- Re: Possible to enable SU password change?
01-27-2010 07:31 AM
On a system running HP-UX 11.31, we had the following list of security requests:
- Disable all remote login except SSH-based
- Permit ssh login to user accounts only, no generic
- Password aging of 120 days
The only possible way to execute commands as a generic account would be to su. The problem comes when the password expires: you can't su to that user without changing the password, and you can't log in as that specific user remotely.
What would be my options to allow user password changes without changing security settings? Is it possible?
01-27-2010 08:02 AM
Re: Possible to enable SU password change?
Just add the users which are allowed to remote login to the sudo users. Changing passwords will not affect sudo commands.
Hope it helps.
Cheers
- Thomas
01-27-2010 08:12 AM
Re: Possible to enable SU password change?
01-27-2010 10:39 AM
Re: Possible to enable SU password change?
??
If you "su" to a user, then that user can change its own passwd. The trick is that you have to do that *before* it expires.
Depending on your system, "passwd" or "modprpw" should be able to tell you which accounts are in need of any update. Of course, that then needs to be run on a regular basis.
If you allow that, you would then need to put in place some mechanism so that all users needing access to that account get the "new" password.
The "sudo" alternative is easier to manage once set up, as you only need *your* password, not that of the user you are trying to "su" to. Also, depending on your needs, it's fairly trivial to set up, plus it's downloadable.
There are other commercial systems that may work for this as well, like PowerKeeper and / or PowerBroker, but they can be costly and complex.
Given your situation, I think I'd install "sudo", unless you've some pressing reason not to.
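The regular check suggested in the post above, as an added example that is not part of the original thread: it flags accounts whose password will expire within a warning window, so the change can be made before su stops working. The record layout (`name:hash:lastchg:min:max`, with `lastchg` in days since 1970-01-01), the account names and the sample records are assumptions constructed for illustration; on a system that keeps aging data elsewhere, the same two numbers would have to come from its own tools.

```shell
#!/bin/sh
# Added example. All records below are constructed sample data.
# Assumed layout: name:hash:lastchg:min:max  (lastchg = days since 1970-01-01)

# expiring_accounts TODAY WARN
#   Reads records on stdin and prints "name days_left" for every account
#   whose password expires within WARN days. A negative days_left means the
#   password has already expired. TODAY is a day number since 1970-01-01.
#   Records without numeric lastchg/max fields (no aging set) are skipped.
expiring_accounts() {
    awk -F: -v today="$1" -v warn="$2" '
        /^#/ || NF < 5 { next }
        $3 !~ /^[0-9]+$/ || $5 !~ /^[0-9]+$/ { next }
        {
            left = ($3 + $5) - today
            if (left <= warn) print $1, left
        }'
}

# Constructed records using the 120-day maximum age from the question.
SAMPLE='appsvc:x:14550:0:120
batch:x:14630:0:120
dbadmin:x:14500:0:120
noaging:x::0:'

# 2010-01-27 is day 14636; warn 35 days ahead of expiry.
printf '%s\n' "$SAMPLE" | expiring_accounts 14636 35
```

Run from cron and mailed to the account owners, the output gives them time to su to the account and change the password while it is still valid.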
01-27-2010 10:48 AM
Re: Possible to enable SU password change?
"depending your system, "passwd" or "modprpw" should be able to tell you which accounts are in need of any update. Of course, that needs to then be run on regular basis."
I already thought about going in that area. It will probably be my solution.
sudo is not, because the users would get more rights than they actually need. I only want the user to be able to change the password before it expires, nothing else.
01-27-2010 11:23 AM
Solution
not necessarily.......
I'll admit it's been a while, but you *can* limit a sudo user (or group of users) to only allow the "password" command.
a) you should be able to only permit the "su" as well, and possibly only the "su - " as well, but I'm not all that up on the syntax of the sudoers file anymore.
b) once they've "transitioned" to the su'd id, they can do whatever that id allows, which may or may not be ok.
c) sudo should also allow them to run specific commands as a different (generic) user w/o requiring a password.
All depends on what you need and the set-up.
I know option "a" works, as I used to have it configured that way at a call center (10,000 users at 3 sites....). Somebody always needed a passwd unlocked, so I set up specific users to be able to run the password command (as root)...and that's all they could do via sudo
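A sudoers fragment showing how the restrictions discussed in this thread can be written, as an added example that is not part of the original posts. The group `appops` and the generic account `appsvc` are constructed names, and the paths assume `su` and `passwd` live in `/usr/bin`.

```sudoers
# Added example; "appops" and "appsvc" are constructed names.
# Edit with visudo so that a syntax error is caught before it is saved.

# Broad form, shown commented out: with no argument list, sudo accepts any
# arguments, so as root this permits changing every password, root's included.
# %appops ALL = (root) /usr/bin/passwd

# Option (a): permit only the switch to the generic account. Per (b),
# everything appsvc is allowed to do is then available to the group.
%appops ALL = (root) /usr/bin/su - appsvc

# Narrowest rule for the stated need: run passwd as appsvc with no
# arguments (the "" enforces that), so only appsvc's own password
# can be changed and no other command is granted.
%appops ALL = (appsvc) /usr/bin/passwd ""
```

With the last rule a group member runs `sudo -u appsvc /usr/bin/passwd`; because passwd is then running as the unprivileged account, it still asks for that account's current password before accepting a new one.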