
Replacement for "modprpw" commands on 11.31 which now uses "userdbxxx" commands in Shadow Mode.

Mike755
Advisor

With trusted system configurations I was used to using commands like:

/usr/lbin/modprpw -k <username>      (This re-activates accounts)

/usr/lbin/modprpw -v <username>      (This resets age.)

I wrote a script that ran (via a 3rd party scheduler) that would update all our back office user accounts every 85 days as we had aging set to 90 days, i.e. run this prior to those accounts expiring.

This came in handy when dealing with user accounts not being logged into the command line to be warned about nearing expiration.  Plus quick and easy to make mass changes.

Now that we are in "Shadow Mode" on 11.31 I'm hoping the "userdbxxx" type commands will have something similar for folks to use?

Does anyone have a quick list of sorts for all the features commands like userdbget/userdbset have to offer?  Like to be able to script something out similar with Trusted Systems where mass user account password administration tasks can take place.

Thanks, Mike

Legalize Freedom
Mike755
Advisor

Re: Replacement for "modprpw" commands on 11.31 which now uses "userdbxxx" comma

One thing I've been digging into is how SMH handles password administration.  You can get some command line syntax within the GUI but it's limited.  Back in the day you could get into the "sam.log" and grab the syntax used when in SAM.

Is there a log somewhere on the unix server for the SMH activity that I might be able to gather more information in this area to manage password aging? 

Thanks, Mike

Legalize Freedom
Patrick Wallek
Honored Contributor

Re: Replacement for "modprpw" commands on 11.31 which now uses "userdbxxx" comma

I'm currently experimenting with SMH and am using the browser based version.

I went into the "Accounts For Users And Groups" section and selected a user.

When modifying the user account there are 4 buttons on the bottom of the screen (Modify, Preview, Cancel and Help).  If you set all of the information you want to change you can then press the "Preview" button and it will show you the command that will run.

There are logs in /var/opt/hpsmh/logs, but I haven't found anything in those yet that will reflect what command was run.

Mike_Bray755
New Member

Re: Replacement for "modprpw" commands on 11.31 which now uses "userdbxxx" comma

I'm still looking for information in these areas, so it seems like something not everyone understands how to do with Shadow Mode replacing "Trusted Systems".

Matti_Kurkela
Honored Contributor

Re: Replacement for "modprpw" commands on 11.31 which now uses "userdbxxx" comma

> /usr/lbin/modprpw -v <username>      (This resets age.)

As long as the password has not expired yet, you can extend its life in shadow mode with:

passwd -x <days_until_new_expiration> <username>

If you want to keep the same aging value as previously set, you'll apparently have to be a bit tricky:

/bin/passwd -x $(logins -xo -l <username> | cut -d : -f 11) <username>

But if you have passwords that must stay the same indefinitely, a periodic refresh is just fooling yourself (and possibly the security auditors): you are still violating the spirit of the password expiration policy.

If such passwords are really required, the proper response would be to get a policy waiver for them, protect them some other way (e.g. by allowing their use from a strictly limited set of IP addresses only), and document them. Then make these accounts not expire:

/usr/bin/passwd -x -1 <username>

(i.e. set the new password lifetime to minus one).

If the password has already expired, the standard way to re-activate it in shadow mode would be to just assign it a new password as root, with "passwd <username>". Yes, this does not allow easy re-use of the old password: this can be considered a design feature to discourage the constant re-use of old passwords.

>/usr/lbin/modprpw -k <username>      (This re-activates accounts)

An account that has been locked because of too many failed login attempts can be unlocked like this in shadow mode:

userdbset -d -u <username> auth_failures

(This is given as an example in "man 4 security", in the paragraph describing the use of the AUTH_MAXTRIES setting.)

Likewise, an account locked because of inactivity (if INACTIVITY_MAXDAYS has been set) can be unlocked in shadow mode with this command:

userdbset -d -u <username> login_time

If you want a list of user accounts with an expired/locked/otherwise abnormal password, the "userstat -a" command does what you want.

> Does anyone have a quick list of sorts for all the features commands like userdbget/userdbset have to offer?

In fact your HP-UX system already has such a list, in file /etc/security.dsc. If I recall correctly, it contains rather extensive comments describing the file format.

MK
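As an added example that is not part of the thread (neither Mike's scheduler script nor anything from HP), the sh script below wraps the `passwd -x $(logins -xo -l <username> | cut -d : -f 11) <username>` one-liner from the answer above into the kind of scheduled mass refresh the original question describes. It assumes the `logins -xo` field layout that one-liner relies on (the password max-age value in colon-separated field 11); the `logins` lines it parses are constructed samples, not real output, and it only prints the `passwd` commands so they can be reviewed before anything is run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the logins -xo layout the
# answer relies on: password max age is colon-separated field 11.
# Nothing here calls passwd; it builds the command line for review.

# Constructed sample lines standing in for `logins -xo -l <user>` output
# (field values are made up; only the field 11 position matters here).
SAMPLE_AGING_LINE="appbatch:2001:users:20:Batch account:/home/appbatch:/usr/bin/sh:PS:012415:0:90:14"
SAMPLE_NOEXPIRE_LINE="svcacct:2002:users:20:Service account:/home/svcacct:/usr/bin/sh:PS:012415:0:-1:14"

# Print the max-age field (field 11) of one logins -xo line.
max_age_from_logins() {
    printf '%s\n' "$1" | cut -d : -f 11
}

# Build the passwd command that re-applies the user's current lifetime,
# i.e. the answer's "keep the same aging value" trick.
# Returns 1 if the field is unparseable, 2 if the account already never expires.
build_refresh_cmd() {
    user=$1
    line=$2
    days=$(max_age_from_logins "$line")
    case $days in
        ''|*[!0-9-]*)
            echo "cannot parse max age for $user from: $line" >&2
            return 1 ;;
    esac
    if [ "$days" -lt 0 ]; then
        # -1 is the "never expires" lifetime the answer describes; such
        # accounts should be waived and documented, not silently refreshed.
        echo "skip $user: password lifetime already unlimited" >&2
        return 2
    fi
    printf '/usr/bin/passwd -x %s %s\n' "$days" "$user"
}

# Mass version: reads "user <logins -xo line>" records on stdin, prints one
# passwd command per refreshable account and reports the skips on stderr.
refresh_plan() {
    skipped=0
    while read -r user line; do
        [ -n "$user" ] || continue
        build_refresh_cmd "$user" "$line" || skipped=$((skipped + 1))
    done
    echo "skipped=$skipped" >&2
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "appbatch $SAMPLE_AGING_LINE" "svcacct $SAMPLE_NOEXPIRE_LINE" | refresh_plan
```

On a real system each record would be built from `logins -xo -l "$user"` for the accounts in scope, and the printed commands run only after review. Keep in mind the caveat from the answer: `passwd -x` extends a password that has not expired yet, so accounts that are already expired need a new password assigned instead, and the script above does not try to detect that case.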