cancel
Showing results for 
Search instead for 
Did you mean: 

Politics user problem

SOLVED
Go to solution
Eli Daniel
Super Advisor

Politics user problem

I have a problem with a policy server.

User policy exists that the user's password expires every 3 months
I need to exclude a patron of that policy
Where can I find the documentation, the steps to perform this task
17 REPLIES
Patrick Wallek
Honored Contributor
Solution

Re: Politics user problem

You got to love the "the policy applies to everyone except me" types.

This can be set through SAM by selecting the user and modifying the security policies for that user.

This could also be done from the command line with the modprpw command.

/usr/lbin/modprpw -m exptime=180 user-id

Where the number after exptime is the number of days before the password expires.

See the modprpw man page for more information.
Michael Steele_2
Honored Contributor

Re: Politics user problem

Hi

I would also use same for all user administration. Its much faster and reliable and you've got other more important things to do than waste an hour figureing out usermod arguements..
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: Politics user problem

Oops. Typo. Should read..."I would also use SAM..."
Support Fatherhood - Stop Family Law
Steven E. Protter
Exalted Contributor

Re: Politics user problem

Shalom,

sam and its successor smh have an interface that lets you mark a user password never to expire.

There is a similar option on Windows domain controllers, and LDAP systems released by Red Hat.

This is however an exception to security guidelines and can cause you to fail a security audit.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven Schweda
Honored Contributor

Re: Politics user problem

> This is however an exception to security
> guidelines and can cause you to fail a
> security audit.

Of course, if the principal outcome of
requiring users to change passwords
frequently is users posting their passwords
in their work areas using sticky notes, then
creating an exception for every user may
provide better security, auditors (and policy
makers) notwithstanding.
Steven E. Protter
Exalted Contributor

Re: Politics user problem

Personally, I think if a user can not remember a password and needs to use a postit note, thats a problem.

Data security is a serious issue in Corporate America and all over the globe.

Users should be able to use words in combination with numbers to create something memorable. If so, there should be no reason to write them down.

The exception two jobs ago was the organization president. I've dealt with these issues. Passwords are important enough that some time should be spent to remember them.

Everybody should have to change them periodically.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Eli Daniel
Super Advisor

Re: Politics user problem

really is an application service, the service sends information through a user, but there is a policy that every 3 months, users have to change the password.
The recommended option is to go to sam and deselect "password aging policies"
Michael Steele_2
Honored Contributor

Re: Politics user problem

Hi

What application please. PowerBroker?
Support Fatherhood - Stop Family Law
John Donovan
Regular Advisor

Re: Politics user problem

Looks like you have the "workaround", but I'm compelled to emphasize what others have written.

No user account should be have password expiration of less than 90 days. We have a wide variety of users. Most log in daily, while others log in anywhere from weekly to annually. Our policy is the same for all.

After 90 days of no activity, the account is locked. After an additional 30 days, the account is deleted. After this, a new user account must be requested.

NOTE: This is explained to every user and supported by mgmt. So, the users that don't log in after 120+ days know they must re-apply. Normally, they get the same login.

Application accounts are either locked or the password is maintained by sys admin staff. For those, we change the password every 90 days regardless if used or not.

Users that actually need access to an application account are provided sudo access. For example, all sys admin's use sudo for root commands and dba's for oracle commands.

Critical logins, including sys admins, root, oracle accounts are monitored for changes.

Of course, we have an exception request for those very, very rare occasions. We don't want to prevent anyone from doing there job, but any exceptions must be documented, validated, and approved by upper mgmt.

Hope this helps...
:-)
"I have not failed. I've just found 10,000 ways that won't work." - Thomas Edison
Steven Schweda
Honored Contributor

Re: Politics user problem

> Users should be able to use words in
> combination with numbers to create
> something memorable.

I agree. However, few people these days have
only one password to remember, and
remembering many good passwords may be more
difficult than remembering one. Every
organization gets to set its own policy, but
choosing an optimal password lifetime is, I
claim, not a trivial problem.

Everything's complicated.
Nick W
Frequent Advisor

Re: Politics user problem

re users having to remember multiple passwords & sticky notes...

One solution is for users to use a Password Vault Application - I use KeePass, which also has approval by my IT organisation.

Main Advantage is that users can then apply more rigorous passwords for individual accounts, which can then be made unique - so should a password ever be compromised/discovered, then the damage limitation can be more effective (alternative scenario is that a very few passwords are used all over - which increases the risk for damage in the event of compromise/password discovery...)

Hope it helps

Nick 'dubya'
Eli Daniel
Super Advisor

Re: Politics user problem

The option SAM "Modify Security Policies..." "Password Aging Policies.."


if this disable, the password never expire?


Note: view attachment

Patrick Wallek
Honored Contributor

Re: Politics user problem

Correct.
Eli Daniel
Super Advisor

Re: Politics user problem

patrick one last question, according to the attachment as it is the actual expiration time of this password 90 days or 180 days? I do not understand these options attachment
Vishu
Trusted Contributor

Re: Politics user problem

Hi Eli,

90 days refers that your password will get expired after 90 days and 180 days in your attachment says that even if you dont change your password after your password expiration time for another 90 days i.e. total of 180 days, your user account will get locked.
Eli Daniel
Super Advisor

Re: Politics user problem

So this would be a bad practice?
Time Between Password Changes (days): 1
Password Expiration Time (days): 90
Password Expiration Warning Time (days): 7
Password Life Time (days): 180


the best practice should be:
Time Between Password Changes (days): 1
Password Expiration Time (days): 90
Password Expiration Warning Time (days): 7
Password Life Time (days): 90
this is correct?
I need is to force the user to change their password after 90 days
(with the single-user exepcion)
Eli Daniel
Super Advisor

Re: Politics user problem

Thanks