Operating System - HP-UX

Disable users changing their password

 
Mark Daintree
Occasional Advisor

Disable users changing their password

I want to set up a user that does not have the ability to change their own password. I have tried this via sam with the 'Allow only Super-User to change password'. This only expires it and once changed reverts back to the 'Normal Behaviour' option.
P.S. I'm on HP-UX 11.

Alexander M. Ermes
Honored Contributor

Re: Disable users changing their password

Hi there.
In the SAM / Users&groups / users / modify user
there is a dropdown menu 'modify password options' for password behaviour. There you will find the option
'Password change only by superuser'.
Rgds
Alexander M. Ermes
.. and all these memories are going to vanish like tears in the rain! final words from Rutger Hauer in "Blade Runner"
Stefan Farrelly
Honored Contributor

Re: Disable users changing their password

On a trusted system use the command:

modprpw -m mintim=

If you set it to, say, 52 weeks they won't be allowed to change their passwords for a year, then you can simply reset it to another year...
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Mark Daintree
Occasional Advisor

Re: Disable users changing their password

Thanks but as I originally stated this has the effect of 'password expired' when the user next connects.

Is there a way to control the passwd file?
Brian Hackley
Honored Contributor

Re: Disable users changing their password

Alister,
One thing I thought of would be for you to create a wrapper script around the passwd binary (/bin/passwd, /usr/bin/passwd), which would check against the user (e.g. $LOGNAME). If the user matches, set exit status appropriately. If the user is not a match (e.g. permitted), then call /usr/bin/passwd.real to change the user password. I have not tried this but this is just a thought that sprang to mind. Example hack lies below.
Regards,
-> Brian Hackley

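#!/sbin/sh
# set -x
# Remember permissions and owner for this wrapper must match the original file.
# Copyright 2001 Hewlett-Packard Co.

# Refuse password changes for the restricted user; everyone else is passed through.
if [ "$LOGNAME" = "charlie" ]
then
    exit 1
else
    # Hand over to the renamed original binary, preserving each argument as given.
    /usr/bin/passwd.real "$@"
    exit $?
fi
# End of wrapper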
Ask me about telecommuting!
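
Added example (not part of the original thread and not HP code): a hardened form of the wrapper idea above that takes the caller's name from `id -un` instead of the user-settable `$LOGNAME` and checks it against a deny list. `DENY_USERS`, the function names and the run-only-when-named-`passwd` guard are assumptions; `/usr/bin/passwd.real` is the renamed binary from the post.

```shell
#!/bin/sh
# Added example: hardened variant of the passwd wrapper idea from this thread.
# Assumptions: the real binary was renamed to /usr/bin/passwd.real (as in the
# post) and DENY_USERS is a constructed sample list.

REAL_PASSWD=/usr/bin/passwd.real
DENY_USERS="charlie forgetful"   # constructed sample; space-separated logins

# Name of the invoking user, taken from the process credentials.
# $LOGNAME is an environment variable the user can overwrite, so it is ignored.
caller_name() {
    id -un
}

# Return 0 if the login name in $1 is on the deny list, 1 otherwise.
is_denied() {
    for u in $DENY_USERS; do
        if [ "$u" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# Refuse for denied users, otherwise hand over to the real binary with the
# original arguments preserved word for word.
wrapper_main() {
    who=$(caller_name) || exit 1
    if is_denied "$who"; then
        echo "passwd: password changes are disabled for $who" >&2
        exit 1
    fi
    exec "$REAL_PASSWD" "$@"
}

# Run only when installed under the name "passwd", so the functions can be
# sourced and checked without touching the real binary.
case "${0##*/}" in
    passwd) wrapper_main "$@" ;;
esac
```

A shell wrapper is not setuid, so `/usr/bin/passwd.real` has to stay setuid and executable for the permitted users; the wrapper therefore only restricts the default `passwd` command name, not the renamed binary itself.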
Mark Daintree
Occasional Advisor

Re: Disable users changing their password

I'm not on a trusted system. I did try
passwd -n 441 username
but when I tried to reconnect as the user the password was expired.
Stefan Farrelly
Honored Contributor

Re: Disable users changing their password


The sort of functionality you want you really need to be running a trusted system. If not, then you will need a wrapper script as Brian suggested earlier.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
KapilRaj
Honored Contributor

Re: Disable users changing their password

Hi,

I have a solution for you. Keep in mind that this solution prevents all the users except superusers from changing their / other's password.

#cp /usr/bin/passwd /usr/bin/passwd.backup

( Backing up old passwd command for safety)

#chmod u-s /usr/bin/passwd

(Removes SUID so that only super user can modify /etc/passwd so their passwords)

Hope this helps you.......

Kaps
Nothing is impossible
Bruce Regittko_1
Esteemed Contributor

Re: Disable users changing their password

Hi,

I believe that if you set password aging on the account so that the minimum time is greater than the maximum time, then the user will not be able to change their password:

passwd -x 0 -n 7 forgetful

should do the trick for user "forgetful". See the passwd(1) man page for more information.

--Bruce
www.stratech.com/training
Mark Daintree
Occasional Advisor

Re: Disable users changing their password

I tried the passwd -x 0 -n 1 option which had the effect of expiring the password for the user again.


Within sam I set these values to 62 and 63 respectively which means the password will expire after 62 weeks but cannot be changed.
Using sam did not have the effect to expire my password. Very odd.

This looks to be the best workaround. It means every 62 weeks I must remember to change the password.

Thanks for the contribution guys.