
Password Life scripting -- modprpw

SOLVED
rmueller58
Valued Contributor

Password Life scripting -- modprpw

We are discussing the possibility of defining a password life of 90 days; currently the value is null. We have several school districts: our largest wants it, the others do not.

I want to work out the command for doing the district in question. I can get the users based on the HOMEDIR because we have segregated districts in this way:

/home/$DIST/$user

First question: what is the MODPRPW command to define password life?

Is it possible to read from a file containing those users in the districts in question?

such as

for uuname in `cat districtuser.txt`
do
/usr/lbin/modprpw -m mintm= $uuname
done

What is the commandline option for defining the mintm? I noticed in the man pages it is 86400? is that hours or minutes?

Anyone else have a method I'd appreciate the help..

5 REPLIES
James R. Ferguson
Acclaimed Contributor
Solution

Re: Password Life scripting -- modprpw

Hi:

The 'modprpw' command applies to trusted systems.

> What is the commandline option for defining the mintm? I noticed in the man pages it is 86400? is that hours or minutes?

According to the manpages, the values are in days, although the database retains them in seconds. The value 86400 = (60*60*24) or the number of seconds in one day.

To read input, you could do:

while read UUNAME X
do
/usr/lbin/modprpw -m mintm=90 ${UUNAME}
done < districtuser.txt

...This assumes that each line of the input file contains a whitespace delimited account name as the first (perhaps only) field.

Regards!

...JRF...
Ganesan R
Honored Contributor

Re: Password Life scripting -- modprpw

Hi,

A few updates along with James's reply. You can use the getprpw command to see the existing values for the user. There are two kinds of policies.

1. System level security policies. Applicable to all users.

2. User level security policies. Applicable to a specific user.

# /usr/lbin/getprpw test
uid=101, bootpw=NO, audid=13, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1,
.......

If the values for exptm, lftm, mintm, and expwarn are equal to -1, this means that the user is using the system security policy options defined in SAM. Looking at this example:

# /usr/lbin/getprpw test2
uid=102, bootpw=NO, audid=14, audflg=1, mintm=2, maxpwln=-1, exptm=30, lftm=50,
spwchg=Thu Nov 21 18:07:34 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=2, usrp
.......

User test2 is not using the system security options (values are not equal to -1): exptm=30, lftm=50, mintm=2, expwarn=2

Changing the system security options in SAM will not have an impact on this user (test2). But you can change user security options with SAM or from the command line.


These are the policies related to password aging.

Password Aging Policies
exptm ==> Password Expiration Time (days)
expwarn ==> Password Expiration Warning Time (days)
lftm ==> Password Life Time (days)
mintm ==> Time Between Password Changes (days)


So whatever you specify with modprpw will be in days.

Note that you need to set "exptm" for password expiration, not "mintm". "mintm" means that after "mintm" days the user can change the password again, to either a new password or back to the old password (Time Between Password Changes).


Hope this helps.
Best wishes,

Ganesh.
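
An added example (not written by any poster in this thread) that combines the two answers above: it parses getprpw output in the format Ganesan shows and prints, without running them, the modprpw commands needed to set exptm for each account in the list. The function names, the --demo switch and the fake_getprpw sample records are constructed for illustration; it assumes getprpw exits non-zero when it cannot return an entry.

```shell
#!/bin/sh
# Dry-run planner: shows which accounts would change before any modprpw is run.
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}   # overridable so the script can be tried off-box
MODPRPW=/usr/lbin/modprpw

# prpw_field FIELD: read "k=v, k=v, ..." text on stdin and print FIELD's value.
prpw_field() {
    awk -v k="$1" 'BEGIN { RS = "," }
        { gsub(/^[ \t\n]+|[ \t\n]+$/, ""); i = index($0, "=")
          if (i && substr($0, 1, i - 1) == k) { print substr($0, i + 1); exit } }'
}

# plan_exptm DAYS: read account names (first field per line) on stdin and print
# the modprpw command each one needs, or a comment when no change is needed.
plan_exptm() {
    days=$1
    while read -r uuname _rest; do
        case $uuname in ''|'#'*) continue ;; esac        # skip blanks and comments
        out=$("$GETPRPW" "$uuname" </dev/null 2>/dev/null) ||
            { echo "# skip $uuname: getprpw failed"; continue; }
        cur=$(printf '%s\n' "$out" | prpw_field exptm)
        case $cur in
            "$days") echo "# ok $uuname: exptm already $days" ;;
            -1)      echo "$MODPRPW -m exptm=$days $uuname   # was system default (-1)" ;;
            *)       echo "$MODPRPW -m exptm=$days $uuname   # was per-user value $cur" ;;
        esac
    done
}

# Constructed sample records: test and test2 follow the output quoted above,
# test3 is invented to show an account that already has the target value.
fake_getprpw() {
    case $1 in
        test)  echo "uid=101, bootpw=NO, audid=13, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1" ;;
        test2) echo "uid=102, bootpw=NO, audid=14, audflg=1, mintm=2, maxpwln=-1, exptm=30, lftm=50" ;;
        test3) echo "uid=103, bootpw=NO, audid=15, audflg=1, mintm=-1, maxpwln=-1, exptm=90, lftm=-1" ;;
        *)     return 1 ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    GETPRPW=fake_getprpw
    printf 'test\ntest2\ntest3\nnouser\n' | plan_exptm 90
fi
```

On the real system, `plan_exptm 90 < districtuser.txt` prints the plan for review; the printed lines can then be run once the list has been checked.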
rmueller58
Valued Contributor

Re: Password Life scripting -- modprpw

James,

Yes, I will have a user list with the userid on each line.

I would prefer to define it system wide, but we've got too many hands in the cookie jar. Since we are only a service provider for the district we've got to adjust on a district by district basis..

That helps a lot. I will also be defining each account to expire at the same time.

So if I do the script it should look like this correct? (ADDING the "-e")

To read input, you could do:

while read UUNAME X
do
/usr/lbin/modprpw -e -m mintm=90 ${UUNAME}
done < districtuser.txt
James R. Ferguson
Acclaimed Contributor

Re: Password Life scripting -- modprpw

Hi (again):

Regarding your last question of adding '-e' to the command to look like:

/usr/lbin/modprpw -e -m mintm=90 ${UUNAME}

...yes, according to the manpages that is legal.

Regards!

...JRF...
rmueller58
Valued Contributor

Re: Password Life scripting -- modprpw

Not sure why I didn't close this at the time.. Sorry.