to log in the very first time. Syslog shows NO activity for the user - no initial connection. The /etc/default/security file just has MIN_PASSWORD_LENGTH=8 and PASSWORD_HISTORY_DEPTH-13, which also should not affect a user's initial login attempt. The password length is not the issue as the user was never able to even enter a new password.

More thoughts?

CK

Independent by nature
ConnieK
Regular Advisor

Re: Initial account password change problem

Oh - just another thing I just now discovered.... I ran "authck" and almost every account (not sure if all accounts) reported back stating "Userxxx cannot have a password set on the account".

This is a new system to me and I've never seen that statement come back from authck.
Independent by nature
Coolmar
Esteemed Contributor

Re: Initial account password change problem

ConnieK
Regular Advisor

Re: Initial account password change problem

Coolmar - I cannot open that thread. It can't help me if I can't read it.
Independent by nature
john korterman
Honored Contributor

Re: Initial account password change problem

Hi Connie,

Please check doc id: USECKBRC00010324 in the tech base.

regards,
John K.
it would be nice if you always got a second chance
ConnieK
Regular Advisor

Re: Initial account password change problem

Coolmar - I was "eventually" able to open the document you referenced. Thanks, but it was not the solution I needed.

John - I read the document you referenced and it may be the solution for the issue with authck -p output.

I searched the TKB and found DocID A5509671 and I believe this is the solution to my original problem. The account was created with "useradd" and "passwd -f loginid" was performed. The -f activates password aging immediately and forces user to change the password upon next login.

Maybe I'm wrong, but I think this action would be okay to do on an existing account where the user had already logged in and established initial login parameters, but if this is an initial account where the user has never logged in, then do not use the "-f" flag. This is different from HPUX 11.11 or 11.23.

Also, the reference to the "-f" flag is in the man page for passwd (4).
Independent by nature
ConnieK
Regular Advisor

Re: Initial account password change problem

Okay all - I have discovered the solution to the initial problem. I found that the user was using ssh to log in the first time. For some reason (probably the ssh configuration files need to be addressed) the user must use telnet to initially log in and change his password. The ssh protocol as it stands will not allow this action.

Thanks to all who attempted to resolve this!
Independent by nature
ConnieK
Regular Advisor

Re: Initial account password change problem

closed
Independent by nature