
Re: Password Aging

 
SOLVED
Jerry Gamblin
Occasional Contributor

Password Aging

What is the easiest way to implement a password ageing policy on an HPUX 11 box?
I would like to set up a password policy that says users must change their passwords every X number of days.

Thanks for all your help as I move from being a Windows Admin to a Unix Admin.
5 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: Password Aging

There are a couple of ways.

One is to run some passwd commands on the user ID right after it's created, setting its expiration and such. I'm attaching a utility script that does that. Pete Randall wrote the original, though I doubt he recognizes it.

You can use SAM system security policies and set global policies for the system. Root access is required for this.

There are other ways to do it as well.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Muthukumar_5
Honored Contributor

Re: Password Aging

You can use /etc/default/security file for this.

# Standard and Shadow modes only: number
# of days that passwords are valid
# PASSWORD_MAXDAYS=175
# PASSWORD_MINDAYS=14

Or we can do it with the passwd command.

Change the password expiration date of user to 42 days in the files
repository:

passwd -r files -x 42 user

See the EXAMPLES part of the passwd man page to know more.
Easy to suggest when don't know about the problem!
Jerry Gamblin
Occasional Contributor

Re: Password Aging

Steve,

I was going to proceed with changing the password policy through SAM, but I got an error about turning it into a trusted database (see attached). Is it a bad idea to do this? Could this break something else on the machine, or is this a suggested HP procedure?
john kingsley
Honored Contributor

Re: Password Aging

This information can be set using the passwd command. Check the man page for details.
----------------
If you are not using a shadow file, this information is added to the end of the password field:

user1:PPPPPPPPPPPPP,AMWW:uid:gid:user_name
Where:
A (1 character) - # of weeks for which a password is valid
M (1 character) - # min number of weeks which must pass before a user can change their password.
WW (2 characters) - # of weeks since password was changed. Weeks are counted from the beginning of 1970.

There are 64 valid characters that are used in the password field. Each character is used to represent a digit. The valid characters are: "." for 0, / for 1, A through Z for 12 through 37, and a through z for 38 through 63.

So, for example:
user1:PPPPPPPPPPPPP,O/7Q:uid:gid:user_name
Password is valid 26 weeks.
Password can't be changed for 1 week.
Password was last changed 7/8/04

----------------
If you are using a shadow file, setting up password aging is much simpler:
user1:PPPPPPPPPPPPP,ddddd,m,xxx,ww:::

dddddd - # of days since password was changed. Weeks are counted from the beginning of 1970.

m - # min number of days which must pass before a user can change their password.

xxxx - # of days for which a password is valid
ww - # of days a user will receive warning messages prior to the password expiring.
---------------------

The command:

passwd -s -a

will show you the aging information set for your users:

user1 PS 07/08/04 7 1
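
The non-shadow aging field described in the post above, decoded in Python as an added example that is not part of the original thread. It assumes the full 64-character alphabet (digits 0 through 9 fill values 2 through 11) and that the week characters are stored least significant first, the reading under which the post's `O/7Q` sample gives 7/8/04; the function names and sample lines are constructed for illustration.

```python
from datetime import date, timedelta

# "." = 0, "/" = 1, 0-9 = 2-11, A-Z = 12-37, a-z = 38-63
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = date(1970, 1, 1)


def decode_aging(passwd_line):
    """Decode the ',AMWW' suffix of one /etc/passwd line; None if no aging is set."""
    fields = passwd_line.rstrip("\n").split(":")
    user, pw_field = fields[0], fields[1]
    _, _, age = pw_field.partition(",")
    if not age:
        return None
    if any(c not in ALPHABET for c in age):
        raise ValueError(f"{user}: invalid aging character in {age!r}")
    digits = [ALPHABET.index(c) for c in age]
    max_weeks = digits[0]
    min_weeks = digits[1] if len(digits) > 1 else 0  # assumption: missing M means 0
    # Assumption: week characters are stored least significant first.
    changed_week = sum(d * 64 ** i for i, d in enumerate(digits[2:]))
    changed = EPOCH + timedelta(weeks=changed_week)  # start of that week
    return {"user": user, "max_weeks": max_weeks, "min_weeks": min_weeks,
            "changed": changed, "expires": changed + timedelta(weeks=max_weeks)}


def audit(lines, today):
    """Return (users with no aging field, users whose password has expired)."""
    no_aging, expired = [], []
    for line in lines:
        info = decode_aging(line)
        if info is None:
            no_aging.append(line.split(":")[0])
        elif info["expires"] < today:
            expired.append(info["user"])
    return no_aging, expired


# Constructed sample entries (placeholder hashes, not real accounts).
SAMPLE = [
    "user1:PPPPPPPPPPPPP,O/7Q:101:20:user_name:/home/user1:/usr/bin/sh",
    "user2:PPPPPPPPPPPPP:102:20:user_name:/home/user2:/usr/bin/sh",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode_aging(entry))
    print(audit(SAMPLE, date(2005, 2, 1)))
```

Accounts reported in the first list have no aging field at all, which is the state the original question is trying to eliminate.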
Muthukumar_5
Honored Contributor

Re: Password Aging

Hi,

You are trying to change your system to a trusted one. I hope you have some knowledge of that.

It will make the passwd file with * as the passwd in every entry. It will make your system very secure.

If you put yes, it will change your system to a trusted one.

See more about the difference between them:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=638058

If you want to use your system as a normal one with this requirement, then use the passwd command settings or the /etc/default/security file settings.

Muthu.
Easy to suggest when don't know about the problem!