HPE Community
Operating System - HP-UX
1752618 Members
4782 Online
108788 Solutions
New Discussion юеВ

Re: Possible to enable SU password change?

 
SOLVED
Go to solution
David P Lavoie
Frequent Advisor

тАО01-27-2010 07:31 AM

тАО01-27-2010 07:31 AM

Possible to enable SU password change?

Hi,

On a system running HP UX 11.31, we had the following list of security requests:

- Disable all remote login except SSH-based
- Permit ssh login to user accounts only, no generic
- Password aging of 120 days

The only possible way to execute commands as generic account would be to su. The problem comes when the password expires, you can't su to that user without changing the password and you can't log as that specific user remotly.

What would be my options to allow user password changes without changing security settings? Is it possible?
0 Kudos
Reply
5 REPLIES 5
Thomas Vogt (CH)
Advisor

тАО01-27-2010 08:02 AM

тАО01-27-2010 08:02 AM

Re: Possible to enable SU password change?

Hi,

Just add the users which are allowed to remote login to the sudo Users. Changing passwords will not affecting sudo commands.

Hope it helps.

Cheers
- Thomas
Reply
David P Lavoie
Frequent Advisor

тАО01-27-2010 08:12 AM

тАО01-27-2010 08:12 AM

Re: Possible to enable SU password change?

Good point but I don't have sudo installed.
0 Kudos
Reply
OldSchool
Honored Contributor

тАО01-27-2010 10:39 AM

тАО01-27-2010 10:39 AM

Re: Possible to enable SU password change?

"What would be my options to allow user password changes without changing security settings? Is it possible? "

??

if you "su" to a user, then that user can change its own passwd. The trick is that you have to do that *before* it expires.

depending your system, "passwd" or "modprpw" should be able to tell you which accounts are in need of any update. Of course, that needs to then be run on regular basis.

If you allow that, you would then need to put in place some mechanism so that all users needing access to that account get the "new" password.

The "sudo" alternative is easier to manage once set up, as you only need *your* password, not that of the user you are trying to "su" to. Also, depending on your needs, it fairly trivial to set up, plus its downloadable.

There are other commercial systems that may work for this as well, like PowerKeeper and / or PowerBroker, but they can be costly and complex.

Given your situation, I think I'd install "sudo", unless you've some pressing reason not to.



Reply
David P Lavoie
Frequent Advisor

тАО01-27-2010 10:48 AM

тАО01-27-2010 10:48 AM

Re: Possible to enable SU password change?

"if you "su" to a user, then that user can change its own passwd. The trick is that you have to do that *before* it expires.

depending your system, "passwd" or "modprpw" should be able to tell you which accounts are in need of any update. Of course, that needs to then be run on regular basis. "

I already thought about going in that area. It will probably be my solution.

sudo is not because the users would get more rights that they actually need. I only want the user to be able to change the password before it expires, nothing else.
0 Kudos
Reply
OldSchool
Honored Contributor

тАО01-27-2010 11:23 AM

тАО01-27-2010 11:23 AM

Solution

Re: Possible to enable SU password change?

"sudo is not because the users would get more rights that they actually need. I only want the user to be able to change the password before it expires, nothing else."

not necessarily.......

I'll admit its been a while, but you *can* limit a sudo user (or group of users) to only allow the "password" command.

a) you should ne able to only permit the "su" as well, and possibly only the "su - " as well, but I'm not all that up on the syntax of the sudoers file anymore.

b) once they've "transitioned" to the su'd id, they can do whatever that id allows, which may or may not be ok.

c) sudo should lso allow them to run specific commands as a different (generic) user w/o requiring a password.

all depends on what you need and the set-up

I know option "a" works, as I used to have it configured that way at a call center (10,000 users at 3 sites....). Somebody always needed a passwd unlocked, so I set up specific users to be able to run the password command (as root)...and that's all they could do via sudo
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.