Operating System - HP-UX

Where is the inactivity lock set on a user on a trusted system?

 
Brian A. Scurlock_1
Frequent Advisor

Where is the inactivity lock set on a user on a trusted system?

I have an HPUX 11.11 system set up in trusted mode with a large number of users. I have default account policies set up that work for most users. I have singled out a group that will need custom account policies, but I find doing this via sam to be extremely time consuming and tedious. I have used /usr/lbin/modprpw to successfully modify the account policies to a custom configuration and verified that sam is ok with the changes, but I cannot figure out how to change the account inactivity lock setting from the command line. I'm thinking this may be handled outside of the modprpw/getprpw/tcb system. Any ideas?
Thanks in advance,
-Brian A. Scurlock
You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
Anshumali
Esteemed Contributor

Re: Where is the inactivity lock set on a user on a trusted system?

vi /etc/default/security
INACTIVITY_MAXDAYS=45

cheers!
Anshu
Dreams are not which you see while sleeping, Dreams are which doesn't allow you to sleep while you are chasing for them!!
Steven E. Protter
Exalted Contributor

Re: Where is the inactivity lock set on a user on a trusted system?

Shalom,

/etc/default/security

This file does permit you a lot of flexibility, but it will apply to all users.

To have two sets of policies and two groups of users would probably require a custom script.

Note that though I love it, trusted system is obsolete and not deployed in HP-UX 11.31

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Brian A. Scurlock_1
Frequent Advisor

Re: Where is the inactivity lock set on a user on a trusted system?

It appears that the inactivity lock is controlled by the u_llogin in /tcb/files/auth/system/default on a trusted system or in the individual user tcb files after the account is created. Since it appears that no command line interface is provided to update this field I think I will just bite the bullet and use sam to make this particular change.

-Brian
You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
Brian A. Scurlock_1
Frequent Advisor

Re: Where is the inactivity lock set on a user on a trusted system?

Corrected again... now that I have found the u_llogin parameter, I got some other hits on itrc. This can be updated with modprpw; the description provided in the modprpw man page does not say anything to suggest that this parameter controls the inactivity lock. The description in other man pages shows that this parameter controls the maximum amount of time in seconds between the current time and the time of last login. Even further complicating things, the prpwd man page incorrectly refers to this parameter as u_max_llogin.

-Brian
You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
Tim Nelson
Honored Contributor

Re: Where is the inactivity lock set on a user on a trusted system?

If you are looking for the setting to control the amount of time from the last login/password change to the time that the account becomes disabled, then exptm=60 is the one.

e.g. if the user has not accessed their account in 60 days then it becomes disabled.

This is also known as account lifetime.

show defaults
getprdef -m

show specific user
getprpw -m exptm user1

to set it
modprpw -m exptm=60 user1

Defaults are either set in the trusted system defaults file or /etc/default/security
Brian A. Scurlock_1
Frequent Advisor

Re: Where is the inactivity lock set on a user on a trusted system?

This is not entirely correct. exptm updates the TCB database entry u_exp. u_exp specifies when the password expires; when the password expires, the user account is locked. This has nothing to do with the time between last login activity and now or "inactivity."

-Brian


You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
Brian A. Scurlock_1
Frequent Advisor

Re: Where is the inactivity lock set on a user on a trusted system?

modprpw -m llog=(max time in seconds between now and last login) username
You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
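
The thread's starting problem (one group of users needing its own inactivity setting) scripted around the `modprpw -m llog=...` command from the last post, as an added example that is not part of the original thread. It only prints the commands for review; the function names, the `/etc/group` parsing and the `getprpw` read-back are assumptions, and the llog value is passed through unchanged, in whatever unit the thread's command expects.

```shell
#!/bin/sh
# Added example: emit one modprpw command per member of a group, each followed
# by a getprpw read-back of the same field. Nothing is executed here.

MODPRPW=${MODPRPW:-/usr/lbin/modprpw}   # path as given in the thread
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}   # assumption: installed beside modprpw

# group_members GROUP [GROUPFILE] -> one listed member per line.
# Only the 4th field of the group file is read, so users who have GROUP
# solely as their primary group in /etc/passwd are not included.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${2:-/etc/group}"
}

# llog_commands VALUE GROUP [GROUPFILE]
# Returns 2 for a bad value, 1 when the group has no listed members.
llog_commands() {
    value=$1 group=$2 file=${3:-/etc/group}
    case $value in
        ''|*[!0-9]*)
            echo "llog value must be a non-negative integer: '$value'" >&2
            return 2 ;;
    esac
    members=$(group_members "$group" "$file")
    [ -n "$members" ] || { echo "no members listed for '$group'" >&2; return 1; }
    for user in $members; do
        case $user in
            # Refuse names that would change the meaning of the printed line.
            *[!A-Za-z0-9._-]*) echo "skipping odd user name: $user" >&2; continue ;;
        esac
        printf '%s -m llog=%s %s && %s -m llog %s\n' \
            "$MODPRPW" "$value" "$user" "$GETPRPW" "$user"
    done
}

# Typical use (VALUE and GROUP are placeholders):
#   llog_commands VALUE GROUP > /tmp/llog.sh   # review the file, then run it
```

Try the value on a single test account first and compare the `getprpw -m llog` read-back with what sam shows for that account before running the full list.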