
password management

 
Joseph Hoh
Frequent Advisor

password management

How can I control user passwords?
I would like to control password aging, password length, password content, etc. from one source. Any ideas?

My environment consists of the following:
1 SUN NIS master.
2 HP-UX NIS clients
2 SUN NIS clients
4 standalone HP-UX
1 standalone SUN
10 standalone Linux
4 REPLIES
A. Clay Stephenson
Acclaimed Contributor

Re: password management

If you are using NIS (as opposed to NIS+) then the systems cannot be trusted so you are now forced to do it the more difficult way. The good news is that passwd aging is fully supported even with vanilla NIS but everything else is up to you. The good news is that there is a yppasswd(3N) function which communicates with the yppasswdd daemon to update the NIS maps. You will have to code a replacement for the yppasswd command (rename the original something like yppasswd.orig and set its permissions to 000); in your version you can make the passwd rules as rigorous as you like. I typically rely upon the spell command. If spell says this is a word then it's a bad passwd. I typically strip numeric and punctuation from the plaintext passwd before sending it to spell.

This process is not very difficult but it does require that you can do a bit of C. I have even added options to the replacement yppasswd command to allow options for CGI support so that users can change their passwords using an internal web page.
If it ain't broke, I can fix that.
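
The strip-then-look-up rule described in the reply above, as an added example that is not part of the original post or the poster's own code. It assumes a small constructed word list in place of the spell dictionary, and the names `check_password`, `MIN_LEN` and `MAX_LEN` and the rejection of passwords with no letters are illustrative assumptions.

```c
#include <ctype.h>
#include <string.h>

#define MIN_LEN 8    /* assumed site minimum, not from the thread */
#define MAX_LEN 64   /* assumed upper bound, sizes the scratch buffer */

/* Constructed sample list standing in for the spell(1) dictionary. */
static const char *const SAMPLE_WORDS[] = {
    "password", "welcome", "dragon", "monkey", "summer", "secret"
};

enum pw_verdict { PW_OK, PW_BAD_LENGTH, PW_NO_LETTERS, PW_DICTIONARY_WORD };

/* Copy only the letters of pw into out, lowercased; return their count. */
static size_t letters_only(const char *pw, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *pw != '\0' && n + 1 < outsz; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isalpha(c))
            out[n++] = (char)tolower(c);
    }
    out[n] = '\0';
    return n;
}

/* Apply the length rule, then strip digits/punctuation and look the rest up. */
enum pw_verdict check_password(const char *pw)
{
    char stripped[MAX_LEN + 1];
    size_t len = strlen(pw), i;
    enum pw_verdict v = PW_OK;

    if (len < MIN_LEN || len > MAX_LEN)
        return PW_BAD_LENGTH;
    if (letters_only(pw, stripped, sizeof stripped) == 0)
        return PW_NO_LETTERS;  /* nothing left to look up: reject (assumed rule) */
    for (i = 0; i < sizeof SAMPLE_WORDS / sizeof SAMPLE_WORDS[0]; i++)
        if (strcmp(stripped, SAMPLE_WORDS[i]) == 0)
            v = PW_DICTIONARY_WORD;
    memset(stripped, 0, sizeof stripped);  /* best-effort scrub of the copy */
    return v;
}

int main(void)
{
    return check_password("Pass-word!123") == PW_DICTIONARY_WORD ? 0 : 1;
}
```

Doing the lookup in memory keeps the plaintext out of command-line arguments and temporary files, which shelling out to an external checker would have to handle separately.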
Joseph Hoh
Frequent Advisor

Re: password management

I do not believe password aging is supported with NIS. Especially with having a SUN server for the NIS master.

I do not know C so I am looking for a more out of the box method to use on all three platforms.
Shannon Petry
Honored Contributor

Re: password management

First, you need a common source for login information. A supported method to do this is with NIS+. An unsupported method is to use NIS, and some creativity. Problems you will have with NIS+ are that setup is much more difficult, and Linux support is a bit weak.

Because standard UNIX and Solaris expire passwords differently, this is difficult. First, you will have to do this manually, as Solaris will ignore any reference to expiration in an NIS passwd on the server. I have tackled this only 1 time but to your fortune I figured it out.

First, some basic facts. SunOS uses shadow to expire passwords and age them. The only information parsed from the shadow to NIS passwd map is the encrypted key. This brings up a huge problem.

Solution:
First, copy /etc/shadow to /etc/shadow.bak

Now, we need to parse the /etc/shadow to modify the passwd strings and expire them. This is most easily done by tailing the encrypted string with a ",". Comma then a null string means expire now.

touch /tmp/newshadow
cat /etc/shadow|awk -F: '{print $1":"$2",:"$3":"$4":"$5":"$6":"$7":"$8":"}' >>/tmp/newshadow

Now, we can get our newly made shadow into place.
mv /tmp/newshadow /etc/shadow

Now, make your NIS maps
cd /var/yp
make

Now move your old shadow back to place
mv /etc/shadow.bak /etc/shadow

Whew, lots of work, but you're done except for the biggest problem of all. You will have to schedule a cron job or build a script which handles this chore on whatever schedule you would like.

Standard UNIX supports password aging by placing some additional information after the comma in the encrypted string. SunOS does not support this.

Regards,
Shannon
Microsoft. When do you want a virus today?
Joanne Keegan
Regular Advisor

Re: password management

There are freeware programs available to provide greater control of passwords - if you can't make the system trusted. It might be worthwhile looking at Npasswd (search for it on the internet). There are a lot of tools out there, and they can be used on different platforms.

Good Luck!

Jo