System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

How to disable password expiration on single account for trusted system.

SOLVED
Go to solution
Narendra Uttekar
Regular Advisor

How to disable password expiration on single account for trusted system.

Dear All,
Is it possible to disable password expiration on single account for trusted system.
7 REPLIES
Jeeshan
Honored Contributor

Re: How to disable password expiration on single account for trusted system.

Hi Narendra

Yes, you do it by SAM.

go to SAM
-> Accounts for Users and Groups
->
a warrior never quits
Steven E. Protter
Exalted Contributor

Re: How to disable password expiration on single account for trusted system.

Shalom,

As noted SAM is the quick way to do this.

Note that you could have scripts around that are impacting this user. Go through the user properties carefully and make sure aging is disabled.

I had an account like this that kept expiring at my last job. It was my department heads account and he did not find it the least bit amuzing the third time he expired after not using the account.

Check the acccount a week or two after changing it to make sure aging has not been turned back on.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
F Verschuren
Esteemed Contributor
Solution

Re: How to disable password expiration on single account for trusted system.

on the comand line:
/usr/lbin/modprpw -l -m mintm=0,exptm=0,expwarn=0,lftm=0 [username]
ofcause you can pick one ore more options:

I will post the manpage because it is not on all systems:

modprpw(1M) modprpw(1M)

NAME
modprpw - modify protected password database

SYNOPSIS
modprpw [-E|-V] [-l|-n [domain]]

modprpw [-x] [-l|-n [domain]] username

modprpw [-A|-e|-v|-k] [-m field=value,... ] [-l|-n [domain]] username

DESCRIPTION
modprpw updates the user's protected password database settings. This
command is available only to the superuser in a trusted system.

Usage other than via SAM, and/or modifications out of sync with
/etc/passwd or NIS+ tables, may result in serious database corruption
and the inability to access the system.

All updated values may be verified using getprpw(1M).

The database contains information for both local and NIS+ users.
However, some NIS+ information is kept on the master. Since a user
may be both local and NIS+, modprpw uses the nsswitch.conf(4) default
if neither -l nor -n are specified.

Options
modprpw sets user's parameters as defined by the options specified.
At least one option is required. If a field is not specified in the
option then its value remains unchanged in the database.

modprpw recognizes the following options...

-A To add a new user entry and to return a random password which the
new user must use to login the first time. This entry has to be
created with the given username and the -m uid=value.

Error is returned if the user already exists.

May be combined with one of the -l or -n options. It also adds
entries to the NIS+ tables, if -n is specified.

Unlike useradd(1M), it does not create nor populate the home
directory, and it does not update /etc/passwd.

-E This option is specified WITHOUT a user name to expire all user's
passwords. It goes through the protected password database and
zeroes the successful change time of all users. The result is
all users will need to enter a new password at their next login.

May be combined with one of -l or -n options.

Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003

modprpw(1M) modprpw(1M)

-e This option is specified with a user name to expire the specified
user's password. It zeroes the successful change time.

May be combined with options -l, -m, -n.

-k To unlock/enable a user's account that has become disabled,
except when the lock is due to a missing password or * password.

May be combined with options -l, -m, -n.

-l This option specifies to modify data for a local user. It cannot
be specified with the -n option. This option must be specified
with other options.

-m Modify the database field to the specified value and/or resets
locks. Valid with one of -A, -e, -v, -k options; and one of -l,
-n options.

A list of database fields may be used with comma as a delimiter.
An "invalid-opt" is printed, and processing terminates, if a list
of database fields passed to -m contains an invalid database
field.

Boolean values are specified as YES, NO, or DFT for system
default values (/tcb/files/auth/system/default). Numeric values
are specified as positive numbers, 0, or -1. If the value -1 is
specified, the numeric value in the database is removed, allowing
the system default value to be used. Time values are specified
in days, although the database keeps them in seconds.

No aging is present if the following 4 database parameters are
all zero: u_minchg, u_exp, u_life, u_pw_expire_warning.

Unless specified by n/a, all database fields can be set. They
are listed below in the order shown in prot.h. The database
fields are fully explained in prpwd(4).

FIELD=VALUE DATABASE FIELD

n/a database u_name.

uid=value database u_id.

Set the uid of the user. No sanity checking
is done on this value.

n/a database u_pwd.

n/a database u_owner.

Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003

modprpw(1M) modprpw(1M)

bootpw=value database u_bootauth.

Set boot authorization privilege, YES/NO/DFT.
NO removes it from the user file.

audid=value database u_auditid.

Set audit id. Automatically limited not to
exceed the next available id.

audflg=value database u_auditflag.

Set audit flag.

mintm=value database u_minchg=(value*86400).

Set the minimum time interval between
password changes (days). 0 = none. Same as
non-trusted mode minimum time.

maxpwln=value database u_maxlen.

Set the maximum password length for system
generated passwords.

exptm=value database u_exp=(value*86400).

Set password expiration time interval (days).
0 = expired. Same as non-trusted mode
maximum time.

lftm=value database u_life.

Set password life time interval (days). 0 =
infinite.

n/a database u_succhg.

Modified by options e, E, v, V, maybe k.

n/a database u_unsucchg.

acctexp=value database u_acct_expire=(value*86400+now).

Set account expiration time interval (days).
This interval is added to "now" to form the
value in the database (database 0 = no
expiration).

llog=value database u_llogin.

Hewlett-Packard Company - 3 - HP-UX 11i Version 2: August 2003

modprpw(1M) modprpw(1M)

Set the last login time interval (days).
Used with u_succlog.

expwarn=value database u_pw_expire_warning=(value*86400).

Set password expiration warning time interval
(days). 0 = none.

n/a database u_pswduser. Obsoleted field.

usrpick=value database u_pickpw.

Set whether User Picks Password, YES/NO/DFT.

syspnpw=value database u_genpwd.

Set whether system generates pronounceable
passwords, YES/NO/DFT.

rstrpw=value database u_restrict.

Set if generated password is restricted,
YES/NO/DFT. If YES, password will be checked
for triviality.

nullpw=value database u_nullpw.

Set whether null passwords are allowed,
YES/NO/DFT. YES is not recommended!

n/a database u_pwchanger. Obsolescent field.

admnum=value database u_pw_admin_num. Obsoleted field.

syschpw=value database u_genchars.

Set whether system generates passwords having
characters only, YES/NO/DFT.

sysltpw=value database u_genletters.

Set whether system generates passwords having
letters only, YES/NO/DFT.

timeod=value database u_tod.

Set the time-of-day allowed for login.

The format is:

Hewlett-Packard Company - 4 - HP-UX 11i Version 2: August 2003

modprpw(1M) modprpw(1M)

key0Starttime-Endtime,
key1Starttime-Endtime,...
keynStarttime-Endtime

Where key has the following values:
Mo - Monday
Tu - Tuesday
We - Wednesday
Th - Thursday
Fr - Friday
Sa - Saturday
Su - Sunday
Any - everyday
Wk - Monday -> Friday

and Starttime and Endtime are in military
format: HHMM, where:
00 <= HH <= 23, and 00 <= MM <= 59.

n/a database u_suclog.

n/a database u_unsuclog.

n/a database u_suctty.

n/a database u_numunsuclog.

n/a database u_unsuctty.

umaxlntr=value database u_maxtries.

Set Maximum Unsuccessful Login tries allowed.
0 = infinite.

alock=value database u_lock.

Set the administrator lock, YES/NO/DFT.

-n Can be specified with or without domain name; i.e., -n [domain].
If -n [domain] is specified, modifies data for the NIS+ user.
The domain name must be fully qualified, with a terminating
period. If domain name is not specified, the local domain will
be used.

It cannot be specified with the -l option. This option must be
specified with other options.

-V This option is specified WITHOUT a user name to
"validate/refresh" all user's passwords. It goes through the
protected password database and sets the successful change time
to the current time for all users. The result is that all user's

Hewlett-Packard Company - 5 - HP-UX 11i Version 2: August 2003

modprpw(1M) modprpw(1M)

password aging restarts at the current time.

May be combined with one of -l or -n options.

-v This option is specified with a user name to "validate/refresh"
the specified user's password. It sets the successful change
time to the current time.

May be combined with options -l, -m, -n.

-x Delete the user's password and return a random password that the
user must later supply to the login process to login and pick a
new password. Not valid for root. Also resets locks.

May be combined with one of -l or -n options.

RETURN VALUE
0 Success.
1 User not privileged.
2 Incorrect usage.
3 Can not find the entry or file.
4 Can not change the entry.
5 Not a Trusted System.
6 Not a NIS+ user.

EXAMPLES
Set the Minimum time between password changes to 12 (days), set the
System generates pronounceable password flag to NO, and set the System
generates password having characters only flag to YES.

modprpw -m mintm=12,syspnpw=NO,syschpw=YES someusr

The following example is to restrict the times that user joeblow can
get on the system on Mondays and Fridays to 5PM-9PM, and Sundays from
5AM-9AM. Other days are not restricted.

modprpw -m timeod=Mo1700-2100,Fr1700-2100,Su0500-0900 joeblow

WARNINGS
This command is intended for SAM use only. It may change with each
release and can not be guaranteed to be backward compatible.

Several database fields interact with others. Side effects may not be
apparent until much later.

Special meanings may apply in the following cases:

+ an absent field,
+ a field without a value,
+ a field with a zero value.

Hewlett-Packard Company - 6 - HP-UX 11i Version 2: August 2003

modprpw(1M) modprpw(1M)

Very little, if any checking is done to see if values are valid. It
is the user's responsibility to range check values.

FILES
/etc/passwd System Password file
/tcb/files/auth/*/* Protected Password Database
/tcb/files/auth/system/default System Defaults Database

AUTHOR
modprpw was developed by HP.

SEE ALSO
getprpw(1M), prpwd(4), nsswitch.conf(4).

Hewlett-Packard Company - 7 - HP-UX 11i Version 2: August 2003
Dennis Handly
Acclaimed Contributor

Re: How to disable password expiration on single account for trusted system.

>F Verschuren: I will post the manpage because it is not on all systems: modprpw(1M)

No need to do this, unless you are annotating it. Just provide a link:
http://docs.hp.com/en/B2355-60130/modprpw.1M.html
F Verschuren
Esteemed Contributor

Re: How to disable password expiration on single account for trusted system.

that is indeet better, i was not able to find it online....
sandeep mathur
Respected Contributor

Re: How to disable password expiration on single account for trusted system.

go to SAM
-> Accounts for Users and Groups
->
Narendra Uttekar
Regular Advisor

Re: How to disable password expiration on single account for trusted system.

Thanks for the solution.