
Password Expiration Warning

 
Belinda Dermody
Super Advisor

Password Expiration Warning

Is there some way you can change the display to let the user know that his password is about to expire? I have HP-UX 11.11 running and the users never see the message that shows up during their login. There is no hesitation till it goes through the login procedure and clears the screen.
They only know when the account gets disabled. I have it set for 7 days warning.


HP-UX tahoe B.11.11 U 9000/800 (tnb)

login: taccount
Password:
Last successful login for taccount: Mon Oct 17 14:26:02 EST5EDT 2005 on pts/tnb
Last unsuccessful login for taccount: NEVER
Your password will expire on Wed Oct 19 14:24:46 EST5EDT 2005
Ranjith_5
Honored Contributor

Re: Password Expiration Warning

Hi James,

Assuming your system is trusted, you can add the following string to a file called /etc/default/security to set password expiry warning.

PASSWORD_WARNDAYS=7



The other security settings are

PASSWORD_HISTORY_DEPTH=5
SU_ROOT_GROUP=restricted group
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
UMASK=077
PASSWORD_MAXDAYS=30
PASSWORD_MINDAYS=5


See #man security for complete information.

Regards,
Syam
Belinda Dermody
Super Advisor

Re: Password Expiration Warning

The warning already shows on the screen, but with all the extra stuff that shows up during the login process it just goes off the screen and the user never sees the warning. I have attached a captured login screen for an example; as you can see, the warning is at the beginning and it just looks like part of the login screen. I was hoping there was something that I could add after it to give it a sleep or a key response required to continue.
john kingsley
Honored Contributor

Re: Password Expiration Warning

The copyright information is invoked by the line "cat /etc/copyright" in /etc/profile.
john kingsley
Honored Contributor

Re: Password Expiration Warning

You can edit /etc/profile and add

sleep 10

before "cat /etc/copyright". This will cause the login to pause for 10 seconds before printing the copyright message.
Ranjith_5
Honored Contributor

Re: Password Expiration Warning

Hi James,

If you don't want the copyright and security warning to be displayed during login, then hash out the following lines in /etc/profile.

# This is to meet legal requirements...

cat /etc/copyright

# Message of the day

if [ -r /etc/motd ]
then
cat /etc/motd
fi

======================================================

Other option is to take a backup of /etc/copyright and /etc/motd and nullify both files.


#mv /etc/copyright /etc/copyright.orig
#>/etc/copyright

#mv /etc/motd /etc/motd.orig
#>/etc/motd


Hope this helps.
Syam
Bill Hassell
Honored Contributor
Solution

Re: Password Expiration Warning

Both the copyright and legal notice are obscuring important information during login. The copyright notice in /etc/profile can be changed to:

echo "To read copyright notice, cat /etc/copyright"

This meets the requirement (like textbooks and other printed documents) that a copyright exists and the mechanism to read this information has been specified.

The second notice may be in /etc/motd. Before deleting it or changing it, check with your legal department. Many times, such notices can be put into /etc/issue rather than after login in /etc/profile. /etc/issue will be displayed *before* login. Technically, the /etc/issue you have is a bit of a security risk (shows OS and revision).

And the screen clear may be part of a logout security package to automatically remove the screen contents after logout. Now you have conflicting requirements: don't clear the screen so users can see the disabled message, or keep the clear-screen and users have to call the help desk. There is no way to pause the login process once the account is disabled.

As far as keeping the legal message and still show something attention-getting in /etc/profile, you'll need to write a small SUID program to call /usr/lbin/getprpw and pull the information about the expiration date, then display a warning if less than 7 days.



Bill Hassell, sysadmin
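
The warning-and-pause logic that the accepted reply describes for /etc/profile, as an added example that is not code from any poster in this thread. The function names and the four numeric arguments are assumptions: the last-change time and password lifetime would come from a small privileged helper around /usr/lbin/getprpw, which is not shown here.

```shell
# Added example, not from the thread. Inputs are assumptions: last_change and
# now are epoch seconds; max_days and warn_days are whole days. A privileged
# helper (the getprpw wrapper suggested above) would supply the first two.

is_uint() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-digit, or leading zero
    esac
    return 0
}

# Print whole days left (negative once expired). Exit status 2 = bad input,
# 1 = aging disabled (max_days is 0). The body is a subshell, so no variables
# leak into the login shell that sources /etc/profile.
days_until_expiry() (
    last_change=$1 max_days=$2 now=$3
    for v in "$last_change" "$max_days" "$now"; do
        is_uint "$v" || exit 2
    done
    if [ "$max_days" -eq 0 ]; then exit 1; fi
    secs=$((last_change + max_days * 86400 - now))
    if [ "$secs" -ge 0 ]; then
        echo $((secs / 86400))
    else
        echo $(( -((86399 - secs) / 86400) ))
    fi
)

# Show the warning and wait for Enter when expiry is within warn_days.
# Returns 0 if the warning was shown, 1 otherwise.
warn_if_expiring() (
    is_uint "$4" || exit 1
    left=$(days_until_expiry "$1" "$2" "$3") || exit 1
    if [ "$left" -lt 0 ] || [ "$left" -gt "$4" ]; then exit 1; fi
    echo "*** Your password expires in $left day(s). Run passwd now. ***"
    # Pause only on a terminal so non-interactive sessions are not blocked.
    if [ -t 0 ]; then
        printf 'Press Enter to continue: '
        read -r _reply
    fi
    exit 0
)
```

Calling warn_if_expiring after the copyright and motd output in /etc/profile keeps the banner as the last thing on screen until the user presses Enter.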