Operating System - HP-UX

Gord Moore
Frequent Advisor

days between password changes problem

Am I doing something wrong or is this a feature?

I recently changed the system-wide default for "Time between password changes (Days)" via SAM --> Auditing and Security --> System Security Policies --> Password Aging Policies, and set the number of days to 7, which should mean that a user cannot change passwords until 7 days have elapsed (to prevent quick changes to re-use the password). That sounds good and seems to work.

It seems to work too well. An account was deactivated due to password lifetime expiry. So in SAM I reactivated the account and the system generated a password. The user was able to log in using that password, but could not change it.

Password cannot be changed. Reason: minimum time between password changes.

I thought that if root changed the password, it should either request a new one immediately, or allow the user to change their own. How do I get password resets/account reactivations to ignore the "days between" rule?

This is on an HP-UX 11i system with Trusted passwords.

Thanks.

4 REPLIES
RAC_1
Honored Contributor

Re: days between password changes problem

/usr/lbin/getprpw -m mintm user_name
/usr/lbin/getprpw -m spwchg user_name

The spwchg should be the date when you reactivated the account and set the password for the user. If not, this is the problem. I think this is what trusted system gives.

Anil
There is no substitute to HARDWORK
Sundar_7
Honored Contributor

Re: days between password changes problem

Gord,

Check the exptm and mintm settings for the user.

If the value for exptm is LESS than mintm then the user CANNOT change the password

# /usr/lbin/modprpw -m exptm=0,mintm=1

# su -

passwd
Password cannot be changed. Reason: minimum time between password changes.


Use /usr/lbin/getprpw -m exptm,mintm to get the settings.

If needed set using /usr/lbin/modprpw command.

--Sundar.


Learn What to do ,How to do and more importantly When to do ?
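The condition described in the reply above (exptm lower than mintm), checked across several accounts, as an added example that is not part of the original thread. It assumes `getprpw -m mintm,exptm` prints comma-separated `name=value` pairs with -1 meaning "system default"; the account names, the sample data and the function names `sample_aging` and `flag_blocked` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag trusted-system accounts where exptm is lower than mintm,
# the condition the reply above says stops a user from changing the password.
# Assumption: getprpw -m prints "mintm=N, exptm=N"; -1 = use system default.

# Constructed sample, one "user: <getprpw output>" line per account.
# On a live system each line could be built with:
#   echo "$u: $(/usr/lbin/getprpw -m mintm,exptm "$u")"
sample_aging() {
cat <<'EOF'
alice: mintm=7, exptm=90
bob: mintm=1, exptm=0
carol: mintm=-1, exptm=-1
dave: mintm=14, exptm=7
erin: mintm=7
EOF
}

# Reads "user: k=v, k=v" lines on stdin, prints one line per flagged user.
flag_blocked() {
    while IFS=: read -r user fields; do
        mintm=''
        exptm=''
        old_ifs=$IFS
        IFS=', '                      # split the name=value pairs
        for pair in $fields; do
            case $pair in
                mintm=*) mintm=${pair#mintm=} ;;
                exptm=*) exptm=${pair#exptm=} ;;
            esac
        done
        IFS=$old_ifs
        # Skip lines with a missing or non-numeric value.
        case $mintm in ''|*[!0-9-]*) continue ;; esac
        case $exptm in ''|*[!0-9-]*) continue ;; esac
        # -1 defers to the system default, which is not known here.
        if [ "$mintm" -lt 0 ] || [ "$exptm" -lt 0 ]; then
            continue
        fi
        if [ "$exptm" -lt "$mintm" ]; then
            echo "$user mintm=$mintm exptm=$exptm"
        fi
    done
}

sample_aging | flag_blocked
```

Accounts left at -1 are skipped, so the system-wide defaults need to be compared separately.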
Sridhar Bhaskarla
Honored Contributor
Solution

Re: days between password changes problem

Hi,

You are right. Even if root changes the password, the restriction will still be applied.

I do the following in such cases.

1. Ask if the user knows the password on the system. If so, simply run 'modprpw -k ' and the user should be able to login.

2. If the user doesn't know the password, there are two options
a. Ask for an HP system where the user knows the password. Simply grab the encrypted string from /tcb/files/auth// file from that system and replace the existing encrypted string with it on the local system. Run 'modprpw -k '.
b. If the user doesn't have a working account on any other HP system, then generate an encrypted password for yourself using /usr/lib/makekey program. It takes exactly 10 chars with first 8 being the password. The last two chars are to be random and are called salt. For ex., to set a password of "Bla123!" do

echo "Okay123!xy" |/usr/lib/makekey

Copy the encrypted string thus generated and put it in the user's tcb file and run 'modprpw -k '.

Note that editing the user tcb files is not a clean method. Ensure that no other SA is on the system doing account related stuff while you are editing the tcb files.

-Sri


You may be disappointed if you fail, but you are doomed if you don't try
Gord Moore
Frequent Advisor

Re: days between password changes problem

Thanks Anil and Sundar.

I am going to copy Sri's answer into my tip book because it really answers the question that I cannot ignore the "days between" rule. It seems a kludge to have to edit the tcb files manually. Oh well.

Thanks all.