
Possible to enable SU password change?

SOLVED
David P Lavoie
Frequent Advisor

Hi,

On a system running HP UX 11.31, we had the following list of security requests:

- Disable all remote login except SSH-based
- Permit ssh login to user accounts only, no generic
- Password aging of 120 days

The only possible way to execute commands as a generic account would be to su. The problem comes when the password expires: you can't su to that user without changing the password and you can't log in as that specific user remotely.

What would be my options to allow user password changes without changing security settings? Is it possible?
5 REPLIES

Re: Possible to enable SU password change?

Hi,

Just add the users which are allowed to remote login to the sudo users. Changing passwords will not affect sudo commands.

Hope it helps.

Cheers
- Thomas
David P Lavoie
Frequent Advisor

Re: Possible to enable SU password change?

Good point but I don't have sudo installed.
OldSchool
Honored Contributor

Re: Possible to enable SU password change?

"What would be my options to allow user password changes without changing security settings? Is it possible? "

??

if you "su" to a user, then that user can change its own passwd. The trick is that you have to do that *before* it expires.

depending on your system, "passwd" or "modprpw" should be able to tell you which accounts are in need of any update. Of course, that needs to then be run on a regular basis.

If you allow that, you would then need to put in place some mechanism so that all users needing access to that account get the "new" password.

The "sudo" alternative is easier to manage once set up, as you only need *your* password, not that of the user you are trying to "su" to. Also, depending on your needs, it's fairly trivial to set up, plus it's downloadable.

There are other commercial systems that may work for this as well, like PowerKeeper and / or PowerBroker, but they can be costly and complex.

Given your situation, I think I'd install "sudo", unless you've some pressing reason not to.



David P Lavoie
Frequent Advisor

Re: Possible to enable SU password change?

"if you "su" to a user, then that user can change its own passwd. The trick is that you have to do that *before* it expires.

depending on your system, "passwd" or "modprpw" should be able to tell you which accounts are in need of any update. Of course, that needs to then be run on a regular basis. "

I already thought about going in that area. It will probably be my solution.

sudo is not because the users would get more rights than they actually need. I only want the user to be able to change the password before it expires, nothing else.
OldSchool
Honored Contributor
Solution

Re: Possible to enable SU password change?

"sudo is not because the users would get more rights than they actually need. I only want the user to be able to change the password before it expires, nothing else."

not necessarily.......

I'll admit it's been a while, but you *can* limit a sudo user (or group of users) to only allow the "password" command.

a) you should be able to only permit the "su" as well, and possibly only the "su - " as well, but I'm not all that up on the syntax of the sudoers file anymore.

b) once they've "transitioned" to the su'd id, they can do whatever that id allows, which may or may not be ok.

c) sudo should also allow them to run specific commands as a different (generic) user w/o requiring a password.

all depends on what you need and the set-up

I know option "a" works, as I used to have it configured that way at a call center (10,000 users at 3 sites....). Somebody always needed a passwd unlocked, so I set up specific users to be able to run the password command (as root)...and that's all they could do via sudo
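
The restricted sudo setup discussed in this thread, sketched as a sudoers fragment. This is an added example, not configuration posted by anyone in the thread; the user names (`alice`, `bob`), the generic account (`appuser`) and the `/opt/app/bin/...` paths are hypothetical, and it assumes `passwd` and `su` live in `/usr/bin`.

```sudoers
# Added example: all names and /opt/app paths below are hypothetical.
# Edit with visudo so a syntax error is caught before it is saved.

# Personal accounts that are allowed to log in over SSH.
User_Alias  APPADMINS = alice, bob
# The shared generic account that nobody logs in to directly.
Runas_Alias GENERIC   = appuser

# TOO BROAD (left commented out): with no arguments listed, sudo accepts
# any arguments, so "sudo passwd root" is allowed and the rule amounts
# to full root access.
# APPADMINS ALL = (root) /usr/bin/passwd

# NARROW: when arguments are listed, the command line must match them
# exactly, so only "sudo passwd appuser" is permitted. Run as root,
# passwd does not ask for the old password, so this is a reset right.
APPADMINS ALL = (root) /usr/bin/passwd appuser

# Option (a): permit only the transition to the generic account.
# Per point (b), once switched they can do whatever appuser can do.
APPADMINS ALL = (root) /usr/bin/su - appuser

# Option (c): named commands as the generic account, no password
# prompt, and no shell as that account.
APPADMINS ALL = (GENERIC) NOPASSWD: /opt/app/bin/status, /opt/app/bin/restart
```

`sudo -l`, run as one of the listed users, shows the rules that actually apply to them, which is a quick way to confirm the broad form was not left in place.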