modifying inactivity per user hp-ux 11.31

 
Sean M.
Advisor

modifying inactivity per user hp-ux 11.31

I apologize if this is posted somewhere on the forum, but I'm not finding exactly what I am looking for.

Currently we have our systems set to lock out accounts if the user hasn't logged in within 45 days via the tcb default file (system is trusted). :u_llogin#3888000

Now I have several accounts that need to be exempted from this as they are process or database accounts. Is there a way to modify the accounts to ignore this rule, or set them to expire for a high number (year+ or indefinite)?

I've tried modifying the accounts by using:
/usr/lbin/modprpw -m llog=6000 account_name
and it appears to be working. Obviously I can't test whether this is working without rolling the server clock forward (can't do). Is this the "correct" way to do this or is there a better way?

Thanks,


- Sean
5 REPLIES
Steven E. Protter
Exalted Contributor

Re: modifying inactivity per user hp-ux 11.31

Shalom,

The best way to do this is to test it in a lab system or a virtual system.

You can in that situation roll the clock forward without damage.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sean M.
Advisor

Re: modifying inactivity per user hp-ux 11.31

Unfortunately our lab won't be set up for another 1-2 weeks, so I do not have an available server to test this on.
Main Group
Advisor

Re: modifying inactivity per user hp-ux 11.31

You could perhaps gain some confidence that the individual account override works by setting a test account to expire at a much shorter duration than the default.
Jim Walls
Trusted Contributor
Solution

Re: modifying inactivity per user hp-ux 11.31

Take a look at man getprpw.

The value for this type of setting can be:
=-1 meaning not defined, so use system default
=0 Not set - meaning not to be applied
=>0 Use this value for the setting.

First: Use SAM (or the 11.31 equivalent, or modprdef) to set the system default for llog to your 45 days. Use modprpw to set llog=-1 for all general users, and finally set llog=0 for your special users.
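
An added example, not part of the original post or of HP's tooling: a POSIX shell audit that applies the value meanings given in the answer above (-1 inherit the system default, 0 not applied, >0 explicit value) and flags exempt service accounts that are not set to 0 as well as ordinary accounts that override the default. The input format `account llog=VALUE`, the helper names and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit per-account llog settings against a list of exempt accounts.
# Input on stdin: one "account llog=VALUE" line per account. This format is an
# assumption; it could be assembled from `/usr/lbin/getprpw -m llog <account>`.
# Meaning of VALUE, as described in the answer above:
#   -1 = use system default, 0 = not applied, >0 = per-account value

# audit_llog "exempt1 exempt2 ..."   (hypothetical helper name)
audit_llog() {
    exempt_list=" $1 "
    while read -r account setting; do
        [ -z "$account" ] && continue
        value=${setting#llog=}
        case "$exempt_list" in
            *" $account "*) is_exempt=1 ;;
            *)              is_exempt=0 ;;
        esac
        case "$value" in
            -1)          state="default" ;;
            0)           state="disabled" ;;
            ''|*[!0-9]*) state="invalid" ;;   # empty, negative other than -1, or non-numeric
            *)           state="custom" ;;
        esac
        if [ "$state" = "invalid" ]; then
            echo "ERROR $account unparsable value '$setting'"
        elif [ "$is_exempt" -eq 1 ] && [ "$state" != "disabled" ]; then
            echo "FIX $account exempt account has llog=$value, expected 0"
        elif [ "$is_exempt" -eq 0 ] && [ "$state" != "default" ]; then
            echo "REVIEW $account non-exempt account overrides default with llog=$value"
        else
            echo "OK $account llog=$value"
        fi
    done
}

# Constructed sample data (not taken from a real system).
sample_report() {
    audit_llog "oracle batchsvc" <<'EOF'
jsmith llog=-1
oracle llog=0
batchsvc llog=6000
tempadm llog=0
broken llog=
EOF
}

sample_report
```

The REVIEW line matters as much as the FIX line: an interactive account left at llog=0 is silently outside the inactivity lockout policy.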

Sean M.
Advisor

Re: modifying inactivity per user hp-ux 11.31

Sorry for very late response and point giving, but I was on extended break. Solution from last post was tested and works properly.


Thanks.