Operating System - HP-UX

Re: Password aging and ShadowPassword

 
CanWest Team
Occasional Contributor

Password aging and ShadowPassword

I know that the ShadowPassword fileset includes support for the system-wide password aging configuration parameters PASSWORD_MINDAYS and PASSWORD_MAXDAYS in /etc/default/security. I am interested in obtaining these features but (a) do not want to install HP-UX 11i v2 at this time and (b) do not want to enable shadow passwords at this time (i.e. with the pwconv command). Is installing the fileset sufficient for this or do I have to run pwconv to enable this feature?
6 REPLIES
Steven E. Protter
Exalted Contributor

Re: Password aging and ShadowPassword

passwd command


-n min
-x max


passwd -n 7 -x 60 username

That sets the password for sixty day maximum and 7 day minimum.

To set it for all users you need to write a little script.

cp /etc/passwd /root
cd /root
# Read each passwd line and apply the aging values to that account
while read -r pass
do
username=$(echo "$pass" | awk -F: '{print $1}')
passwd -n 7 -x 60 "$username"
done < passwd

rm -f /root/passwd

Run it as root.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Nguyen Anh Tien
Honored Contributor

Re: Password aging and ShadowPassword

Right.
You can get more by
#man passwd
....
-n min Determine the minimum number of days, min, that must
transpire before the user can change the password.


-x max Determine the maximum number of days, max, a password
can remain unchanged. The user must enter another
password after that number of days has transpired,
known as the password expiration time.
...

EXAMPLE
Force user2 to establish a new password on the next login which will
expire in 70 days and prohibit the user from changing the password
until 7 days have transpired:

passwd -r files -f -x 70 -n 7 user2
HP is simple
CanWest Team
Occasional Contributor

Re: Password aging and ShadowPassword

Thanks, I was actually aware of the passwd options but was hoping to take advantage of the new simple, centralized, system-wide way of configuring aging parameters using the /etc/default/security file rather than inserting yet another custom-made script.
Bill Hassell
Honored Contributor

Re: Password aging and ShadowPassword

The system-wide values (/etc/security) are for the generation of new passwords, not to change the current settings on existing passwords. However, if the system is not Trusted and does not have Shadow Password product installed, you are limited to the classic 4 character password aging codes. The first character indicates the number of weeks when a password expires and the second character indicates the number of weeks that must elapse before a password can be changed. The last 2 digits are the number of weeks since 1970 when the password was last changed. So PASSWORD_MIN/MAX settings will set the first 2 chars at the next password change but not any current passwords.


Bill Hassell, sysadmin
CanWest Team
Occasional Contributor

Re: Password aging and ShadowPassword

Okay, so I have to update existing users but new ones will adopt the settings in /etc/default/security. You say "if the system is not Trusted and does not have Shadow Password product installed"...what if Shadow Password is installed but I have not run the pwconv command?
Ron Luman_1
Occasional Advisor
Solution

Re: Password aging and ShadowPassword

Hi,

Installing the ShadowPassword fileset should be sufficient, as it provides an enhanced libpam_unix that is aware of the /etc/default/security PASSWORD_* policies. That said, there are a couple of caveats:

1) Only PASSWORD_MINDAYS and PASSWORD_MAXDAYS are used when not in shadow mode, as the password file has no place for the WARNDAYS.

2) As others have noted, these values only take effect when changing a password that does not have existing aging policies

3) Again, due to the limitations in how the information is stored in the passwd file, the values (specified in days) are rounded to weeks.

Cheers,

--Ron
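
The four-character aging field Bill Hassell describes, stored in whole weeks as Ron Luman notes, can be read back from a passwd-format file to see which accounts already carry aging values and which would pick up the system-wide defaults at their next password change. This is an added example, not part of the original thread. The sample lines and hashes are constructed; the digit alphabet (`.`, `/`, `0-9`, `A-Z`, `a-z` for 0..63), the low-digit-first order of the last-change week, and the two special states are assumptions taken from passwd(4) rather than from the posts above.

```shell
#!/bin/sh
# Added example: decode the classic aging field kept after the comma in the
# password field of a passwd-format file (non-shadow, non-Trusted layout).
# Assumed from passwd(4), not from the thread: digits are . / 0-9 A-Z a-z
# (values 0..63) and the last-change week is stored low digit first.

decode_aging() {
    # stdin: passwd-format lines; stdout: one summary line per account
    awk -F: '
    BEGIN { A = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" }
    function val(c) { return (c == "") ? 0 : index(A, c) - 1 }
    {
        n = index($2, ",")
        if (n == 0) { print $1, "no-aging"; next }
        age  = substr($2, n + 1)
        maxw = val(substr(age, 1, 1))      # weeks until the password expires
        minw = val(substr(age, 2, 1))      # weeks before a change is allowed
        lastw = 0; mult = 1                # week of last change, counted from 1970
        for (i = 3; i <= length(age); i++) {
            lastw += val(substr(age, i, 1)) * mult
            mult *= 64
        }
        state = "aged"
        if (maxw == 0 && minw == 0) { state = "change-at-next-login" }
        else if (minw > maxw)       { state = "only-root-can-change" }
        printf "%s max_weeks=%d min_weeks=%d last_change_week=%d %s\n",
               $1, maxw, minw, lastw, state
    }'
}

# Constructed sample (hashes are made up); on a real system: decode_aging < /etc/passwd
decode_aging <<'EOF'
user1:abJnggxhB/yGg,7/iP:101:20::/home/user1:/usr/bin/sh
user2:cdKmhhyiC0zHh:102:20::/home/user2:/usr/bin/sh
user3:efLniizjD1aIi,..:103:20::/home/user3:/usr/bin/sh
EOF
```

Accounts reported as `no-aging` are the ones that have no existing aging policy in the password file.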