HPE Community
Operating System - HP-UX
1847158 Members
6050 Online
110263 Solutions
New Discussion

HP-UX Account is disabled upon password expiry

 
SOLVED
Go to solution
Wan Yue Gong
New Member

‎07-04-2004 02:07 PM

‎07-04-2004 02:07 PM

HP-UX Account is disabled upon password expiry

Hi all,

Can I check with you:

- how can I confirm that my HP-UX B.11.00 U 9000/800 has been converted to Trusted System?

My company has such a security policy:
- to force password change upon password reset by administrator
- to change password on the next 90th day upon password update
- to warn password expiry 5 days before the password expires
- not to allow password change initiated by user within 7 days once the password is updated by user
- disable id which is inactive for >90days

password aging policy has been set as such in SAM:
- Time between password changes (days): 7
- Password expiration time (days): 90
- Password expiration warning time (days): 5
- Password life time (days): 90

My questions are:
- is the above being set correctly in SAM according to the policy?
- users are complaining that they don't get password expiry warning message from system, why is this so?
- users also complained that ids are being locked by system after 90 days upon password change, even if the id is active, why is this so?

Appreciate your assistance. Thanks in advance!

wanyue
wanyue.gong@aig.com
0 Kudos
Reply
7 REPLIES 7
Michael Tully
Honored Contributor

‎07-04-2004 02:25 PM

‎07-04-2004 02:25 PM

Re: HP-UX Account is disabled upon password expiry

Running /usr/lbin/getprpw will tell you if your system is in trusted mode.

There are two sets up rules, one being system wide and those set in each users account. If they have not been changed at a user's level then the global rules would apply. Check the affected user accounts to see if anything has been set there.
Anyone for a Mutiny ?
0 Kudos
Reply
Wan Yue Gong
New Member

‎07-04-2004 02:35 PM

‎07-04-2004 02:35 PM

Re: HP-UX Account is disabled upon password expiry

Thanks Mike.

When I run the command /usr/lbin/getprpw -r , I get this reply:

# /usr/lbin/getprpw -r
110, NO, 288, 1, -1, -1, -1, -1, Mon Apr 5 09:52:50 2004
, Mon Apr 5 09:51:55 2004
, -1, 90, -1, DFT, DFT, DFT, DFT, -1, DFT, DFT, -1, Tue Jun 29 15:57:33 2004
, Mon Jul 5 08:23:56 2004
, pts/t1, 1, pts/tl, -1, NO, 1000000


- how do I interprete the lines above?
- password aging criteria is set as such for the user:

PS 040504 7 90 5
90 000000

- do you see anything wrong with it (as compared to the company policy outlined in my 1st question)?

Thanks...

wanyue
wanyue.gong@aig.com
0 Kudos
Reply
Con O'Kelly
Honored Contributor

‎07-04-2004 03:52 PM

‎07-04-2004 03:52 PM

Re: HP-UX Account is disabled upon password expiry

Hi Wanyue

You can use the following command to show what system wide defaults are in place:
# /usr/lbin/getprdef -p

The /usr/lbin/getprpw command shows settings for individual users.

To answer your last question, the getprpw output seems to suggest that the there is no expiry set for user as evidenced by the "-1" flag.
It appears that you have missed the actual variables in the output. Output should be in form:
# /usr/lbin/getprpw
uid=110, bootpw=NO, audid=31, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Sep 10 15:12:23 2003........

Cheers
Con
Reply
Wan Yue Gong
New Member

‎07-04-2004 04:12 PM

‎07-04-2004 04:12 PM

Re: HP-UX Account is disabled upon password expiry

Thanks Con.

If the global setting is updated, what will happen to the existing user accounts? Will the policy be changed accordingly?

If not possible, how can I apply a script to change the current user account settings to follow the global setting?

rgds,
wanyue
0 Kudos
Reply
Con O'Kelly
Honored Contributor

‎07-04-2004 04:33 PM

‎07-04-2004 04:33 PM

Solution

Re: HP-UX Account is disabled upon password expiry

Hi

Changing the global setting will not affect current users.

To change the current settings for a user you need to look at using the /usr/lbin/modprpw command or else SAM.

For example:
# /usr/lbin/modprpw -m exptm=90,expwarn=5,mintm=7

This will set password expiration at 90 days, minimum time between password changes to 7 days and warn users to change password 5 days prior to expiration.

Look at the man pages for modprpw which I have attached.
You need to be very careful using this from command line. Ensure that you don't expire users accounts when setting the 'exptm' value.

Cheers
Con
Reply
Fred.Wu
Frequent Advisor

‎07-04-2004 04:46 PM

‎07-04-2004 04:46 PM

Re: HP-UX Account is disabled upon password expiry

/usr/lbin/getprpw can see if trust system.
or, you can check if /tcb exist, if yes, it should be a trust system.

To disable trust, run
/etc/tsconvert -r
fred
0 Kudos
Reply
Con O'Kelly
Honored Contributor

‎07-04-2004 05:07 PM

‎07-04-2004 05:07 PM

Re: HP-UX Account is disabled upon password expiry

Hi again

After using the modprpw command in my previous post, you can use:
# /usr/lbin/modprpw -l -v

This will reset the users last password change to the curent day/time so that their account will not be expired if for example their last password change was > 90 days.

Cheers
Con
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.