HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Need clarification for some output fo "passwd" command.

 
SOLVED
Go to solution
senthil_kumar_1
Super Advisor

Need clarification for some output fo "passwd" command.

Hi

I am using HP-UX 10.20, 11.00, and 11.11.


My outputs:

A)

A-1) root@lgapps:/root > passwd -s tanney
tanney PS 05/28/09 14 28

A-2) root@lgapps:/root > passwd -s ze4egi
ze4egi PS

Questions:

why there is difference between the output of A-1 and A-2.

A-1 is showing something like "05/28/09 14 28 ", pls explain about this.

Why A-2 is not displaying anything like A-1.


B)

B-1)root@lgapps:/root > date
Mon Jun 22 08:39:01 CDT 2009

B-2)root@lgapps:/root> passwd -l rtanney

B-3)root@lgapps:/root > passwd -s rtanney
rtanney LK 06/18/09 14 28

Questions:

Actually i locked the account "rtanney" on "Mon Jun 22 08:39:01 CDT 2009". but in B-3 it is showing like "06/18/09".

pls explain

Questions:



25 REPLIES
OldSchool
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

had you checked the man page, you would have found the following:

"-s name
Display some password attributes associated with the specified name. Superuser privilege and non-trusted mode is required if the files repository is specified. For nisplus, there are no restrictions.

The format of the display will be:

name status mm/dd/yy min max warn

or, if password aging information is not present

name status

where status PS=passworded; LK=locked; and NP=no password."

===========================================================

RE: A-1 and A-2:

ex. A-1 has been set up with password aging, while ex A-2 doesn't have the same. I believe the 5/28/09 date in A-1 is the date the password was last set or changed, while the "14" refers to the minimum #days that must elapse before the password can be changed, and the "28" refers to the maximum #days between changes.


RE: B-3
as above, the "date" refers to the date the password was last changed, not the date the account was locked. You might run "last rtanney" to verify the account was accessed on that date.

Depending (I believe) on OS level and patching, the password aging features may or may not be enabled, or at least not by using /etc/security file (10.20 / 11.0 might be an issue)

Sunny123_1
Esteemed Contributor

Re: Need clarification for some output fo "passwd" command.

Hi

With reference to man page

-s name = Display some password attributes associated with the
specified name.Superuser privilege and non-trusted mode is required if the files repository is specified.For nisplus, there are no restrictions.


And in B-3 it shows LK means it is lock.

Regards
Sunny
Pete Randall
Outstanding Contributor

Re: Need clarification for some output fo "passwd" command.

You do have man pages on your systems, don't you? You might want to try reading them.


Pete

Pete
OldSchool
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

For your future reference, even if you don't have the man-pages installed, they are available here for 11iv1, v2 and v3:

http://docs.hp.com/en/hpuxman_pages.html


for 10.x and 11.0, see:

http://docs.hp.com/en/archive.html#HP-UX%20Reference%20%28Manpages%29
senthil_kumar_1
Super Advisor

Re: Need clarification for some output fo "passwd" command.

Hi All,

How to set the aging policies for the users already created and new users.


OldSchool
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

"How to set the aging policies for the users already created and new users."


For users already created, consult the previously noted "man" page(s) for "passwd".

To have the system default those values for new users, you might consult the docs referenced your other thread about this same subject in the following thread:

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1245802763210+28353475&threadId=1328224

in particular, see the links provided by S.E.P. in the above,

you really need to start:

1) reading responses
2) reading the "man" pages
3) if necessary, start taking notes

Md. Farhan A Azam
Trusted Contributor

Re: Need clarification for some output fo "passwd" command.

Hi Senthil,

How to set the aging policies for the users already created and new users.
>> In HP-UX 11.11 folow the below steps to configure aging.

sam -> Auditing & Security -> System Securities Policies (It will ask you to convert the system in trusted mode if not in trusted mode)-> Yes -> It will show you (Successfully converted to trusted mode. Press Ok to continue) ->Ok ->Password Aging Policies -> Here Enable the Policy and configure as per your requirement.

OR

You may configure in /etc/default/security file also.


#vi /etc/default/security


PASSWORD_MAXDAYS=
PASSWORD_MINDAYS=
PASSWORD_WARNDAYS=



Hope it will help you.


thnx...farhan
Ganesan R
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

Hi,

You can set account and password policies using /etc/default/security file.

read this.. or man security
http://docs.hp.com/en/B3921-60631/security.4.html

Another way, convert the system to trusted one. You can set many policies in trusted system.
Best wishes,

Ganesh.
Steven E. Protter
Exalted Contributor

Re: Need clarification for some output fo "passwd" command.

Shalom,

On a simple, most basic level for 11.11 and 11.23 password policy can be set for the system with sam. I'm sure sam's replacement will do the same thing in 11.31.

What that does is set policy in /etc/default/security . Using sam to learn how these settings work is a reasonable path to take.

If you want better output on your original question, try passwd -sa

That provides a slightly more detailed display. The variations you see are based on when the passwd command was written. It is reasonable to expect improvements with newer versions of HP-UX.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Suraj K Sankari
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

Hi,
>>How to set the aging policies for the users already created and new users.

see the example below
For new user
# useradd â o -u 101 \ # UID
-g users \ # primary group
-G class,training \ # secondary groups
-c â student userâ \ # comment field
â m â d /home/user1 \ # make a home directory for the user
â s /usr/bin/sh \ # default shell
-e 1/2/2006 \ # define an account expiration date
user1 # username

For existing user
usermod â e 1/2/2006 user1 # change the userâ s account expiration

Suraj
Suraj K Sankari
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

Hi Again,
I am posting again because of garbage character.

>>How to set the aging policies for the users already created and new users.

see the example below
For new user
# useradd -o -u 101 \ # UID
-g users \ # primary group
-G class,training \ # secondary groups
-c "student user" \ # comment field
-m -d /home/user1 \ # make a home directory for the user
-s /usr/bin/sh \ # default shell
-e 1/2/2006 \ # define an account expiration date
user1 # username

For existing user
usermod -e 1/2/2006 user1 # change the user1's account expiration

Suraj
Sunny123_1
Esteemed Contributor

Re: Need clarification for some output fo "passwd" command.

Hi

Lookout for /et/default/security file.

http://www.docs.hp.com/en/B2355-60103/security.4.html


Regards
Sunny
senthil_kumar_1
Super Advisor

Re: Need clarification for some output fo "passwd" command.

Hi All,


Actually my server (HP-UX 11.00) is in standard mode.

But i am able to see some aging policies for some users and not for some users, is it possible.

Ex:

root@lgapps:/etc/default > passwd -s rtanney
rtanney LK 06/18/09 14 28


root@lgapps:/etc/default > passwd -s ze4egi
ze4egi PS


Pls explain me the difference.

Ganesan R
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

Hi Senthil,

The two letter comes just after user name says the status of the account, where possible status are
PS=passworded;
LK=locked; and
NP=no password.

Other parameter indicates the account/password aging details.
Best wishes,

Ganesh.
Sunny123_1
Esteemed Contributor

Re: Need clarification for some output fo "passwd" command.

Hi Senthil

The date is the date the password was last set or changed,the "14" refers to the minimum days that must elapse before the password can be changed, and the "28" refers to the maximum days between changes.


Regards
Sunny
Steven E. Protter
Exalted Contributor

Re: Need clarification for some output fo "passwd" command.

Shalom,

For 11.00 the passwd -sa program is less advanced, as you already know.

The /etc/default/security implementation is possible though maybe not with sam.

Try a man page on /etc/default/security if you need more details.

This should be something we can get done.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
senthil_kumar_1
Super Advisor

Re: Need clarification for some output fo "passwd" command.

Hi All,

What am asking is that why it showing aging policies for "rtanney" and not for "ze4egi", since my system is in standard mode (but not in trusted mode.).


Pls explain me.

Solution

Re: Need clarification for some output fo "passwd" command.

>why it showing aging policies for "rtanney" and not for "ze4egi", since my system is in standard mode

In standard mode, you can have password aging established. See passwd(4):
Password aging is put in effect for a particular user if his encrypted password in the password file is followed by a comma and a non-null string of characters ...

So what do the passwd entries look like for "rtanney" and ze4egi"?
Suraj K Sankari
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

Hi,

Please provide the output of below commands
#passwd -s -a tanney and
#passwd -s -a ze4egi

From the man page of passwd I got this

-s [-a] Display password attributes for all users in the password file. The -a option must be used in conjunction with the -s option when no name is specified. For nisplus, this will display entries in the NIS+ passwd table in the local domain. For files, this is restricted to superuser.

Suraj
OldSchool
Honored Contributor

Re: Need clarification for some output fo "passwd" command.

"What am asking is that why it showing aging policies for "rtanney" and not for "ze4egi", since my system is in standard mode (but not in trusted mode.).


Pls explain me."

because, at least from 11.0 on up (and possibly even earlier versions), password aging doesn't require a trusted system.

Password history, and various construction requirements (min length, how many of what characters and so forth) required a patch at 11.0 if I remember correctly.

don't recall about 11vX and up. Shadow password might be required, or trusted system.
senthil_kumar_1
Super Advisor

Re: Need clarification for some output fo "passwd" command.

Hi All,

I googled and got some information regarding password system.

1) standard password system:

It is a default system, Encrypted passwords are stored in "/etc/passwd".

2) Trusted password system:

Encrypted passwords are stored in "/tcb/files/auth".

on and before hpux 11.23 (11.v2)

To convert to trusted system:

# sam --> Auditing and Security ---> Convert to Trusted System ---> yes

3) Shadow password system:

Encrypted passwords are stored in /etc/shadow

From hpux 11.31.

To convert to shadow system.

# pwconv


My questions:

Are all above mentioned informations are correct?

Can we configure trusted system in HPUX 11.31?

What is the advantages and disadvantages between trusted system and shadow system.
Sunny123_1
Esteemed Contributor

Re: Need clarification for some output fo "passwd" command.

Hi

Yes you are correct for all 3 steps.You can also use command line to conert the system in trusted mode

To convert
# /usr/lbin/tsconvert
To unconvert
# /usr/lbin/tsconvert -r

Regards
Sunny
James R. Ferguson
Acclaimed Contributor

Re: Need clarification for some output fo "passwd" command.

Hi:

> Can we configure trusted system in HPUX 11.31?

You can, but why do that when 11.31 is stated to be the last release to support the TCB model !?!

Look at the "WARNINGS" section here:

http://docs.hp.com/en/B2355-60130/pwconv.1M.html

You would be far better off using the shadow password implementation and the new 11.31 security features:

http://docs.hp.com/en/5992-3387/index.html

Regards!

...JRF...

Steven E. Protter
Exalted Contributor

Re: Need clarification for some output fo "passwd" command.

Shalom,

Trusted system is orphaned technology. I personally really liked it and continue to use it on older systems.

Option three in your last post, Shadow password is more Linux like and a good option so that your current generation of systems is compatible with your next generation of systems.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com