HPE Community
Operating System - HP-UX
1820203 Members
4164 Online
109620 Solutions
New Discussion юеВ

Password aging in NIS

 
SOLVED
Go to solution
MarkSyder
Honored Contributor

тАО03-02-2005 02:26 AM

тАО03-02-2005 02:26 AM

Password aging in NIS

Hi everybody.

I have been asked to set up password aging on our NIS system: minimum 1 day, maximum 60.

I've had a look at the manual pages and this seems easy to do on a stand-alone system using passwd, but there doesn't seem to be a similar facility for yppasswd.

The instructions I inherited tell me to insert 43 into the user's entry in the passwd file to set aging, but does this set the aging to what I want?

I also need to set the system to lock users out if they don't log in within the 60 day limit or after 6 unsuccessful password attempts.

Assistance will be rewarded with points.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
9 REPLIES 9
Pete Randall
Outstanding Contributor

тАО03-02-2005 02:30 AM

тАО03-02-2005 02:30 AM

Re: Password aging in NIS

Mark,

The passwd command will interact with your NIS system (see man passwd). From the EXAMPLES section:

"Modify the minimum time between password changes of user1 to 7 days in the nisplus repository:

passwd -r nisplus -n 7 user1"


Pete

Pete
0 Kudos
Reply
MarkSyder
Honored Contributor

тАО03-02-2005 02:38 AM

тАО03-02-2005 02:38 AM

Re: Password aging in NIS

passwd: illegal option -- r

Patching out of date? Or OS out of date (HP-UX 10.20)?

Mark

PS - thanks for the quick response!
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
Shannon Petry
Honored Contributor

тАО03-02-2005 02:38 AM

тАО03-02-2005 02:38 AM

Re: Password aging in NIS

The simple answer is that you can not do this(er.. all of what you are looking to do). NIS supports standard passwd mapping.

Standard passwd will support basic aging. What is not supported is account locking for unsuccessfull login attempts.

If you read the man pages for passwd, you can easily find out how to set up the aging context in passwd. You do not necessarily need to insert anything into a passwd file, the passwd command run on the server will handle the edits for you.

If your requirements can be satisfied with only the aging aspect, you should have no problem.

Locks on attempts are not supported in an NIS environment, because the client does not report to the server. (there is no reporting built into NIS).

NIS maps are shared, so the client reads the hash from the passwd map, and compares that locally to a hash created at login attempts.

If you need the locking ability, you have to look at a completely different authentication system. There are only 2 common systems for authentication that support reporting. Those would be NIS+ and LDAP.

I have similar requirements to yours, and have opted to use LDAP (and have been for 9 months).

Hope this helps.
Sincerely,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО03-02-2005 02:39 AM

тАО03-02-2005 02:39 AM

Re: Password aging in NIS

You will need to run this command on the NIS master:

passwd -x 60 -n 1 user.

I would do a ypcat passwd | awk -F ':' '{if (($3 + 0) >= 101) print $1}' | while read USER
do
passwd -x 60 -n 1 ${USER}
done


Now for the bad news. Under NIS you can't really set min to 1 day or max to 60 days because the granularity is one week. Your 1 day will be rounded up to 1 week (beginning each Thursday because 1-Jan-1970 was a Thursday) and your 60 days will be rounded up to 9 weeks.


Unless you write a custom login (which is the way I've done it under NIS in the past -- along with a custom yppasswd) your needs to lock out users can't be done. The NIS maps don't carry that data.

You need to look at either NIS+ (which will work with Trusted systems) or LDAP. LDAP is the better choice because NIS+ is going away.
If it ain't broke, I can fix that.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО03-02-2005 02:42 AM

тАО03-02-2005 02:42 AM

Re: Password aging in NIS

I forgot to say that after you run the poasswd comand on the NIS master, you then need to:
cd /var/yp
make

That will update/push the NIS maps.
If it ain't broke, I can fix that.
0 Kudos
Reply
MarkSyder
Honored Contributor

тАО03-02-2005 02:45 AM

тАО03-02-2005 02:45 AM

Re: Password aging in NIS

On the NIS server:

passwd -n 1 -x 60 mark

where mark is a test user I set up so I could experiment before doing this to a "real" user.

Error message: mark not in local password file

But I know this - I want to amend mark in the NIS password file!

Mark
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
john kingsley
Honored Contributor

тАО03-02-2005 03:47 AM

тАО03-02-2005 03:47 AM

Solution

Re: Password aging in NIS

I've configured password aging by hand. You can do this by editing the passwd file on the NIS master. Password aging information is added to the password hash:

user1:--hash---,abCC:uid:gid:....etc

A comma separates the encrypted password from the password aging information. The first character after the comma sets the number of weeks for which the password is valid. The second character after the comma is used to set the minimum number of weeks which much pass before the password can be changed. The last two characters after the comma define the number of weeks since the password was last changed. The weeks are counted from the beginning of 1970. The only thing tricky is that this data is specified using Base-64. So, valid characters are:
. = 0
/ = 1
0-9 = 2-11
A-Z = 12-37
a-z = 38-63

To test this, create an account:
user1:--hash---,7/eQ:uid:gid:....etc

This will set passwd aging for user1 to:
max password life(7)=63 days (9 weeks)
min password life(/)=7 days (1 week)
and password was last changed (eQ) Feb-24-2005.
You can verify this by running:
logins -x -l user1

With HPUX, aging can only be specified by weeks. So, you can't set the min life to 1 day. You would have to specify 0-days (0-weeks) or 7 days (1-week).
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО03-02-2005 03:56 AM

тАО03-02-2005 03:56 AM

Re: Password aging in NIS

Typically /etc/passwd is used as the source file for the NIS passwd map. In your case, they are different. Depending on your OS version, you can use a passwd -F file option to identify the alternate passwd file and then do a ypmake to update/push the maps.
If it ain't broke, I can fix that.
0 Kudos
Reply
MarkSyder
Honored Contributor

тАО03-10-2005 11:26 PM

тАО03-10-2005 11:26 PM

Re: Password aging in NIS

Excellent solution John - thanks. And thanks to everyone else for their suggestions.

Mark
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.