Operating System - HP-UX

Re: 90 day password - how?

YA Unix Admin
Advisor

90 day password - how?

Is there a system wide setting or settings that will make a password valid for 90 days only and not allow login after 90 days?

Is it possible to do on a NOT trusted system [11.00 and 11.11],
or does it have to be trusted?

What would the settings be?

I will now RTFM .. but somebody may have this info cached and be willing to share :)
Steven E. Protter
Exalted Contributor

Re: 90 day password - how?

Shalom,

You set it in /etc/default/security

There is a man page on it.

You can set the default to 90 days, 60 days, anything you want.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
YA Unix Admin
Advisor

Re: 90 day password - how?

Cool ... if I make a file /etc/default/security with

PASSWORD_MAXDAYS=90

when does it start counting?
YA Unix Admin
Advisor

Re: 90 day password - how?

or ... stated differently .. how do I test this?
Bill Hassell
Honored Contributor
Solution

Re: 90 day password - how?

There is a big difference between password lifetime and password expiration (when the password must be changed). Password lifetime is *ONLY* available on Trusted systems. On standard (non-Trusted) systems, there are only two numbers: password expiration (in weeks) and minimum time before changing the password.

The friendly man page for /etc/default/security is: security but because it covers 3 different authentication methods (standard, Trusted and Shadow), it can be tricky to read. And unfortunately, there is no verification that a particular setting works except to test it. Also, between 11.00 and 11.11, there are a large number of changes based on security patches for things like PAM and passwd, etc. 11.00 started with almost nothing active in the security file (which must be created by hand) and 11.11 also has security patches to enhance the security file options.

Now you can verify the setting using modprpw, getprpw, getprdef and modprdef, both found in the 'backend' directory where undocumented processes are stored. You may not even have a man page for modprpw in your older 11.00 systems, but you can use the 11.11 man page or read it from the ITRC:

http://docs.hp.com/en/B2355-90691/modprpw.1M.html

modprpw is used to modify settings for a specific user while modprdef is used to set the system defaults. Security defaults apply to settings for users where a particular value is -1 (-1 means not set, 0 means infinite). The -m option (and the options) are the same for all 4 commands. To see the system default lifetime for all passwords, use:

/usr/lbin/getprdef -m lftm

(On a non-trusted system, it reports that the system is non-Trusted.) To make the default lifetime for all user logins = 90 days, use:

/usr/lbin/modprdef -m lftm=90

NOW WAIT BEFORE YOU TYPE THIS COMMAND! Do you want Oracle or Sybase or Websphere or Informix or other very important user IDs to stop working after 90 days? (I don't think so) Go through your entire passwd file and identify all accounts that must not terminate. Then set those accounts to infinite like this:

/usr/lbin/modprpw -m lftm=0 root

(you don't want to expire!) Remember that an expired account will not allow a login even if the password is correct.


Bill Hassell, sysadmin
YA Unix Admin
Advisor

Re: 90 day password - how?

HPUX#++#/usr/lbin/getprdef -m lftm
System is not trusted.

Yes I realize the whole EVERY user will expire dilemma .. but just so I am clear .. you CAN make it so that after 90 days if userA did nothing they will not be able to login anymore. Which is "password lifetime", correct?

I have to do this across linux/aix/hpux and my head is spinning.
Bill Hassell
Honored Contributor

Re: 90 day password - how?

> HPUX#++#/usr/lbin/getprdef -m lftm
> System is not trusted.

Oops, nothing you can do about the untrusted systems except to code your own daily checker. When it's time to disable the account, run the passwd -l command to disable (lock) the userID. The commands modprpw/getprpw, etc. are only functional in a Trusted system.

> Yes I realize the whole EVERY user will expire dilemma .. but just so I am clear .. you CAN make it so that after 90 days if userA did nothing they will not be able to login anymore. Which is "password lifetime", correct?

Correct. The lifetime is essentially a userID lifetime. Once the lifetime is reached, the userID is locked automatically and the user cannot log in even with the right password.


Bill Hassell, sysadmin
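A "daily checker" of the kind Bill describes for the non-Trusted case, written as an added example that is not part of this thread or of HP-UX itself. It assumes an admin-maintained record file in the hypothetical form user:last_change_epoch, an exempt list of logins that must never be locked (root, oracle, ...), and a fixed "today" value; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lock accounts on a non-Trusted HP-UX
# box once their password is older than MAX_DAYS, skipping exempt logins.
# Record format is a hypothetical admin-kept file: user:last_change_epoch
# Uses only POSIX sh features ($(( )), read -r, grep -qx).

MAX_DAYS=90

# expired_accounts RECORDS EXEMPT NOW_EPOCH
# Prints one login per line whose last change is older than MAX_DAYS
# and which is not listed (whole-line match) in the exempt file.
expired_accounts() {
    records=$1; exempt=$2; now=$3
    limit=$((MAX_DAYS * 86400))
    while IFS=: read -r user changed; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac    # allow comment lines
        if grep -qx "$user" "$exempt"; then       # never lock exempt IDs
            continue
        fi
        if [ $((now - changed)) -gt "$limit" ]; then
            echo "$user"
        fi
    done < "$records"
}

# lock_expired RECORDS EXEMPT NOW_EPOCH [DRY]
# Locks each expired login with passwd -l; DRY=1 only prints the commands.
lock_expired() {
    dry=${4:-0}
    expired_accounts "$1" "$2" "$3" | while read -r u; do
        if [ "$dry" = 1 ]; then
            echo "passwd -l $u"
        else
            /usr/bin/passwd -l "$u"
        fi
    done
}

# Constructed sample data: root/oracle are exempt, usera is 91 days old,
# userb is 22 days old. NOW is pinned so the run is reproducible.
SAMPLE_RECORDS=$(mktemp); SAMPLE_EXEMPT=$(mktemp)
cat > "$SAMPLE_RECORDS" <<'EOF'
root:1100000000
oracle:1100000000
usera:1100000000
userb:1106000000
EOF
printf 'root\noracle\n' > "$SAMPLE_EXEMPT"
NOW=1107900000
```

Run it from cron once a day with the real record file and DRY=0 only after the exempt list has been reviewed against the whole passwd file, as the thread advises.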