
passwd -f xyz

 
Hanry Zhou
Super Advisor

passwd -f xyz

When I issue the command as root, it expires the password for user xyz; xyz has to enter the old password first, and then he is forced to enter the new password.

My question is how the system handles the login process; what is the mechanism? I assume the system will invoke /usr/bin/passwd when the user logs in, and use the command to change the password. But I did a little test, and it seems the system did not invoke /usr/bin/passwd.

Any idea?

Jeff Schussele
Honored Contributor

Re: passwd -f xyz

Hi Hanry,

Did you check for /sbin/passwd?

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
A. Clay Stephenson
Acclaimed Contributor

Re: passwd -f xyz

Older versions of login invoked passwd or yppasswd (in the case of NIS-managed passwords) as a separate child process and then continued with the login, but newer versions of login do all of this with libpam (PAM - Pluggable Authentication Module) functions within the parent process itself, which are the same ones that the passwd command itself uses.
If it ain't broke, I can fix that.
A. Clay Stephenson
Acclaimed Contributor

Re: passwd -f xyz

I should add: do a man 3 pam for more details.
If it ain't broke, I can fix that.
Hanry Zhou
Super Advisor

Re: passwd -f xyz

Yes, I did check /sbin/passwd. No, this is not the one the system will be invoking.
Hanry Zhou
Super Advisor

Re: passwd -f xyz

A.Clay,

I don't quite understand you, but it seems that the system doesn't invoke /usr/bin/passwd; it uses its own way to force the user to change his password.

I don't want to change "passwd" itself; I have our own passwd, and it supposedly handles security issues better. So I want to replace the mechanism with our own passwd. I have to understand the HPUX mechanism first before I can replace it.
A. Clay Stephenson
Acclaimed Contributor

Re: passwd -f xyz

Well, in that case, you have essentially two options:

1) Use the standard login program supplied with HP-UX and write a set of custom PAM functions.

2) Use a custom login program in place of the standard.
If it ain't broke, I can fix that.
Hanry Zhou
Super Advisor

Re: passwd -f xyz

Clay,

I don't know much about the login process and PAM. Any recommendation on docs?
A. Clay Stephenson
Acclaimed Contributor

Re: passwd -f xyz

My best advice for you is to convert to a trusted system and let it enforce the rules for you. Writing custom login functions/programs is not a novice undertaking.
If it ain't broke, I can fix that.
Hanry Zhou
Super Advisor

Re: passwd -f xyz

Clay,

We want to implement npasswd, a tool to handle, for instance, guessable passwords; the trusted system won't do that for us.

How do I write my own PAM functions?
A. Clay Stephenson
Acclaimed Contributor

Re: passwd -f xyz

Well, the place to start is the same one I used my first time through this: man 3 pam and man 4 pam.conf and pay attention to the SEE ALSO sections. You can also go to docs.hp.com and enter "PAM" as a search string. I'm sure you can find tons of references.

Whenever you are changing login/passwd routines, make absolutely certain that you are logged in as root in at least two sessions. That way you can get yourself out of trouble almost as fast as you got yourself in.

Let me suggest a Plan C: Find a 10.20 version of login and use it. It does invoke passwd/yppasswd and if you rename your npasswd program to /usr/bin/passwd then you should be good to go.
If it ain't broke, I can fix that.
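
For the question above about writing custom PAM functions, here is a minimal password-service module sketch, added as an example; it is not code from the thread, from HP-UX, or from npasswd. `is_guessable`, its rules and the `BUILD_PAM_MODULE` macro are hypothetical, and the sketch assumes the module is stacked ahead of the module that stores the password and that the storing module reuses `PAM_AUTHTOK`.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a real checker such as npasswd: 1 = reject.
 * Rejects short passwords, ones containing the login name, single-class ones. */
int is_guessable(const char *user, const char *pw)
{
    int alpha = 0, digit = 0, other = 0;
    size_t i, len = strlen(pw);
    if (len < 8 || (*user && strstr(pw, user)))
        return 1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isalpha(c)) alpha = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return alpha + digit + other < 2;
}

#ifdef BUILD_PAM_MODULE /* assumed macro: define it when building the shared library */
#include <security/pam_appl.h>
#include <security/pam_modules.h>
/* Password-service entry point, run by libpam inside login or passwd. */
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    const struct pam_conv *conv = NULL;
    struct pam_message msg = { PAM_PROMPT_ECHO_OFF, "New password: " };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    int rc = PAM_AUTHTOK_ERR;

    (void)argc; (void)argv;
    if (flags & PAM_PRELIM_CHECK)   /* first pass: nothing to check yet */
        return PAM_SUCCESS;
    /* (void *) casts: PAM headers differ on whether these pointers are const */
    if (pam_get_item(pamh, PAM_USER, (void *)&user) != PAM_SUCCESS || !user ||
        pam_get_item(pamh, PAM_CONV, (void *)&conv) != PAM_SUCCESS || !conv ||
        conv->conv(1, (void *)&msgp, &resp, conv->appdata_ptr) != PAM_SUCCESS || !resp)
        return PAM_CONV_ERR;
    if (resp->resp && !is_guessable(user, resp->resp))  /* pass token to next module */
        rc = pam_set_item(pamh, PAM_AUTHTOK, resp->resp);
    if (resp->resp) memset(resp->resp, 0, strlen(resp->resp)); /* best-effort scrub */
    free(resp->resp); free(resp);
    return rc;
}
#endif
```

Without `BUILD_PAM_MODULE` only the checker compiles, so the policy can be exercised on its own before the module goes anywhere near a login stack.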