Operating System - HP-UX

Old version - reset / re-enable passwords

 
Dirk Moolman
Frequent Advisor

Hi, I am a Solaris administrator, and was asked to also administer an HP server a couple of days ago. Version:
HP-UX mimed B.10.20 U 9000/800 143460532 unlimited-user

My problem: some of the users' passwords have expired, and I cannot find a way on Google to re-enable them. I did a man on passwd, but on this version there are not many options to choose from.

Any tips would be greatly appreciated.

Dirk
6 REPLIES
Fabian Briseño
Esteemed Contributor

Re: Old version - reset / re-enable passwords

Hi Dirk, do you have access to SAM? If you do, you could do it there: just type SAM at your command prompt, and there you will find a users and groups option. Once you're there, just select the user you want and go to the actions menu (you select a user by using your space bar). From the actions menu, choose activate and you're done.

Knowledge is power.
Patrick Wallek
Honored Contributor

Re: Old version - reset / re-enable passwords

If this system is trusted, check by looking for the /tcb directory structure, then you can do:

# /usr/lbin/modprpw -k user

to enable users.

You can also do this through SAM

# sam

Go to 'Accounts for Users and Group' then 'Users'

You will now see a list of users. Scroll down, with arrow keys, to the user you need to modify, highlight it by pressing the space bar. Then press the TAB key to activate the top menu, go over to Actions and under the Actions menu go down to REACTIVATE.

That will reactivate the user.

If you need to change their password, make sure the user is still highlighted, go back to ACTIONS and go down to MODIFY USERS PASSWORD or RESET USERS PASSWORD.

Good luck in the HP-UX world.
A. Clay Stephenson
Acclaimed Contributor

Re: Old version - reset / re-enable passwords

This depends greatly upon whether or not this is a trusted system (HP-UX's kinda, sorta shadowed password equivalent). If you have a populated /tcb directory then you have a trusted system and in that case you would execute "/usr/lbin/modprpw -k user" to unlock the account. If it is a trusted system then you know you are not running NIS so you don't have to worry about that. In a non-trusted system, you would need to update the password aging subfield of the passwd hash field to make it appear as though the passwd had just been updated. Man 4 passwd should tell you what needs doing but the exact script requirements will depend upon whether or not you are running NIS.

You could also choose to execute passwd -f user to expire each account so that a new password would be required.
If it ain't broke, I can fix that.
Dirk Moolman
Frequent Advisor

Re: Old version - reset / re-enable passwords

Thank you very much. I will try this as soon as I run into the next disabled account. I played a little with SAM, and in resetting the password, had to choose a new one, and could not test the re-enabling of this account.

I also do not have many files in /tcb - only 1 directory, with another directory underneath it.

I will try the modprpw command next time. I basically just need to re-enable the account, with its previous password for now.

Thanks again
A. Clay Stephenson
Acclaimed Contributor

Re: Old version - reset / re-enable passwords

Since you have a /tcb directory, you indeed do have a Trusted system so the modprpw -k user command will work but it would be tedious in the extreme to not script this and I wouldn't dream of using a wimpy solution like sam.

What we should do is loop through all the logins and use "getprpw -m lockout user" to extract the lockout value. This is a 7 character pseudo-tcb-field with a '0' (unlocked) or a '1' (locked) and the position of each digit is significant.

1 - past password lifetime
2 - past last login time
3 - past absolute account lifetime
4 - too many failed attempts
5 - null password found
6 - locked by admin
7 - password is a *

What you should do is first see if there is a "1" in any of the 1st 4 positions AND also that positions 5-7 are "0" -- this would indicate that the account is locked but not for any administrative reason. If it passes both those tests then we should call modprpw -k user to unlock the account.


This should be very close:

#!/usr/bin/sh
# Report which locked accounts can be re-enabled with modprpw -k.

typeset U=""
typeset -i STAT=0

logins | awk '{print $1}' | while read U
do
    typeset LCK=""
    echo "User: ${U} \c"
    # The cut offsets below assume output of the form lockout=NNNNNNN
    LCK=$(/usr/lbin/getprpw -m lockout "${U}" 2>/dev/null)
    STAT=${?}
    if [ ${STAT} -eq 0 ]
    then
        typeset X1=""
        typeset X2=""
        echo "${LCK} \c"
        X1=$(echo "${LCK}" | cut -c 9-12)   # positions 1-4
        if [ "${X1}" != "0000" ]
        then # found a 1 in 1-4
            X2=$(echo "${LCK}" | cut -c 13-)   # positions 5-7
            if [ "${X2}" = "000" ]
            then # 5-7 all 0
                echo "Yes \c"
                # /usr/lbin/modprpw -k ${U}
                STAT=${?}
            fi
        fi
    fi
    echo
done
exit ${STAT}
---------------------------------

Note that I have the modprpw -k command commented out. I would run it like this until you are satisfied and then comment the 'echo "Yes \c"' and uncomment the modprpw.

If it ain't broke, I can fix that.
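
The lockout field from the post above can also be decoded into named reasons before anything is unlocked, so the reason for each lock is on record. This is an added example, not code from the thread: the function names, the reason labels and the sample users are constructed, and the `lockout=NNNNNNN` input format is assumed from the `cut` offsets in the script above.

```shell
#!/bin/sh
# Added example: decode the 7-digit lockout field described in the thread.
# Runs on constructed sample strings only; it does not call getprpw or modprpw.

# Reason labels (hypothetical names) in the position order listed in the post, 1..7.
REASONS="password-lifetime last-login-time account-lifetime failed-attempts null-password admin-lock star-password"

# lockout_bits: print the 7 digits, or return 1 if the field is malformed.
lockout_bits() {
    bits=${1#lockout=}
    case $bits in
        *[!01]*|"") return 1 ;;
    esac
    [ ${#bits} -eq 7 ] || return 1
    printf '%s\n' "$bits"
}

# lockout_reasons: print a comma-separated list of the positions that are set.
lockout_reasons() {
    bits=$(lockout_bits "$1") || return 1
    out=""
    for name in $REASONS; do
        case $bits in
            1*) out="${out:+$out,}$name" ;;
        esac
        bits=${bits#?}          # drop the digit just examined
    done
    printf '%s\n' "${out:-none}"
}

# unlock_decision: "unlock" only when positions 1-4 hold a 1 and 5-7 are 000.
unlock_decision() {
    bits=$(lockout_bits "$1") || { echo invalid; return 1; }
    case $bits in
        0000000) echo not-locked ;;
        ????000) echo unlock ;;
        *)       echo leave-locked ;;
    esac
}

# Constructed samples in user:field form.
for rec in alice:lockout=1000000 bob:lockout=0001010 carol:lockout=0000000 dave:lockout=10x0; do
    user=${rec%%:*}; field=${rec#*:}
    printf '%-6s %-13s %s\n' "$user" "$(unlock_decision "$field")" \
        "$(lockout_reasons "$field" || echo malformed)"
done
```

Keeping the decoded reasons alongside the decision makes it easy to review accounts locked at position 4 (too many failed attempts) separately from those that simply aged out.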
Dirk Moolman
Frequent Advisor

Re: Old version - reset / re-enable passwords

Excellent, thank you very much - I do appreciate this