password aging policies in HP-UX

 
SOLVED
senthil_kumar_1
Super Advisor

password aging policies in HP-UX

Hi

I want to view the password aging policies of the user such as minimum days, maximum days, warning days, date of last password change and password expire date.

24 REPLIES
Ganesan R
Honored Contributor

Re: password aging policies in HP-UX

Hi Senthilkumar,

Use this command.

# /usr/lbin/getprpw
Best wishes,

Ganesh.
Steven E. Protter
Exalted Contributor

Re: password aging policies in HP-UX

Shalom,

See /etc/default/security

There is a man page and current settings can be viewed.

http://www.docs.hp.com/en/B2355-60103/security.4.html

http://docs.hp.com/en/B2355-60127/security.4.html

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ganesan R
Honored Contributor

Re: password aging policies in HP-UX

# /usr/lbin/getprpw test
uid=101, bootpw=NO, audid=13, audflg=1, mintm=2, maxpwln=-1, exptm=30, lftm=40,
spwchg=Thu Nov 21 18:07:34 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=2,
usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT,
sysltpw=DFT, timeod=-1, slogint=Thu Nov 21 16:08:10 2002,
ulogint=Thu Nov 21 16:07:13 2002, sloginy=-1, culogin=-1, uloginy=-1,
umaxlntr=-1, alock=NO, lockout=0000100


Password Format Policies:

maxpwln ==> Maximum Password Length
nullpw ==> Allow Null Passwords
rstrpw ==> Use Restriction Rules
usrpick ==> User Specifies
syschpw ==> System Generates Character
sysltpw ==> System Generates Letters only
syspnpw ==> System Generates Pronounceable

Password Aging Policies

exptm ==> Password Expiration Time (days)
expwarn ==> Password Expiration Warning Time (days)
lftm ==> Password Life Time (days)
mintm ==> Time Between Password Changes (days)

NOTE: If password aging is disabled, all above parameters are set
to 0.

General User Account Policies

bootpw ==> Require Login Upon Boot To Single-User State
llog ==> Maximum Inactive Time (days)
umaxlntr ==> Unsuccessful login Tries Allowed

NOTE: If Lock Inactive Accounts is disabled, llog is set to 0.

Terminal Security Policies

dlylntr ==> Delay Between Login Tries (sec)
lntmout ==> Login Timeout Value (sec)
Best wishes,

Ganesh.
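
Added example (not part of the post above, and not HP code): a shell/awk filter that turns getprpw output like the sample above into the aging summary the original question asks for. It assumes the expiry date is the spwchg date plus exptm days, works at whole-day granularity, and treats a non-positive exptm as "no per-user expiry to compute"; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: aging summary from getprpw output (field names as in this thread).
# SAMPLE is the output posted above, kept terminal-wrapped on purpose.
SAMPLE='uid=101, bootpw=NO, audid=13, audflg=1, mintm=2, maxpwln=-1, exptm=30, lftm=40,
spwchg=Thu Nov 21 18:07:34 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=2, usrp
ick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DF
T, timeod=-1, slogint=Thu Nov 21 16:08:10 2002, ulogint=Thu Nov 21 16:07:13 2002
, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000100'

# prpw_aging: getprpw output on stdin -> one "name=value" line per aging field,
# plus expires=YYYY-MM-DD. Assumption: expiry = spwchg date + exptm days.
prpw_aging() {
  awk '
  function days(y, m, d) {            # civil date -> days since 1970-01-01
    if (m <= 2) { y--; m += 12 }
    return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + d - 719469
  }
  function ymd(n,   e, doe, yoe, doy, mp, d, m, y) {   # inverse of days()
    n += 719468; e = int(n/146097); doe = n - e*146097
    yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096))/365)
    doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))
    mp = int((5*doy + 2)/153); d = doy - int((153*mp + 2)/5) + 1
    m = (mp < 10) ? mp + 3 : mp - 9; y = yoe + e*400 + (m <= 2)
    return sprintf("%04d-%02d-%02d", y, m, d)
  }
  { buf = buf $0 }                    # undo terminal wrapping before splitting
  END {
    n = split(buf, kv, /, */)
    for (i = 1; i <= n; i++)
      if ((p = index(kv[i], "=")) > 0) f[substr(kv[i], 1, p-1)] = substr(kv[i], p+1)
    print "mintm=" f["mintm"]; print "exptm=" f["exptm"]
    print "lftm=" f["lftm"];   print "expwarn=" f["expwarn"]
    print "spwchg=" f["spwchg"]
    # Non-positive exptm or a non-date spwchg: no per-user expiry to compute
    if (f["exptm"] + 0 <= 0 || split(f["spwchg"], t, " ") != 5) { print "expires=n/a"; exit }
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[2]) + 2) / 3
    print "expires=" ymd(days(t[5] + 0, mon, t[3] + 0) + f["exptm"])
  }'
}

# Demo on the constructed input; on a trusted system: /usr/lbin/getprpw user | prpw_aging
prpw_aging <<EOF
$SAMPLE
EOF
```
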
Sajjad Sahir
Honored Contributor

Re: password aging policies in HP-UX

Dear Senthil

The configuration file is /etc/default/security.
You can set password length, password aging and a number of other things in this file; see the above posting also.


thanks and regards

Sajjad Sahir
senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

I get the following output when I tried to execute this command.

root@lgapps:/root > /usr/lbin/getprpw test
System is not trusted.


Please help me.
Sajjad Sahir
Honored Contributor

Re: password aging policies in HP-UX


Dear Senthil

This is available in a trusted system:
modprpw, getprpw etc.

Your system is not trusted.

You can do password aging and a lot of other things in the /etc/default/security file; see more parameters from there.

thanks and regards

Sajjad Sahir
senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

There is no file "/etc/default/security" in my system.
Ganesan R
Honored Contributor

Re: password aging policies in HP-UX

Hi Senthilkumar,

If your system is not converted as trusted, then you cannot use the modprpw and getprpw commands.

But still you can set password policies on /etc/default/security file.

see man security

Many things you can do with security.

If you want to know existing password status use the below command

# passwd -sa -> for all users
# passwd -s -> for individual user
Best wishes,

Ganesh.
Johnson Punniyalingam
Honored Contributor

Re: password aging policies in HP-UX

Hi Senthil Kumar,

On non-trusted systems, general password policy is set by the week, not the day. That is why you had to run a special command, shown above to expire a user the next day.

The passwd -s output is still meaningful. After 7 days if not used, both accounts will be locked.

You have considerable flexibility in setting policy on a non-trusted system.

/etc/default/security configuration will let you set general policy to meet your organization's guidelines.


Thanks,
Johnson
Problems are common to all, but attitude makes the difference
T G Manikandan
Honored Contributor

Re: password aging policies in HP-UX

Unless your server is converted to trusted, which means you have the /tcb directory, the /etc/default/security file and all its parameters work.

Without converting to a trusted system, the password aging policies don't work, except the changes which you can do with the /etc/passwd file for the non-trusted systems.
Md. Farhan A Azam
Trusted Contributor

Re: password aging policies in HP-UX

Hi Senthil,

First check whether your system is in trusted mode or not.

If not then -
#sam> Press "Return" to continue> Auditing and Security> System Security Policies> (Do you want to convert to a Trusted System now?)Press on Yes> ok> Select [Password Aging Policies]> Enable the Password Aging:> then change the value as per your requirement.

Thnx...Farhan
Md. Farhan A Azam
Trusted Contributor

Re: password aging policies in HP-UX

Hi,

#sam> Press "Return" to continue> Auditing and Security> System Security Policies> Select [Password Aging Policies], from here you can check password aging policies.

Thnx...Farhan
Bill Hassell
Honored Contributor

Re: password aging policies in HP-UX

> ... password aging policies of the user such as minimum days, maximum days, warning days, date of last password change and password expire date.

Other than the expiration time and the minimum time before another password change can be made, there are no other password controls available on your system. The /etc/default/security file must be created by you but read the man page for security. There are just a couple of options that will work -- all the others will be ignored until you convert to a Trusted System. Depending on your version of HP-UX, you may also choose Shadow Password protection or Security Enhancement/Containment.


Bill Hassell, sysadmin
senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

Hi All,

Just now I converted my hpux into trusted mode using SAM.

Now I am able to find the folder "/tcb/files/auth"

My problem is that just now I have created one user, and I am not able to change the password for that user.

Ex:

# useradd sentest

# passwd sentest

Password cannot be changed. Reason: Cannot access protected password entry.

I am getting the above error.

And I am not able to run the command "getprpw".

Ex:

root@lgsna:/tcb/files/auth/r > getprpw sentest
sh: getprpw: not found.

root@lgsna:/tcb/files/auth/r > usr/lbin/getprpw sentest
sh: usr/lbin/getprpw: not found.

My questions:

1) How to set / reset the password when server is at trusted mode.

2) How to get the command "getprpw".





OldSchool
Honored Contributor

Re: password aging policies in HP-UX

Ganesan R noted
"# /usr/lbin/getprpw test"


-and you did-


"root@lgsna:/tcb/files/auth/r > getprpw sentest
sh: getprpw: not found."

do *you* see the difference? do you know at least 2 ways to correct the issue?

hint: what's your path?


OldSchool
Honored Contributor

Re: password aging policies in HP-UX

and if all you need are the min days / max days / number of days warning, that should work on an "untrusted" system....at least it did on 11.0 w/ patches applied

senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

Hi All,

I have converted my system into trusted.

I would like to practice all the features of trusted system like "getprpw", "modprpw",
"configuring /etc/defaults/security", "password aging policies" and "auditing".


So I need the best guide (pdf / html) to practice the above things.

James R. Ferguson
Acclaimed Contributor

Re: password aging policies in HP-UX

Hi Senthil:

I trust (no pun intended) that you realize that Trusted System security is deprecated with 11.31 and that the 11.31 release is the last that will support it.

In my opinion, you would be in a better position to convert to a shadow implementation and begin to explore the evolving features built upon that.

http://docs.hp.com/en/5992-3387/index.html

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: password aging policies in HP-UX

Shalom again,

/usr/lbin/getprpw test

This and the associated commands will work on a trusted system.

passwd -sa will provide you a good report and flag users that have not logged in and changed their passwords recently.

Trusted system is as JRF notes orphan technology, and you may wish to study alternatives so that your future HP-UX 11 v 4 systems will work with older systems.

Shadow password is available from http://software.hp.com and may be built into 11.31. Shadow password is based on Linux which will make it easier not to remember two different rule sets when dealing with multi platform systems.

SEP
Steven E Protter
Bill Hassell
Honored Contributor

Re: password aging policies in HP-UX

> getprpw not found

This is correct. Only root can use modprpw and getprpw and they are located in a special directory: /usr/lbin. This directory should be made part of root's PATH. Add it to root's .profile like this:

PATH=$PATH:/usr/lbin

Then log out and log in as root and now getprpw will work without a full path (your test above was missing the leading "/", always required for full path names).

> There is no file "/etc/default/security" in my system.

Correct. There is no security file -- you must create it by first reading the man page: security

Then add the features that you want. NOTE: spelling must be exact and there will never be any error message when you have an error in the security file. Also note: unlike virtually any other configuration file, a # character ANYWHERE on the line causes the entire line to be ignored (silently).

> So i need best guide (pdf / html) to practice above things.

Bookmark this location for everything there is to know about HP-UX:

http://docs.hp.com

And as is true for all Unix systems, the man page is the first place to look:

man getprpw
man modprpw
man security

And be sure to read the bottom of the man page where it says: "See also"

Now you did not show your release number (10.20, 11.00, 11.11, etc) so some of the comments above do not apply and some features are not found or are incomplete if you have not applied any patches.


Bill Hassell, sysadmin
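
Added example (not part of the post above, and not HP code): a lint pass for a security(4)-style file that reports the two silent failures described in that post, a # anywhere on a setting line and a misspelled parameter name. The KNOWN list is an assumed subset of parameter names to be replaced from "man security" on the target release, flagging anything other than a strict NAME=value form is a conservative assumption, and the function name and sample file are constructed.

```shell
#!/bin/sh
# Added example: lint a security(4)-style file for lines that would be
# silently ignored. KNOWN is an assumed subset of parameter names; replace it
# with the names listed in "man security" on the target release.
KNOWN='MIN_PASSWORD_LENGTH PASSWORD_HISTORY_DEPTH PASSWORD_MAXDAYS PASSWORD_MINDAYS PASSWORD_WARNDAYS'

# Constructed sample file contents (not from a real system).
SAMPLE='# password policy
MIN_PASSWORD_LENGTH=8
PASSWORD_MAXDAYS=90   # quarterly rotation
PASSWORD_MINDAY=1
PASSWORD_WARNDAYS = 7
PASSWORD_HISTORY_DEPTH=5'

# lint_security: file contents on stdin -> "line N: problem: text" per finding.
# Exit status is 1 when at least one finding was reported, 0 otherwise.
lint_security() {
  awk -v known="$KNOWN" '
  function report(why) { printf "line %d: %s: %s\n", NR, why, $0; bad++ }
  BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
  /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank or whole-line comment
  /#/ { report("hash-in-line"); next }       # trailing comment disables the setting
  !/^[A-Z0-9_]+=[^ \t]+[ \t]*$/ { report("malformed"); next }
  { name = substr($0, 1, index($0, "=") - 1)
    if (!(name in ok)) report("unknown-name") }
  END { exit (bad > 0) }'
}

# Demo on the constructed sample; for a real file: lint_security < /etc/default/security
printf '%s\n' "$SAMPLE" | lint_security || echo "lines listed above need fixing"
```
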
Suraj K Sankari
Honored Contributor

Re: password aging policies in HP-UX

Hi Senthil,

Download the pdf file of "HP-UX System Administrator's Guide: Security Management HP-UX 11i Version 3" from the below link.

http://docs.hp.com/en/5992-3387/5992-3387.pdf

Suraj
senthil_kumar_1
Super Advisor

Re: password aging policies in HP-UX

Hi All,

Thanks a lot for your suggestions.

We are still using HPUX 11.00 and 11.11.

We don't have any single server with HPUX 11iV3, so I cannot practice myself in 11iv3.

And I want to learn all the important configurations related to trusted system, since I have to the currently available HPUX 11.00 and 11.11.

Mainly I want notes for password aging policies and auditing and others (if anything is important).
Ganesan R
Honored Contributor
Solution

Re: password aging policies in HP-UX

Hi Senthil,

Then you read this....

http://docs.hp.com/en/B2355-90121/index.html
Best wishes,

Ganesh.
OldSchool
Honored Contributor

Re: password aging policies in HP-UX

"I would like to practice all the features of trusted system like "getprpw", "modprpw",
"configuring /etc/defaults/security", "password aging policies" and "auditing".

So i need best guide (pdf / html) to practice above things."


I'm not sure what there is to "practice". The settings for each OS revision are quite specific as to what they do and how you set them (and the defaults). In addition, "auditing" as relates to what I've used it for is system accounting, which is something else entirely.