HPE Community
Operating System - HP-UX
1833748 Members
2697 Online
110063 Solutions
New Discussion

HPUX Password Aging on Live and Failover system

 
reektan
New Member

‎01-12-2010 07:12 AM

‎01-12-2010 07:12 AM

HPUX Password Aging on Live and Failover system

Hi All,

Currently I have a scenario where we have a custom application running on HPUX 11.31 on one Live server. There is room to fail this server over should a hardware failure occur but the process is incredibly manual.

The main question I have is currently there is no password policy assigned so every night the /etc/passwd and /etc/group files are copied from the Live server to the standby. If I enable password ageing this would surely cause an issue if I opted to fail over to the standby as it would not be in sync with the current.

Is it possible to use the password aging via SAM or use shadow passwords and have the ability to copy the passwd and group files retaining the timings - so users who log into the standby server if it's brought into play still have the same amount of time left on their passwords before requiring a change.

Thanks in advance.
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

‎01-12-2010 07:23 AM

‎01-12-2010 07:23 AM

Re: HPUX Password Aging on Live and Failover system

Shalom,

You might be better off copying the /etc/passwd and /etc/group files every day.

Enabling this policy may simply result in all users being expired when you G-d forbid, have to fail over.

For the sake of simplicity,and making sure the fail over system actually works, it might be better to enable password aging after fail over. The key thing to remember here is you want it to work if you need it. That is way more important than making sure every worker with three days left on their password has three days left in a DR scenario. There are too many things that can go wrong, and many other things that will probably require your time.

Another option would be using NIS or LDAP to maintain authentication of users on the second server. In a disaster, your secondary server should remain up to date.

In this last scenario, I'm presenting, your aging take place on the production master server, and the single sign on infrastructure takes care of updates. Of course your system must be live and available for NIS or LDAP to actaully work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
reektan
New Member

‎01-12-2010 07:35 AM

‎01-12-2010 07:35 AM

Re: HPUX Password Aging on Live and Failover system

Hi Steven,

Thanks for the reply - some very interesting notes there. The problem that I'm finding is if I enable password aging now. Will I see issues copying /etc/passwd ( which will have the password as an x instead of encyrpted? ) and /etc/group with people logging in on the failover. Does the password aging store the timings in a local database?

I've done a lot of reading on this but I'm coming up short. In some cases people say to use SAM to configure the system as trusted and in others they recommend using Shadow passwords with aging.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎01-12-2010 08:06 PM

‎01-12-2010 08:06 PM

Re: HPUX Password Aging on Live and Failover system

>if I enable password aging now, will I see issues copying /etc/passwd (which will have the password as an x instead of encrypted?)

You can have limited password aging with the default, without shadow or trusted.

>Does the password aging store the timings in a local database?

Yes, in /etc/passwd:
http://docs.hp.com/en/B2355-60130/passwd.4.html#d0e1054375
Password aging is put in effect for a particular user if his encrypted password in the password file is followed by a comma and a non-null string of characters from the above alphabet. ...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.