Password Expiry Period

 
Mark Parsons
Valued Contributor

Password Expiry Period

We are running trusted HPUX servers and we need to set password expiry for user accounts to 60 days and for application accounts to 365 days.

I would like to set one of these globally and then the other one manually per account. I guess as there are more user accounts than application accounts this might be easier to have the 60 days for them as default which is then overwritten by the 365 days for application accounts.

Can this be done and how? HP11-31 is the operating system.

Many thanks.

Bill Hassell
Honored Contributor

Re: Password Expiry Period

There are a number of non-user and non-app logins that are part of HP-UX. So changing every entry in /etc/passwd may create some problems later on. You'll need to set up a list of user IDs (users and apps) that need changing and then script the expiration values accordingly. You don't want user IDs such as bin, sys, adm, lp, cimsvr, etc. to expire.



Bill Hassell, sysadmin
Mark Parsons
Valued Contributor

Re: Password Expiry Period

Hi,

These variables are in /etc/default/security:
# PASSWORD_MAXDAYS=175
# PASSWORD_MINDAYS=14

If these are set, is it possible to override them on an individual user account basis?

mnavada
Occasional Advisor

Re: Password Expiry Period

Hi Mark,

Good Day. Here is my response.

We are running trusted HPUX servers and we need to set password expiry for user accounts
to 60 days and for application accounts to 365 days.

I would like to set one of these globally and then the other one manually per account.
I guess as there are more user accounts than application accounts this might be easier
to have the 60 days for them as default which is then overwritten by the 365 days for
application accounts.

Can this be done and how? HP11-31 is the operating system.


Ans: Your requirement is almost similar to https://community.hpe.com/t5/Security/How-to-set-Password-expiration-date-on-HP-UX/td-p/4283282#.XTrZwfIzbX4

## As per your statement, the node is in "trusted".

## So, modifying the following parameter is only applicable for non-trusted.

/etc/default/security:
# PASSWORD_MAXDAYS=175
# PASSWORD_MINDAYS=14

Refer "man" page of "modprpw" - https://nixdoc.net/man-pages/HP-UX/man1m/modprpw.1m.html

modprpw flag      database equivalent
==============    ====================
mintm=value       u_minchg
exptm=value       u_exp
lftm=value        u_life
expwarn=value     u_pw_expire_warning
umaxlntr=value    u_maxtries


u_minchg This field specifies the minimum password change
time in seconds. If non-zero, the password cannot be
changed until the specified number of seconds since the
last successful password change have passed unless the
person changing the password is authorized to
override this constraint.

u_exp This field is a time_t value that specifies when the
account password will expire. When a password expires,
system authentication programs will request that the
password be changed when the user logs into the system.
If the password lifetime expires before the password is
changed, the account will be locked.

u_life This field is a time_t value that specifies the
lifetime of a password. If this time is reached, the
account will be locked and can only be unlocked by an
authorized system administrator.

u_pw_expire_warning
This value, in seconds, is the time at which a warning
will appear prior to the expiration of the user's
password.

u_maxtries This field specifies the maximum number of consecutive
unsuccessful login attempts to the account that are
permitted until the account is locked.

## You can use the following command to show what system wide defaults are in place:
# /usr/lbin/getprdef -p

## Refer https://community.hpe.com/t5/Security/difference-between-getprpw-and-getprdef/td-p/6988282#.XTraxPIzbX4 to know
the difference between getprpw and getprdef.

 

Hope this helps.

Thanks & Regards,
Manjunath Navada

HPE

I am a HPE Employee
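
Combining the replies above (a per-account list that leaves system logins alone, and the modprpw fields), here is an added example that is not part of the original thread: a script that reads passwd-format input and prints one modprpw command per account for review, without running anything. It assumes exptm is given in days via `-m`, as the linked modprpw(1M) page describes; the accounts `jdoe` and `appsvc`, the UID cutoff of 100 and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print, but do not run, one modprpw command per account.
USER_DAYS=60      # interactive users (figure from the question)
APP_DAYS=365      # application accounts (figure from the question)
MIN_UID=100       # assumption: lower UIDs are system logins
# System logins named in the thread that must never expire.
SKIP="bin sys adm lp cimsvr"

# plan_expiry "APP1 APP2 ..." < passwd-format input
# Assumes exptm is given in days, per the modprpw(1M) page linked above.
plan_expiry() {
    awk -F: -v skip="$SKIP" -v apps="$1" -v ud="$USER_DAYS" \
        -v ad="$APP_DAYS" -v min="$MIN_UID" '
    BEGIN {
        n = split(skip, s, " "); for (i = 1; i <= n; i++) is_skip[s[i]] = 1
        n = split(apps, a, " "); for (i = 1; i <= n; i++) is_app[a[i]] = 1
    }
    /^#/ || NF < 7 { next }                      # comments, malformed lines
    $1 !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/ {         # never emit odd names into a command
        print "# skip unsafe login name on line " NR; next
    }
    ($1 in is_skip) || ($3 + 0 < min) {
        print "# skip " $1 " (system login)"; next
    }
    {
        days = ($1 in is_app) ? ad : ud
        print "/usr/lbin/modprpw -m exptm=" days " " $1
    }'
}

# Constructed sample input; on a real host feed /etc/passwd instead.
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
cimsvr:*:102:102:WBEM Services:/var/opt/wbem:/sbin/sh
jdoe:*:201:20:Constructed user:/home/jdoe:/usr/bin/sh
appsvc:*:301:20:Constructed app account:/home/appsvc:/usr/bin/sh
EOF
}

sample_passwd | plan_expiry "appsvc"
```

In the sample, cimsvr has a UID above the cutoff and is skipped only because it is on the name list, which is why both checks are kept. On a real host, run `plan_expiry "app1 app2" < /etc/passwd` and review the printed commands before running them as root.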