MODPRPW password aging - redux..

 
rmueller58
Valued Contributor

MODPRPW password aging - redux..

All,

I have a school district I need to force a warning and day to expire, with a password life of 90 days.. I don't want to do force expire..

Can someone provide the
/usr/lbin/modprpw command to do that..

Say I want to force the expiration in 5 days with 5 days warning, and have then set the password life to 90..

My initial script is such
while read UUNAME X
do
/usr/lbin/modprpw -e -m exptm=120 ${UUNAME}
done < /tmp/esupass2.txt

If I use the -e it zeros time to change and locks the account. I believe I want to modify using the -l

Can someone provide insight, suggestions or methods? I'd appreciate it..

Rex
12 REPLIES
Tingli
Esteemed Contributor

Re: MODPRPW password aging - redux..

For a trust system, you can do it by editing file /etc/default/security.

For a normal system, you can use command:

passwd -m -x -n ... to set them up.
rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

Tingli,

I have to do it by users, I can't define it by system, because the system houses multiple districts with differing policies.

I need to do it with the modprpw command from a userlist for each district.

I wish I could do it systemwide, but the political climate varies from school to school..
OldSchool
Honored Contributor
Solution

Re: MODPRPW password aging - redux..

The two examples at the bottom of the man page seem to indicate that you may only need:

/usr/lbin/modprpw -m exptm=120 ${UUNAME}

as the -l makes the change for local user while -n is available for nis.

the examples show:
modprpw -m mintm=12,syspnpw=NO,syschpw=YES someusr
-and-
modprpw -m timeod=Mo1700-2100,Fr1700-2100,Su0500-0900 joeblow

both of which modify parms on existing users.

I can't test it, but you might try dummying up an account and give it a shot???



rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

Thanks OldSchool, I was trying to pass the -m multiple times, forgot about the ','
field1=var,field2=var

I don't want to expire now, I want to "warn" and expire in X days..

I am thinking it should look like this..

modprpw -m exptm=X,expwarn=Y username

rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

One quick final question

I am re-doing one of our districts to get on a 90 password life time.

I want to use the modprpw to do it.. My thought is using the following command to read a user list in from STDIN,

/usr/lbin/modprpw -e -m lftm=90,exptm=5,expwarn=5 ${UUNAME}
done < mpsuser.txt

My question is do I need the "exptm?" If I am forcing with a "-e" ?

exptm=value

database u_exp=(value*86400).

Set password expiration time interval (days). 0 = expired. Same as non-trusted mode maximum time.


Sajjad Sahir
Honored Contributor

Re: MODPRPW password aging - redux..

Dear Rex

If your system is trusted you can use modprpw and getprpw etc... this is available only in trusted system

thanks and regards

Sajjad Sahir
rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

Sajjad, yes we have a trusted system. My question remains:

My question is do I need the "exptm?" If I am forcing with a "-e" ?

OldSchool
Honored Contributor

Re: MODPRPW password aging - redux..

"/usr/lbin/modprpw -m lftm=90,exptm=5,expwarn=5 "

I doubt it. this appears to require the password change every 5 days, and you get five days warning...at 90 days, the account locks.

Assuming you want the users to change their passwords every 90 days and get warned 5 days before, something like:

/usr/lbin/modprpw -e -m exptm=90,expwarn=5

appears to be what you want.

the -e should force them to change their password the next time they attempt to login.
the exptm will require changes every 90 days going forward
the expwarn should give them 5 days notice
(however I've not tested this)
======================================================

"I want to use the modprpw to do it.. My thought is using the following command to read a user list in from STDIN,

/usr/lbin/modprpw -e -m lftm=90,exptm=5,expwarn=5 ${UUNAME}
done < mpsuser.txt"

uh...no. modprpw only wants one user name. you will have to write a little script that reads your file and loops, running modprpw once for each user read.

rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

Old School,

That is the ticket!!

I Want to force a change now, then at Day 85 of 90 I want to WARN users of the pending action again..

I do have a WHILE script written to cat the username into the command..

while read UUNAME X
do
/usr/lbin/modprpw -m exptm=90,expwarn=5 ${UUNAME}
done < mpsuser.txt


My question is do I need to set the EXPWARN at Day 85 (i.e. expwarn=85, or expwarn=5)


Your thoughts? Don't want an annoying Warning for 85 days.


OldSchool
Honored Contributor

Re: MODPRPW password aging - redux..

from "man 1m modprpw"
--------------------
expwarn=value
database u_pw_expire_warning=(value*86400).

Set password expiration warning time interval (days). 0 = none



-and-



from "man 4 prpwd"
------------------
u_pw_expire_warning:
This value, in seconds, is the time at which a warning will appear PRIOR TO THE EXPIRATION of the users password.



setting "expwarn=5" (as I pointed out before) will set the warning time to "5 days notice" (which is also what the relevant manual pages indicate). Setting it to 85 will start warning them 85 days prior.....
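
Added example, not part of the original thread and not HP's code: a more defensive version of the per-user loop discussed above, which checks the aging values and each user name before calling modprpw and only prints the commands unless told to apply them. The function names, the APPLY switch and the sample policy values are assumptions; the modprpw path and the exptm/expwarn fields are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): per-district password aging on an
# HP-UX trusted system. Dry-run by default; APPLY=1 runs modprpw for real.
# Usage: . ./age_users.sh; age_users mpsuser.txt 90 5
MODPRPW=/usr/lbin/modprpw   # path as used in the thread

# is_days VALUE: succeed only for a non-negative whole number of days
is_days() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# age_users USERLIST EXPTM EXPWARN   (helper name and arguments are assumptions)
# Prints, or with APPLY=1 runs, one modprpw call per valid user name.
# Returns 0 if every line was usable, 1 if any was skipped or failed,
# 2 if the policy values or the list file are unusable.
age_users() {
    list=$1 exptm=$2 expwarn=$3
    is_days "$exptm" && is_days "$expwarn" ||
        { echo "ERROR: exptm/expwarn must be whole days" >&2; return 2; }
    # expwarn counts days BEFORE expiry, so it must be shorter than exptm;
    # expwarn=5 with exptm=90 starts warning on day 85.
    [ "$expwarn" -lt "$exptm" ] ||
        { echo "ERROR: expwarn must be less than exptm" >&2; return 2; }
    [ -r "$list" ] || { echo "ERROR: cannot read $list" >&2; return 2; }
    rc=0
    while read -r uname rest; do
        case "$uname" in
            ''|'#'*) continue ;;              # blank line or comment
            -*|*[!A-Za-z0-9._-]*)             # would parse as an option, or odd characters
                echo "SKIP: invalid user name '$uname'" >&2
                rc=1; continue ;;
        esac
        if [ "${APPLY:-0}" = 1 ]; then
            # modprpw takes one user per call, so loop and record failures
            "$MODPRPW" -m "exptm=$exptm,expwarn=$expwarn" "$uname" || rc=1
        else
            echo "$MODPRPW -m exptm=$exptm,expwarn=$expwarn $uname"
        fi
    done < "$list"
    return $rc
}
```
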
rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

Thanks OS..

That answered the question..

Points assigned, issue closed.
rmueller58
Valued Contributor

Re: MODPRPW password aging - redux..

Thanks OS and others