
which file holds passwd expiry default info for new user accounts?

Jim Wallace
Frequent Advisor

which file holds passwd expiry default info for new user accounts?

This is on an un-trusted HP-UX 11.0 system.

Security auditors want to see details of the file that sets the default password ageing when adding new users. I can create a template for SAM to use, which includes 52 weeks before expiry, for new users created - but - I can't then find a file on the system that reflects this.

Any ideas please gurus?
Thanks.
Pete Randall
Outstanding Contributor
Solution

Re: which file holds passwd expiry default info for new user accounts?

Jim,

How about going into SAM and modifying the existing policy, then examining the SAM log to find the file that gets modified?


Pete
Jim Wallace
Frequent Advisor

Re: which file holds passwd expiry default info for new user accounts?

Thanks for the super-fast reply.
I couldn't see anything in the sam log to suggest which file it was - it only seems to record the fact that I've changed it.
Regards,
"Jim"
AwadheshPandey
Honored Contributor

Re: which file holds passwd expiry default info for new user accounts?

man passwd
The file is /etc/default/security
man security
You need to create/edit the file (see below)

The passwd -x option can be used to override this value
for a specific user.

PASSWORD_MAXDAYS=N A new password is valid for up to
N days, after which the password must be changed.

Default value: PASSWORD_MAXDAYS=-1 password aging is
turned off.

PASSWORD_MINDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default minimum number of days
before a password can be changed. This parameter
applies only to local users and does not apply to
trusted systems. The passwd -n option can be used to
override this value for a specific user.

PASSWORD_MINDAYS=N A new password cannot be changed
until at least N days since it was last changed.

Default value: PASSWORD_MINDAYS=0

PASSWORD_WARNDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default number of days before
password expiration that a user is to be warned that
the password must be changed. This parameter applies
only to local users on Shadow Password systems. The
passwd -w option can be used to override this value for
a specific user.

PASSWORD_WARNDAYS=N Users are warned N days before
their password expires.

Default value: PASSWORD_WARNDAYS=0 (no warning)
It's kind of fun to do the impossible
Robert-Jan Goossens_1
Honored Contributor

Re: which file holds passwd expiry default info for new user accounts?

Hi Jim,

In the /etc/passwd file.

Have a look at this doc.

Title: How does password aging on non-trusted systems work?
Document ID: emr_na-c00904837-4
Last Modified Date: Fri Mar 23 06:00:00 CET 2007

http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00904837-4

Regards,
Robert-Jan
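
On a non-trusted system, the aging data mentioned in the reply above sits in the password field of /etc/passwd: after a comma, the first character is the maximum age in weeks and the second the minimum, using the 64-character set ./0-9A-Za-z described in passwd(4). The script below is an added example, not part of the original thread, that decodes those two characters for an audit; the sample entries, the function names and the 52-week limit argument are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the password-aging suffix in passwd-format lines.
# The entries below are constructed sample data, not taken from a real system.
sample_passwd() {
cat <<'EOF'
root:XXXXXXXXXXXXX:0:3::/:/sbin/sh
paul:XXXXXXXXXXXXX,o.:101:20::/home/paul:/usr/bin/sh
temp:XXXXXXXXXXXXX,..:102:20::/home/temp:/usr/bin/sh
old:XXXXXXXXXXXXX,z/Y7:103:20::/home/old:/usr/bin/sh
bad:XXXXXXXXXXXXX,!!:104:20::/home/bad:/usr/bin/sh
EOF
}

# aging_report LIMIT_WEEKS  (reads passwd-format lines on stdin)
# Prints one line per account: aging off, decoded max/min weeks, or a flag.
aging_report() {
    awk -F: -v limit="${1:-52}" '
    # Map one character of the 64-character set to its value 0..63 (-1 if invalid).
    function val(c) { return index(set, c) - 1 }
    BEGIN { set = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" }
    {
        n = index($2, ",")
        # No comma, or nothing after it: no aging information for this account.
        if (n == 0 || n == length($2)) { print $1, "aging=off"; next }
        age = substr($2, n + 1)
        max = val(substr(age, 1, 1))
        min = (length(age) >= 2) ? val(substr(age, 2, 1)) : 0
        if (max < 0 || min < 0)   { print $1, "malformed-age-field"; next }
        # Special cases documented in passwd(4).
        if (max == 0 && min == 0) { print $1, "force-change-at-next-login"; next }
        if (min > max)            { print $1, "only-superuser-can-change"; next }
        status = (max > limit) ? "exceeds-policy" : "ok"
        print $1, "max=" max "w", "min=" min "w", status
    }'
}

# Demonstration on the constructed sample, auditing against a 52-week maximum.
sample_passwd | aging_report 52
```

On a live system, feed it the real file instead of the sample: `aging_report 52 < /etc/passwd`.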
Jim Wallace
Frequent Advisor

Re: which file holds passwd expiry default info for new user accounts?

Once again - the fast responses are very much appreciated!

Part of the issue I think is that, having applied a profile to creating new users, and having created one, I can see in the /etc/passwd file that it now has the extra few characters to indicate password ageing is active - but - even though I have an /etc/default/security file, no entry has been added to it to indicate password expiry settings (if this makes sense to any of you).

I'll go and try removing the SAM template for password expiry, adding the suggested variable to the security file, then creating a test user again.
Jim Wallace
Frequent Advisor

Re: which file holds passwd expiry default info for new user accounts?

The entry in the security file is ignored (I suspect this is due to this NOT being in a trusted system state).

The sam log does record my creating a new profile (which includes passwd expiry setting), but (shame!) doesn't actually tell me where it hides this information.

Hey-ho!
Jim Wallace
Frequent Advisor

Re: which file holds passwd expiry default info for new user accounts?

This is what the sam log is showing;

Entering Task Manager with task UG_ADD_TEMPLATE.
@!@2@1190894716@0
Performing task "Add New User Template".
@!@1@1190894716@0
Saving user templates to disk.
@!@8@1190894716@0
Entering Task Manager with task UG_SAVE_TEMPLATES.
@!@2@1190894716@0
Performing task "Save User Templates".
@!@8@1190894716@0
Exiting Task Manager with task UG_SAVE_TEMPLATES.
@!@1@1190894716@0
Successfully saved user templates to disk.
@!@8@1190894716@0
Exiting Task Manager with task UG_ADD_TEMPLATE.
@!@1@1190894716@0
Successfully added new user template "paul".
Jim Wallace
Frequent Advisor

Re: which file holds passwd expiry default info for new user accounts?

Thanks again everyone ... I'm going to go assign you all points and close the thread down ... I've emailed my customer to advise that they should move to a trusted system state if they want better security and control over user accounts.
Jim Wallace
Frequent Advisor

Re: which file holds passwd expiry default info for new user accounts?

Thanks all.