
password expiry date in hp unix.

 
krissh89
Occasional Advisor

Hi

OS version: HP-UX 11i v3

The system is trusted.

How can I find the password expiry date for a user in HP-UX 11i v3 on a trusted system?

 

When I run

#passwd -sa

krish345 PS   ----> I can't see password aging.

 

When I run

#getprpw -l krish345

uid=655, bootpw=NO, audid=289, audflg=1, mintm=-1, maxpwln=8, exptm=-1, lftm=-1, spwchg=Thu Feb 26 07:49:25 2015, upwchg=-1, acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Mon Mar  2 14:19:13 2015, ulogint=-1, sloginy=-1, culogin=0, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000

 

All values are set to -1. What does -1 refer to?

Does -1 say that there is no password aging?

 

When I run

#cat /etc/default/security | grep -v "#"

PASSWORD_MIN_DIGIT_CHARS=1
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=3

Nothing is defined in /etc/default/security.

How can I find the password expiry from all the above 3 outputs?

Regards

krissh

P.S. This thread has been moved from HP-UX > System Administration to HP-UX > Security. - HP Forum Moderator

Bill Hassell
Honored Contributor

Re: password expiry date in hp unix.

Yes, the -1 means the feature is not set.

The security file and other security settings in HP-UX have been very fragmented and poorly documented. I created a sample security file based on various docs and some testing. The settings in the security man page are not active if they are not actually set in the security file. Another very bizarre feature is that the "#" character cancels the entire line no matter where it appears. So the common technique to add comments at the end of a valid line will (silently) cancel the setting.

(this is one of two very unexpected behaviors in a settings file, namely /etc/syslog.conf where *ANY* space anywhere on the line cancels the line's directive, only tabs are allowed)

Here is an example security file. It can be used in any version of HP-UX from 11.00 and later, but settings that do not apply for the HP-UX version, patches and security level are ignored.


#####################################################################
#####################################################################
##                                                                 ##
##  Security file: /etc/default/security -- 11.00 and higher only  ##
##                                                                 ##
#####################################################################
#####################################################################

# Note: the contents of the security file settings are version
#       specific.  See the man page: man security

# Comments (#) are allowed on separate lines, but a trailing
#    or embedded # will also disable the setting
#    (just like syslog.conf with spaces)

# Access controls (11.0 and higher)
###########################################################

# NOLOGIN=1 will enable the no logins allowed policy.
# NOTE: This attribute only applies to the applications
# that use session management services provided by
# pam_hpsec(5) as configured in /etc/pam.conf, or
# those services that indirectly invoke the
# login(1) command.
#
# This prevents *ANY* non-root user from logging in when the file
#   /etc/nologin
# exists.  This file can be anything (including null) but will
# be displayed before auto-logoff. Typically, a message about
# system maintenance is stored there:
#
# SYSTEM ABC IS DOWN FOR MAINTENANCE, BACK at 11am
#
# Remove the file for normal logins.

NOLOGIN=1

# Number of logins allowed for each user (0=unlimited)
NUMBER_OF_LOGINS_ALLOWED=0

ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Standard and Shadow modes only: Enable or
# disable the display of the last successful
# and unsuccessful login at the next login.
# (1=enable, 0=disable)

DISPLAY_LAST_LOGIN=1

# Standard and Shadow modes only: Expire non
# root local accounts that have had no logins
# for the specified number of days. If zero,
# inactive accounts are not expired.

INACTIVITY_MAXDAYS=0

# Standard and Shadow modes only: Allow
# logins only during specified time periods.
# LOGIN_TIMES=Any


# Single user mode authorization (11i and non-trusted only)
###########################################################
# Requires root password to get into single user mode (CAREFUL)
#     BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
#     BOOT_USERS=bill,jane,joe

# Password controls - Trusted Systems only
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

PASSWORD_MAXDAYS=120
PASSWORD_MINDAYS=7
PASSWORD_WARNDAYS=7

# Session controls
##################


# Default umask value upon login. Note: This
# attribute controls umask(2) of all sessions
# initiated via pam_unix(5) and/or pam_hpsec(5).
# Must have a leading zero to denote octal.

UMASK=0022

## su default values:
## SU_ROOT_GROUP=suroot
## SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
## SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD

Bill Hassell, sysadmin
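An added example, not part of the thread or of Bill's sample file, that checks a security file for the pitfall described above, where a "#" anywhere on a line cancels the whole line. The sample file, its path and the function names are constructed for the demonstration and are not HP-UX tooling.

```shell
#!/bin/sh
# Added example (not from the thread): lint an HP-UX /etc/default/security
# style file for the rule that a "#" anywhere on a line cancels the line,
# so a trailing comment silently disables the setting in front of it.
# The file below is a constructed sample, not a real system's file.

SAMPLE_SECURITY=${TMPDIR:-/tmp}/security.sample
cat > "$SAMPLE_SECURITY" <<'EOF'
# Password controls
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=3
PASSWORD_MAXDAYS=90    # expire after 90 days  <- this comment cancels the line
UMASK=0022
EOF

# Settings HP-UX will actually honour: NAME=VALUE lines containing no "#" at all.
effective_settings()
{
    grep -v '#' "$1" | grep '^[A-Z_][A-Z0-9_]*='
}

# Settings that look like NAME=VALUE but carry a "#" later on the line;
# the comment disables them instead of annotating them.
cancelled_settings()
{
    grep '^[A-Z_][A-Z0-9_]*=' "$1" | grep '#' | sed 's/[[:space:]]*#.*$//'
}

# Value a given setting resolves to (last effective occurrence wins), or "unset".
setting_value()
{
    v=`effective_settings "$1" | sed -n "s/^$2=//p" | tail -1`
    [ -n "$v" ] || v=unset
    echo "$v"
}

echo "Effective settings in $SAMPLE_SECURITY:"
effective_settings "$SAMPLE_SECURITY"
echo
echo "Settings silently cancelled by an embedded '#':"
cancelled_settings "$SAMPLE_SECURITY"
```

Run it against a copy of a real /etc/default/security to list every setting that a trailing comment has quietly switched off.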
krissh89
Occasional Advisor

Re: password expiry date in hp unix.

Hi

From your comment I understand that if the value is -1 then password aging is not set, which means the password will never expire.

Then why are we setting lftm, exptm, mintm and expwarn to zero to make the password never expire?

Then what is the difference between -1 and 0?

Bill Hassell
Honored Contributor

Re: password expiry date in hp unix.

The man page for getprpw defines the numeric values:

Numeric values are specified as positive numbers, 0, or -1.  A value of -1 indicates that the field has not been assigned a value in the database.

So -1 means that no value has been assigned and therefore the default behavior is in effect. 0 means the value is explicitly set to not take effect, and positive numbers give the numeric value for the setting, such as the number of days of warning before a password expires.

Bill Hassell, sysadmin

Re: password expiry date in hp unix.

You can use the "secweb" command to see the default settings.

They can also be found in /tcb/files/auth/system/default, but then you have to calculate yourself, as the values are listed in seconds.

u_exp#2592000 = 30 days ( 2592000 / 86400 )

Cheers,

Per

KathyL1
Valued Contributor

Re: password expiry date in hp unix.

The following script will print the password expiry date for an individual user on a Trusted System:

#!/usr/bin/sh
# Print the password expiry date for one user on an HP-UX Trusted System.
# Usage: pwexpiry.sh <username>

# Has the system been converted to Trusted Mode?
TCB_DIR=/tcb/files/auth
if [ ! -d $TCB_DIR ]
then
    echo "\n\nSystem has not been converted to Trusted Mode\n\n"
    exit 1
fi

USER=$1
# Per-user entries live in a subdirectory named after the first letter of the user name
TCB_FILE=$TCB_DIR/`echo $USER | cut -c1`/$USER

# Is there a protected password entry for this user?
if [ ! -f $TCB_FILE ]
then
    echo "\n\nThe password file $TCB_FILE does not exist for $USER\n\n"
    exit 1
fi

# Extract the value of a "name#value" capability from a tcb file (empty if not present)
tcb_value()
{
    sed -n "s/.*:$2#\([0-9]*\):.*/\1/p" $1 | head -1
}

# Expiry interval in seconds: the user's own u_exp if set, otherwise the system default
EXPIRY=`tcb_value $TCB_FILE u_exp`
[ -z "$EXPIRY" ] && EXPIRY=`tcb_value $TCB_DIR/system/default u_exp`

# u_succhg is the epoch time of the last successful password change
USER_CHANGED=`tcb_value $TCB_FILE u_succhg`

if [ "${EXPIRY:-0}" -eq 0 ]
then
    echo "\nPassword for user \"$USER\" does not expire (u_exp is 0 or not set)"
    exit 0
fi
if [ -z "$USER_CHANGED" ]
then
    echo "\nNo successful password change is recorded for \"$USER\" (u_succhg not set)"
    exit 0
fi

USER_EXPIRY_TICKS=`expr $EXPIRY + $USER_CHANGED`
echo "\nPassword for user \"$USER\" expires on: " `perl -MPOSIX -e "print strftime \"%d-%b-%y %H:%M:%S\n\",localtime($USER_EXPIRY_TICKS)"`

chindi
Respected Contributor

Re: password expiry date in hp unix.

Hi,

When I am using the above script I am not able to get valid dates, I mean it's showing earlier dates.

KathyL1
Valued Contributor

Re: password expiry date in hp unix.

Apologies - I made a typo in my original post.

I've updated it with the correct information (and added some additional tests).

chindi
Respected Contributor

Re: password expiry date in hp unix.

Thanks a ton.

It's working now.