
Re: password aging policies in HP-UX

T G Manikandan
Honored Contributor

Re: password aging policies in HP-UX

Unless your server is converted to trusted, which means you have the /tcb directory, the /etc/default/security file and all its parameters work.

Without converting to a trusted system, the password aging policies don't work, except the changes which you can do with /etc/passwd file for the non-trusted systems.
Md. Farhan A Azam
Trusted Contributor

Re: password aging policies in HP-UX

Hi Senthil,

First check whether your system is in trusted mode or not.

If not then -
#sam> Press "Return" to continue> Auditing and Security> System Security Policies> (Do you want to convert to a Trusted System now?)Press on Yes> ok> Select [Password Aging Policies]> Enable the Password Aging:> then change the value as per your requirement.

Thnx...Farhan
Md. Farhan A Azam
Trusted Contributor

Re: password aging policies in HP-UX

Hi,

#sam> Press "Return" to continue> Auditing and Security> System Security Policies> Select [Password Aging Policies], from here you can check password aging policies.

Thnx...Farhan
Bill Hassell
Honored Contributor

Re: password aging policies in HP-UX

> ... password aging policies of the user such as minimum days, maximum days, warning days, date of last password change and password expire date.

Other than the expiration time and the minimum time before another password change can be made, there are no other password controls available on your system. The /etc/default/security file must be created by you but read the man page for security. There are just a couple of options that will work -- all the others will be ignored until you convert to a Trusted System. Depending on your version of HP-UX, you may also choose Shadow Password protection or Security Enhancement/Containment.


Bill Hassell, sysadmin
senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

Hi All,

Just now I converted my HP-UX into trusted mode using SAM.

Now I am able to find the folder "/tcb/files/auth".

My problem is that I have just created one user, and I am not able to change the password for that user.

Ex:

# useradd sentest

# passwd sentest

Password cannot be changed. Reason: Cannot access protected password entry.

I am getting the above error.

And I am not able to run the command "getprpw".

Ex:

root@lgsna:/tcb/files/auth/r > getprpw sentest
sh: getprpw: not found.

root@lgsna:/tcb/files/auth/r > usr/lbin/getprpw sentest
sh: usr/lbin/getprpw: not found.

My questions:

1) How to set / reset the password when the server is in trusted mode.

2) How to get the command "getprpw".





OldSchool
Honored Contributor

Re: password aging policies in HP-UX

Ganesan R noted
"# /usr/lbin/getprpw test"


-and you did-


"root@lgsna:/tcb/files/auth/r > getprpw sentest
sh: getprpw: not found."

do *you* see the difference? do you know at least 2 ways to correct the issue?

hint: what's your path?


OldSchool
Honored Contributor

Re: password aging policies in HP-UX

and if all you need are the min days / max days / number of days warning, that should work on an "untrusted" system....at least it did on 11.0 w/ patches applied
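
The aging that works on a non-trusted system, as this post and the first reply mention, is stored in the password field of /etc/passwd itself. As an added example that is not part of any post in this thread, the script below decodes that suffix following the passwd(4) layout; the sample entries and hashes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes the aging suffix "<hash>,Mmww"
# in the password field of /etc/passwd on a non-trusted system:
#   M = max weeks, m = min weeks, ww = week of last change counted from 1970,
#   each character a digit 0..63 in the alphabet below, ww low digit first.
ALPHABET='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# b64val CHAR: print the digit value of CHAR, or return 1 if it is not valid
b64val() {
    case "$1" in ?) ;; *) return 1 ;; esac   # exactly one character
    prefix=${ALPHABET%%"$1"*}                # text before CHAR in the alphabet
    [ "${#prefix}" -lt 64 ] || return 1      # 64 means CHAR was not found
    echo "${#prefix}"
}

# decode_aging PWFIELD: print "max_weeks min_weeks last_change_week",
# or "none" when no aging suffix is present; return 1 on a malformed suffix
decode_aging() {
    case "$1" in
        *,*) rest=${1#*,} ;;
        *)   echo none; return 0 ;;
    esac
    [ "${#rest}" -ge 2 ] && [ "${#rest}" -le 4 ] || return 1
    vals=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}                # first character of what is left
        v=$(b64val "$c") || return 1
        vals="$vals $v"
        rest=${rest#?}
    done
    set -- $vals
    echo "$1 $2 $(( ${3:-0} + 64 * ${4:-0} ))"
}

# Constructed sample entries (made-up hashes), in /etc/passwd layout
while IFS=: read -r user pw junk; do
    echo "$user: $(decode_aging "$pw" || echo malformed)"
done <<'EOF'
sentest:abJnggxhB/yWI,A/ET:105:20::/home/sentest:/sbin/sh
olduser:cdKmhhyiC0zXJ:106:20::/home/olduser:/sbin/sh
EOF
```

On a trusted system the password field in /etc/passwd no longer carries the hash or this suffix, so the decoder reports "none" there and the values have to be read with /usr/lbin/getprpw instead.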

senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

Hi All,

I have converted my system into trusted.

I would like to practice all the features of a trusted system like "getprpw", "modprpw",
"configuring /etc/defaults/security", "password aging policies" and "auditing".


So I need the best guide (pdf / html) to practice the above things.

James R. Ferguson
Acclaimed Contributor

Re: password aging policies in HP-UX

Hi Senthil:

I trust (no pun intended) that you realize that Trusted System security is deprecated with 11.31 and that the 11.31 release is the last that will support it.

In my opinion, you would be in a better position to convert to a shadow implementation and begin to explore the evolving features built upon that.

http://docs.hp.com/en/5992-3387/index.html

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: password aging policies in HP-UX

Shalom again,

/usr/lbin/getprpw test

This and the associated commands will work on a trusted system.

passwd -sa will provide you a good report and flag users that have not logged in and changed their passwords recently.

Trusted system is as JRF notes orphan technology, and you may wish to study alternatives so that your future HP-UX 11 v 4 systems will work with older systems.

Shadow password is available from http://software.hp.com and may be built into 11.31. Shadow password is based on Linux which will make it easier not to remember two different rule sets when dealing with multi platform systems.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com