Operating System - HP-UX

How to Force Password Aging

 
zap_2
Advisor

How to Force Password Aging

Hi Unix Gurus,
My system is a non-trusted system.
How do I force password aging of minimum 4 weeks and maximum 12 weeks for all users that reside in the /etc/passwd file, and how do I change back to no restriction again?
What are the strengths and weaknesses of trusted and non-trusted systems?
saju_2
Respected Contributor

Re: How to Force Password Aging

Hi

Please refer to the link below.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=946795

and for trusted systems information please refer to

http://docs.hp.com/en/B2355-90121/

regards
CS
Simon Hargrave
Honored Contributor

Re: How to Force Password Aging

You cannot enable password ageing without a trusted system; however, there is no disadvantage to not running a system in trusted mode. However, it is advisable to test it on a test box first in case you have any "strange" software or scripts that rely on passwords being stored in /etc/passwd.

Use tsconvert to enable trusted mode, then either use SAM or modprpw/modprdef to set specifics.

You can roll back with "tsconvert -r".
Yogeeraj_1
Honored Contributor

Re: How to Force Password Aging

hi,

>>"What are strength and weakness between trusted and non trusted system?"

see: http://www.faqs.org/faqs/hp/hpux-faq/section-68.html

and the ebook on "Administering Your HP-UX Trusted System"

http://docs.hp.com/en/B2355-90121/B2355-90121.pdf

hope this helps too!

regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Cem Tugrul
Esteemed Contributor

Re: How to Force Password Aging

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=854273

Good luck,
Our greatest duty in this life is to help others. And please, if you can't
Bill Hassell
Honored Contributor
Solution

Re: How to Force Password Aging

A couple of notes about aging:

- Non-trusted systems can have password aging. See both man pages for passwd:

man 1 passwd
man 4 passwd

For a non-trusted system, there are 2 to 4 characters following an optional comma in the encrypted password field. You can set these with SAM (always) or use the passwd command itself (unless you are using an obsolete version of HP-UX).

Note that tsconvert will indeed convert a system between Trusted and non-Trusted, but you should be aware that tsconvert is an undocumented, back-end (or support) command designed only for use with SAM. If you convert to a Trusted system, all passwords are immediately expired and every user must choose a new password before they can log in. You can fix this with another backend command: modprpw. In the case of both commands (tsconvert and modprpw), they are found in a special directory: /usr/lbin

Although modprpw and getprpw now have man pages (unless you have an old system), they are still support commands and they may change options or even disappear at some time in the future. SAM will convert your system cleanly. NOTE: Trusted systems allow much longer passwords, while standard systems allow only 8 significant characters. While you can type more, only the first 8 are used. That is not the case for Trusted, so some passwords may seem to not work after conversion--just tell the user to type no more than the first 8 characters of the password.


Bill Hassell, sysadmin
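
Added example, not part of the thread and not HP code: a shell/awk audit that decodes the aging characters after the comma described in the answer above and checks each entry against the 4-week minimum and 12-week maximum the question asks for. The digit alphabet and field layout are taken from the classic passwd(4) aging format and should be confirmed against `man 4 passwd` on your release; the function names and the sample entries (with placeholder hashes) are constructed.

```shell
#!/bin/sh
# Decode the aging suffix in field 2 of passwd(4) entries (non-trusted system).
# Aging digits ". / 0-9 A-Z a-z" stand for 0..63. After the comma:
#   char 1 = maximum weeks, char 2 = minimum weeks,
#   remaining chars = week of last change since 1970, low digit first.

audit_aging() {            # usage: audit_aging MIN_WEEKS MAX_WEEKS < passwd-file
    awk -F: -v wmin="$1" -v wmax="$2" '
    function val(c) { return index(digits, c) - 1 }
    BEGIN { digits = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" }
    {
        n = index($2, ",")
        if (n == 0) { print $1 ": no-aging"; next }
        age = substr($2, n + 1)
        if (length(age) < 2) { print $1 ": aging-field-too-short"; next }
        max = val(substr(age, 1, 1)); min = val(substr(age, 2, 1))
        last = 0; mult = 1
        for (i = 3; i <= length(age); i++) {
            last += val(substr(age, i, 1)) * mult; mult *= 64
        }
        # min = max = 0 forces a change at next login; min > max means
        # only the superuser can change the password.
        if (max == 0 && min == 0) status = "change-at-next-login"
        else if (min > max)       status = "root-only-change"
        else if (min == wmin && max == wmax) status = "ok"
        else                      status = "mismatch"
        print $1 ": max=" max " min=" min " lastweek=" last " " status
    }'
}

sample_passwd() {          # constructed entries; the hashes are placeholders
    cat <<'EOF'
alice:XXXXXXXXXXXXX,A2WQ:101:20::/home/alice:/usr/bin/sh
bob:XXXXXXXXXXXXX:102:20::/home/bob:/usr/bin/sh
carol:XXXXXXXXXXXXX,..:103:20::/home/carol:/usr/bin/sh
dave:XXXXXXXXXXXXX,./:104:20::/home/dave:/usr/bin/sh
erin:XXXXXXXXXXXXX,80:105:20::/home/erin:/usr/bin/sh
EOF
}

sample_passwd | audit_aging 4 12
```

On a live system, run `audit_aging 4 12 < /etc/passwd` as a read-only check; entries reported as `no-aging` or `mismatch` are the ones that still need the policy applied.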
Flavio Lacks
Frequent Advisor

Re: How to Force Password Aging

Two options on the passwd command enable password aging: -x defines the maximum number of days a user may wait between password changes, and -n defines the minimum number of days a user may retain a password before they are allowed to change.
# passwd -n 7 -x 70 user1

OK, good luck.