Need clarification for some output fo "passwd" command.

senthil_kumar_1 · ‎06-22-2009

Hi

I am using HP-UX 10.20, 11.00, and 11.11.

My outputs:

A)

A-1) root@lgapps:/root > passwd -s tanney
tanney PS 05/28/09 14 28

A-2) root@lgapps:/root > passwd -s ze4egi
ze4egi PS

Questions:

why there is difference between the output of A-1 and A-2.

A-1 is showing something like "05/28/09 14 28 ", pls explain about this.

Why A-2 is not displaying anything like A-1.

B)

B-1)root@lgapps:/root > date
Mon Jun 22 08:39:01 CDT 2009

B-2)root@lgapps:/root> passwd -l rtanney

B-3)root@lgapps:/root > passwd -s rtanney
rtanney LK 06/18/09 14 28

Questions:

Actually i locked the account "rtanney" on "Mon Jun 22 08:39:01 CDT 2009". but in B-3 it is showing like "06/18/09".

pls explain

Questions:

OldSchool · ‎06-22-2009

had you checked the man page, you would have found the following:

"-s name
Display some password attributes associated with the specified name. Superuser privilege and non-trusted mode is required if the files repository is specified. For nisplus, there are no restrictions.

The format of the display will be:

name status mm/dd/yy min max warn

or, if password aging information is not present

name status

where status PS=passworded; LK=locked; and NP=no password."

===========================================================

RE: A-1 and A-2:

ex. A-1 has been set up with password aging, while ex A-2 doesn't have the same. I believe the 5/28/09 date in A-1 is the date the password was last set or changed, while the "14" refers to the minimum #days that must elapse before the password can be changed, and the "28" refers to the maximum #days between changes.

RE: B-3
as above, the "date" refers to the date the password was last changed, not the date the account was locked. You might run "last rtanney" to verify the account was accessed on that date.

Depending (I believe) on OS level and patching, the password aging features may or may not be enabled, or at least not by using /etc/security file (10.20 / 11.0 might be an issue)

Sunny123_1 · ‎06-22-2009

Hi

With reference to man page

-s name = Display some password attributes associated with the
specified name.Superuser privilege and non-trusted mode is required if the files repository is specified.For nisplus, there are no restrictions.

And in B-3 it shows LK means it is lock.

Regards
Sunny

Pete Randall · ‎06-22-2009

You do have man pages on your systems, don't you? You might want to try reading them.

Pete

Pete

OldSchool · ‎06-22-2009

For your future reference, even if you don't have the man-pages installed, they are available here for 11iv1, v2 and v3:

http://docs.hp.com/en/hpuxman_pages.html

for 10.x and 11.0, see:

http://docs.hp.com/en/archive.html#HP-UX%20Reference%20%28Manpages%29

senthil_kumar_1 · ‎06-23-2009

Hi All,

How to set the aging policies for the users already created and new users.

OldSchool · ‎06-23-2009

"How to set the aging policies for the users already created and new users."

For users already created, consult the previously noted "man" page(s) for "passwd".

To have the system default those values for new users, you might consult the docs referenced your other thread about this same subject in the following thread:

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1245802763210+28353475&threadId=1328224

in particular, see the links provided by S.E.P. in the above,

you really need to start:

1) reading responses
2) reading the "man" pages
3) if necessary, start taking notes

Md. Farhan A Azam · ‎06-24-2009

Hi Senthil,

How to set the aging policies for the users already created and new users.
>> In HP-UX 11.11 folow the below steps to configure aging.

sam -> Auditing & Security -> System Securities Policies (It will ask you to convert the system in trusted mode if not in trusted mode)-> Yes -> It will show you (Successfully converted to trusted mode. Press Ok to continue) ->Ok ->Password Aging Policies -> Here Enable the Policy and configure as per your requirement.

OR

You may configure in /etc/default/security file also.

#vi /etc/default/security

PASSWORD_MAXDAYS=
PASSWORD_MINDAYS=
PASSWORD_WARNDAYS=

Hope it will help you.

thnx...farhan

Ganesan R · ‎06-24-2009

Hi,

You can set account and password policies using /etc/default/security file.

read this.. or man security
http://docs.hp.com/en/B3921-60631/security.4.html

Another way, convert the system to trusted one. You can set many policies in trusted system.

Best wishes,

Ganesh.

Steven E. Protter · ‎06-24-2009

Shalom,

On a simple, most basic level for 11.11 and 11.23 password policy can be set for the system with sam. I'm sure sam's replacement will do the same thing in 11.31.

What that does is set policy in /etc/default/security . Using sam to learn how these settings work is a reasonable path to take.

If you want better output on your original question, try passwd -sa

That provides a slightly more detailed display. The variations you see are based on when the passwd command was written. It is reasonable to expect improvements with newer versions of HP-UX.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Suraj K Sankari · ‎06-24-2009

Hi,
>>How to set the aging policies for the users already created and new users.

see the example below
For new user
# useradd â o -u 101 \ # UID
-g users \ # primary group
-G class,training \ # secondary groups
-c â student userâ \ # comment field
â m â d /home/user1 \ # make a home directory for the user
â s /usr/bin/sh \ # default shell
-e 1/2/2006 \ # define an account expiration date
user1 # username

For existing user
usermod â e 1/2/2006 user1 # change the userâ s account expiration

Suraj

Suraj K Sankari · ‎06-24-2009

Hi Again,
I am posting again because of garbage character.

>>How to set the aging policies for the users already created and new users.

see the example below
For new user
# useradd -o -u 101 \ # UID
-g users \ # primary group
-G class,training \ # secondary groups
-c "student user" \ # comment field
-m -d /home/user1 \ # make a home directory for the user
-s /usr/bin/sh \ # default shell
-e 1/2/2006 \ # define an account expiration date
user1 # username

For existing user
usermod -e 1/2/2006 user1 # change the user1's account expiration

Suraj

Sunny123_1 · ‎06-24-2009

Hi

Lookout for /et/default/security file.

http://www.docs.hp.com/en/B2355-60103/security.4.html

Regards
Sunny

senthil_kumar_1 · ‎06-24-2009

Hi All,

Actually my server (HP-UX 11.00) is in standard mode.

But i am able to see some aging policies for some users and not for some users, is it possible.

Ex:

root@lgapps:/etc/default > passwd -s rtanney
rtanney LK 06/18/09 14 28

root@lgapps:/etc/default > passwd -s ze4egi
ze4egi PS

Pls explain me the difference.

Ganesan R · ‎06-24-2009

Hi Senthil,

The two letter comes just after user name says the status of the account, where possible status are
PS=passworded;
LK=locked; and
NP=no password.

Other parameter indicates the account/password aging details.

Best wishes,

Ganesh.

Sunny123_1 · ‎06-24-2009

Hi Senthil

The date is the date the password was last set or changed,the "14" refers to the minimum days that must elapse before the password can be changed, and the "28" refers to the maximum days between changes.

Regards
Sunny

Steven E. Protter · ‎06-24-2009

Shalom,

For 11.00 the passwd -sa program is less advanced, as you already know.

The /etc/default/security implementation is possible though maybe not with sam.

Try a man page on /etc/default/security if you need more details.

This should be something we can get done.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

senthil_kumar_1 · ‎06-24-2009

Hi All,

What am asking is that why it showing aging policies for "rtanney" and not for "ze4egi", since my system is in standard mode (but not in trusted mode.).

Pls explain me.

Dennis Handly · ‎06-24-2009

>why it showing aging policies for "rtanney" and not for "ze4egi", since my system is in standard mode

In standard mode, you can have password aging established. See passwd(4):
Password aging is put in effect for a particular user if his encrypted password in the password file is followed by a comma and a non-null string of characters ...

So what do the passwd entries look like for "rtanney" and ze4egi"?

Suraj K Sankari · ‎06-24-2009

Hi,

Please provide the output of below commands
#passwd -s -a tanney and
#passwd -s -a ze4egi

From the man page of passwd I got this

-s [-a] Display password attributes for all users in the password file. The -a option must be used in conjunction with the -s option when no name is specified. For nisplus, this will display entries in the NIS+ passwd table in the local domain. For files, this is restricted to superuser.

Suraj

OldSchool · ‎06-25-2009

"What am asking is that why it showing aging policies for "rtanney" and not for "ze4egi", since my system is in standard mode (but not in trusted mode.).

Pls explain me."

because, at least from 11.0 on up (and possibly even earlier versions), password aging doesn't require a trusted system.

Password history, and various construction requirements (min length, how many of what characters and so forth) required a patch at 11.0 if I remember correctly.

don't recall about 11vX and up. Shadow password might be required, or trusted system.

senthil_kumar_1 · ‎06-26-2009

Hi All,

I googled and got some information regarding password system.

1) standard password system:

It is a default system, Encrypted passwords are stored in "/etc/passwd".

2) Trusted password system:

Encrypted passwords are stored in "/tcb/files/auth".

on and before hpux 11.23 (11.v2)

To convert to trusted system:

# sam --> Auditing and Security ---> Convert to Trusted System ---> yes

3) Shadow password system:

Encrypted passwords are stored in /etc/shadow

From hpux 11.31.

To convert to shadow system.

# pwconv

My questions:

Are all above mentioned informations are correct?

Can we configure trusted system in HPUX 11.31?

What is the advantages and disadvantages between trusted system and shadow system.

Sunny123_1 · ‎06-26-2009

Hi

Yes you are correct for all 3 steps.You can also use command line to conert the system in trusted mode

To convert
# /usr/lbin/tsconvert
To unconvert
# /usr/lbin/tsconvert -r

Regards
Sunny

James R. Ferguson · ‎06-26-2009

Hi:

> Can we configure trusted system in HPUX 11.31?

You can, but why do that when 11.31 is stated to be the last release to support the TCB model !?!

Look at the "WARNINGS" section here:

http://docs.hp.com/en/B2355-60130/pwconv.1M.html

You would be far better off using the shadow password implementation and the new 11.31 security features:

http://docs.hp.com/en/5992-3387/index.html

Regards!

...JRF...

Steven E. Protter · ‎06-26-2009

Shalom,

Trusted system is orphaned technology. I personally really liked it and continue to use it on older systems.

Option three in your last post, Shadow password is more Linux like and a good option so that your current generation of systems is compatible with your next generation of systems.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Need clarification for some output fo "passwd" command.

Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.

Re: Need clarification for some output fo "passwd" command.