Operating System - HP-UX
1748181 Members
4093 Online
108759 Solutions
New Discussion юеВ

Re: Politics user problem

 
SOLVED
Go to solution
Eli Daniel
Super Advisor

Politics user problem

I have a problem with a policy server.

User policy exists that the user's password expires every 3 months
I need to exclude a patron of that policy
Where can I find the documentation, the steps to perform this task
17 REPLIES 17
Patrick Wallek
Honored Contributor
Solution

Re: Politics user problem

You got to love the "the policy applies to everyone except me" types.

This can be set through SAM by selecting the user and modifying the security policies for that user.

This could also be done from the command line with the modprpw command.

/usr/lbin/modprpw -m exptime=180 user-id

Where the number after exptime is the number of days before the password expires.

See the modprpw man page for more information.
Michael Steele_2
Honored Contributor

Re: Politics user problem

Hi

I would also use same for all user administration. Its much faster and reliable and you've got other more important things to do than waste an hour figureing out usermod arguements..
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: Politics user problem

Oops. Typo. Should read..."I would also use SAM..."
Support Fatherhood - Stop Family Law
Steven E. Protter
Exalted Contributor

Re: Politics user problem

Shalom,

sam and its successor smh have an interface that lets you mark a user password never to expire.

There is a similar option on Windows domain controllers, and LDAP systems released by Red Hat.

This is however an exception to security guidelines and can cause you to fail a security audit.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven Schweda
Honored Contributor

Re: Politics user problem

> This is however an exception to security
> guidelines and can cause you to fail a
> security audit.

Of course, if the principal outcome of
requiring users to change passwords
frequently is users posting their passwords
in their work areas using sticky notes, then
creating an exception for every user may
provide better security, auditors (and policy
makers) notwithstanding.
Steven E. Protter
Exalted Contributor

Re: Politics user problem

Personally, I think if a user can not remember a password and needs to use a postit note, thats a problem.

Data security is a serious issue in Corporate America and all over the globe.

Users should be able to use words in combination with numbers to create something memorable. If so, there should be no reason to write them down.

The exception two jobs ago was the organization president. I've dealt with these issues. Passwords are important enough that some time should be spent to remember them.

Everybody should have to change them periodically.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Eli Daniel
Super Advisor

Re: Politics user problem

really is an application service, the service sends information through a user, but there is a policy that every 3 months, users have to change the password.
The recommended option is to go to sam and deselect "password aging policies"
Michael Steele_2
Honored Contributor

Re: Politics user problem

Hi

What application please. PowerBroker?
Support Fatherhood - Stop Family Law
John Donovan
Regular Advisor

Re: Politics user problem

Looks like you have the "workaround", but I'm compelled to emphasize what others have written.

No user account should be have password expiration of less than 90 days. We have a wide variety of users. Most log in daily, while others log in anywhere from weekly to annually. Our policy is the same for all.

After 90 days of no activity, the account is locked. After an additional 30 days, the account is deleted. After this, a new user account must be requested.

NOTE: This is explained to every user and supported by mgmt. So, the users that don't log in after 120+ days know they must re-apply. Normally, they get the same login.

Application accounts are either locked or the password is maintained by sys admin staff. For those, we change the password every 90 days regardless if used or not.

Users that actually need access to an application account are provided sudo access. For example, all sys admin's use sudo for root commands and dba's for oracle commands.

Critical logins, including sys admins, root, oracle accounts are monitored for changes.

Of course, we have an exception request for those very, very rare occasions. We don't want to prevent anyone from doing there job, but any exceptions must be documented, validated, and approved by upper mgmt.

Hope this helps...
:-)
"I have not failed. I've just found 10,000 ways that won't work." - Thomas Edison