HPE Community
Operating System - HP-UX
1823788 Members
4369 Online
109665 Solutions
New Discussion юеВ

Password Expiration Warning

 
SOLVED
Go to solution
Belinda Dermody
Super Advisor

тАО10-17-2005 06:36 AM

тАО10-17-2005 06:36 AM

Password Expiration Warning

Is there someway you can change the display to let the user know that his password is about to expire. I have HP-UX 11.11 running and the users never see the message that shows up during their login.. There is no hesitation till it goes throught the login procedure and clears the screen..
They only know when the account gets disable. I have it set for 7 days warning..


HP-UX tahoe B.11.11 U 9000/800 (tnb)

login: taccount
Password:
Last successful login for taccount: Mon Oct 17 14:26:02 EST5EDT 2005 on pts/tnb
Last unsuccessful login for taccount: NEVER
Your password will expire on Wed Oct 19 14:24:46 EST5EDT 2005
0 Kudos
Reply
6 REPLIES 6
Ranjith_5
Honored Contributor

тАО10-17-2005 06:55 AM

тАО10-17-2005 06:55 AM

Re: Password Expiration Warning

Hi James,

Assuming your system is trusted, you can add the following string to a file called /etc/default/security to set password expiry warning.

PASSWORD_WARNDAYS=7



The other security settings are

PASSWORD_HISTORY_DEPTH=5
SU_ROOT_GROUP=restricted group
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
UMASK=077
PASSWORD_MAXDAYS=30
PASSWORD_MINDAYS=5


see #man security for a complete information.

Regards,
Syam
Reply
Belinda Dermody
Super Advisor

тАО10-17-2005 07:07 AM

тАО10-17-2005 07:07 AM

Re: Password Expiration Warning

The warning already shows on the screen, but with all the extra stuff that shows up during the login inprocess it just goes off the screen and the user never sees the warning. I have attached a capture login screen for an example, as you can see the warning is at the beginning and it just looks like part of the login screen. I was hoping there was something that I could add after it to give it a sleep or a key response require to continue..
0 Kudos
Reply
john kingsley
Honored Contributor

тАО10-17-2005 07:11 AM

тАО10-17-2005 07:11 AM

Re: Password Expiration Warning

The copyright information is invoked in by the line "cat /etc/copyright" in /etc/profile.
Reply
john kingsley
Honored Contributor

тАО10-17-2005 07:18 AM

тАО10-17-2005 07:18 AM

Re: Password Expiration Warning

You can edit /etc/profile and add

sleep 10

Before "cat /etc/copyright". This will cause the login to pause for 10 seconds before printing the copyright message.
Reply
Ranjith_5
Honored Contributor

тАО10-17-2005 07:18 AM

тАО10-17-2005 07:18 AM

Re: Password Expiration Warning

Hi James,

If you dont want the copyright and security warning to be displayed during login then hash out the following lines in /etc/profile.

# This is to meet legal requirements...

cat /etc/copyright

# Message of the day

if [ -r /etc/motd ]
then
cat /etc/motd
fi

======================================================

Other option is to take a backup of /etc/copyright and /etc/motd and nullify both files.


#mv /etc/copyright /etc/copyright.orig
#>/etc/copyright

#mv /etc/motd /etc/motd.orig
#>/etc/motd


Hope this helps.
Syam
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО10-17-2005 12:39 PM

тАО10-17-2005 12:39 PM

Solution

Re: Password Expiration Warning

Both the copyright and legal notice are obscuring important information during login. The copyright notice in /etc/profile can be changed to:

echo "To read copyright notice, cat /etc/copyright"

This meets the requirement (like textbooks and other printed documents) that a copyright exists and the mechanism to read this information has been specified.

The second notice may be in /etc/motd. Before deleting it or changing it, check with your legal department. Many times, such notices can be put into /etc/issue rather then after login in /etc/profile. /etc/issue will be displayed *before* login. Technically, the /etc/issue you have is a bit of a security risk (shows OS and revision).

And the screen clear may be part of a logout security package to automatically remove the screen contents after logout. Now you have conflicting requirements: don't clear the screen so users can see the disabled message, or keep the clear-screen and users have to call the help desk. There is no way to pause the login process once the account is disabled.

As far as keeping the legal message and still show something attention-getting in /etc/profile, you'll need to write a small SUID program to call /usr/lbin/getprpw and pull the information about the expiration date, then display a warning if less than 7 days.



Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.