HPE Community
Operating System - HP-UX
1835243 Members
2115 Online
110078 Solutions
New Discussion

Re: password aging on non-trusted systems

 
SOLVED
Go to solution
Christopher Hildrum_1
Frequent Advisor

‎02-21-2003 07:51 AM

‎02-21-2003 07:51 AM

password aging on non-trusted systems

All -

I have read many of the forum responses on password aging/trusted systems, etc. I am running 11.00 and going to a trusted system is not looking possible right now. I have set passwd length, history, etc in the default file. I still have this question:

Can I set password aging on a non-trusted system with a paramter in the /etc/default/security file or can I set it default for every user that changes their password (minus root, etc.)? I can't seems to find a straightforward answer on how to do this without manually cahnging every user. I know I can do that easy - but what would happen when they change their password again?
0 Kudos
Reply
12 REPLIES 12
Pete Randall
Outstanding Contributor

‎02-21-2003 07:56 AM

‎02-21-2003 07:56 AM

Re: password aging on non-trusted systems

From man security:

"PASSWORD_HISTORY_DEPTH
This parameter controls the password history depth. A
new password is checked only against the number of most
recently used passwords stored in password history for
a particular user. A user is not allowed to re-use a
previously used password."


Your answer should be yes!


Pete

Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-21-2003 07:58 AM

‎02-21-2003 07:58 AM

Re: password aging on non-trusted systems

Acutally, after re-reading your question - I'm not sure what you're asking. You've already set password history. That should do it. What's the question?

Pete

Pete
0 Kudos
Reply
Christopher Hildrum_1
Frequent Advisor

‎02-21-2003 08:01 AM

‎02-21-2003 08:01 AM

Re: password aging on non-trusted systems

Sorry if I confused you:

I want to set password aging to all users to 90 days without changing the server to a trusted system. So when they change their password after 90 days it continues with password aging again of 90 days.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎02-21-2003 08:03 AM

‎02-21-2003 08:03 AM

Solution

Re: password aging on non-trusted systems

ON non-trusted systems, you have to do each user individually (or script it which is not too difficult). Once someone with root permissions has set a maximum age and minimum number of weeks between passwd changes, the user is not allowed to modify those parts of the passwd field. The passwd command when invoked by a regular user does update the last time that the passwd was changed but the min and max subfields remain intact.
If it ain't broke, I can fix that.
Reply
Pete Randall
Outstanding Contributor

‎02-21-2003 08:05 AM

‎02-21-2003 08:05 AM

Re: password aging on non-trusted systems

for user in `cat /etc/passwd |cut -d : -f 1`
do
passwd -f $user
done


That should force them to initially change their password.

Pete

Pete
0 Kudos
Reply
Christopher Hildrum_1
Frequent Advisor

‎02-21-2003 08:05 AM

‎02-21-2003 08:05 AM

Re: password aging on non-trusted systems

Clay -

Excellent ! That is what I needed to know ! Is that documented anywhere ?
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-21-2003 08:07 AM

‎02-21-2003 08:07 AM

Re: password aging on non-trusted systems

Make that

passwd -f -n 90 $user


Pete

Pete
0 Kudos
Reply
Christopher Hildrum_1
Frequent Advisor

‎02-21-2003 08:09 AM

‎02-21-2003 08:09 AM

Re: password aging on non-trusted systems

Pete :
for user in `cat /etc/passwd |cut -d : -f 1`
do
passwd -f $user
done

Thanks !
I will add the following line in the script:
"passwd -n 3 -w 7 -x 90"
To start the initial aging process.

Chris


0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-21-2003 08:13 AM

‎02-21-2003 08:13 AM

Re: password aging on non-trusted systems

Chris,

Yes, I like your "passwd -n 3 -w 7 -x 90" better.

Good luck,

Pete

Pete
0 Kudos
Reply
Jose Mosquera
Honored Contributor

‎02-21-2003 08:24 AM

‎02-21-2003 08:24 AM

Re: password aging on non-trusted systems

Hi,

SAM is a good option ti you. Execute SAM:
#sam

then go to the following options:
1. Accounts for Users and Groups
2. Users
3. Go at specific user, press to select it
4. Actions Menu
5. Modifi...
6. [ Modify Password Options... ]
7. Set Password Options to [ Enable Password Aging ]
8. Password Expiration Time (1-63 weeks): 6
Other options changes in this windows up to you.
9. [ OK ]

After this you note that this user in /ect/passwd file have added ",4." and any other char at end of encrypted password field.


Rgds.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎02-21-2003 08:29 AM

‎02-21-2003 08:29 AM

Re: password aging on non-trusted systems

Hi Christopher:

As always, the man pages offer a wealth of information beyond command syntax. In this case, the 'passwd(1)' and 'passwd(4)' pages have quite a good discussion.

Remember that you can find "pointers" to man pages by keyword. In this case:

# man -k passwd

Regards!

...JRF...
0 Kudos
Reply
Jason Moorhead_2
Frequent Advisor

‎02-10-2006 04:04 AM

‎02-10-2006 04:04 AM

Re: password aging on non-trusted systems

Using the command line to enable password aging on individual users is something I need to do as well, but I'm wondering a couple things.

1) If I run a script to enable on all users, what does this do to the users where aging is already active? Does it "reset" the expiration date, or just ignore it? My biggest fear is that all 1000 users will expire on the same day.

2) I'd rather not force any password changes. Does enabling password aging affect current passwords at all. Meaning, if my account currently has no aging, and I enable it, will my password still work?

Thanks!
Jason
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.