HPE Community
Operating System - HP-UX
1832927 Members
3267 Online
110048 Solutions
New Discussion

Password Settings in Trusted Mode

 
SOLVED
Go to solution
Marco Santerre
Honored Contributor

‎12-10-2003 06:43 AM

‎12-10-2003 06:43 AM

Password Settings in Trusted Mode

Other than going in SAM to get the different password settings (aging, etc) system-wide, is there a file that I can view, or a command that will show me all those settings in one shot, as opposed to checking the different screens in SAM?
Cooperation is doing with a smile what you have to do anyhow.
0 Kudos
Reply
6 REPLIES 6
Jeff Schussele
Honored Contributor

‎12-10-2003 06:53 AM

‎12-10-2003 06:53 AM

Solution

Re: Password Settings in Trusted Mode

Hi Marco,

The file /tcb/files/auth/system/default will give the "global" settings common to all users. It should be noted that these values can be overriden by values in the individual user's tcb entry, however.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Reply
Hazem Mahmoud_3
Respected Contributor

‎12-10-2003 06:54 AM

‎12-10-2003 06:54 AM

Re: Password Settings in Trusted Mode

If it is a trusted system, just go inside the user's account info file. This is located at /tcb/files/auth/
-Hazem
Reply
Jeff Schussele
Honored Contributor

‎12-10-2003 06:58 AM

‎12-10-2003 06:58 AM

Re: Password Settings in Trusted Mode

And a command to get all the values would be:

/usr/lbin/getprpw user_name

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Reply
RAC_1
Honored Contributor

‎12-10-2003 07:00 AM

‎12-10-2003 07:00 AM

Re: Password Settings in Trusted Mode

commands you need to look at--
getprdef
modprdef
getprpw
modprpw

getprpw - display user's protected password database
USAGE
/usr/lbin/getprpw [-r] [-m option[,option]] logonid
OPTIONS
-r raw display of the protected database field values
-m display the value of the option given. If -m is not specified,
all protected database fields will be displayed.
Boolean values are returned as YES, NO, or DFT (default).
A -1 value indicates that the field is undefined.
The following values will be displayed or can be selected
using the -m option:
uid logonid's uid
bootpw boot authorization flag
audid audit id

audflg audit flag

mintm minimum time allowed between password changes

exptm password expiration time

lftm password lifetime

acctexp account expiration time

spwchg time of last successful password change

upwchg time of last unsuccessful password change

llog maximum time allowed between logins

expwarn password expiration warning time

usrpick user allowed to pick passwords

nullpw null passwords allowed

maxpwln maximum password length allowed

rstrpw restricted passwords - checked for triviality

syspnpw system generates pronounceable passwords

admnum administrative number assigned

syschpw system generates character only passwords

sysltpw system generates letter only passwords

timeod time of day allowed for login

slogint time of last successful login

ulogint time of last unsuccessful login

sloginy terminal of last successful login

uloginy terminal of last unsuccessful login

culogin consecutive number of unsuccessful logins

umaxlntr maximum number of unsuccessful logins allowed

alock administrative lock

lockout bit string representing reason account is disabled

1 = true, 0 = false

bit 1 password lifetime exceeded

2 time between logins exceeded

3 account absolute lifetime exceeded

4 unsuccessful logon attempts exceeded

5 null password set but not allowed

6 administrative lock

7 password is "*"

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

3 protected database not found for user

NOTE. This is an undocumented command and not supported for direct use by

end users.

This documentation has been gathered from multiple sources, inferred or

developed empirically. No warranty is provided for its accuracy,

completeness or use.

---------------------------------------------------------------------------

getprdef (1M) getprdef (1M)

NAME

getprdef - display default database

USAGE

/usr/lbin/getprdef -r [-m option],option] [-b] [-p] [-t]

OPTIONS

-r raw display of the protected database field values

-m display the value of the option given. If -m is not specified,

all protected database fields will be displayed.

-b display password defaults

-p display time defaults

-t display login defaults

Boolean values are returned as YES, NO, or DFT (default).

A value of -1 indicates that the field is undefined.

The following values will be displayed or can be selected

using the -m option:

bootpw boot authorization flag

mintm minimum time allowed between password changes

exptm password expiration time

lftm password lifetime

llog maximum time allowed between logins

expwarn password expiration warning time

usrpick user allowed to pick passwords

nullpw null passwords allowed

maxpwln maximum password length allowed

rstrpw restricted passwords - checked for triviality

syspnpw system generates pronounceable passwords

syschpw system generates character only passwords

sysltpw system generates letter only passwords

umaxlntr max number of consecutive unsuccessful logins allowed

tmaxlntr max number of consecutive unsuccessful logins allowed

per terminal

dlylntr time delay between unsuccessful login attempts

lntmout login timeout in seconds

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

NOTE. This is an undocumented command and not supported for direct use by

end users.

This documentation has been gathered from multiple sources, inferred or

developed empirically. No warranty is provided for its accuracy,

completeness or use.

---------------------------------------------------------------------------



modprpw (1M) modprpw (1M)

NAME

modprpw - modify a user's protected database

USAGE

/usr/lbin/modprpw [-A][-E|V][-e|v][-k][-w][-x]

-[m opt=value[,opt=value]] logonid

modprpw updates the user Protected Database options with the values specified.

It is the users responsibility to validate all options and values before

execution.

Any fields not specified remain unchanged in the database.

OPTIONS

-A Add a new user. Requires -m uid=value and returns the admin

number the user must use as a password to login the first time.

Logonid must not already exist and can not be used with

-k, -w or -x options.

-E Expire all passwords by removing the last successful login time

from all users. All users will need to enter new passwords at

next login. Loginid or any other options are not valid with

this option.

-e Expire the password of a specific logonid.

-k Unlock or re-enable a specific logonid.

-m Modify option specified below. If an invalid option is provided

"invalid-opt" will be displayed and processing terminated.

-m options are valid only with -A (add new user) or

-k (unlock user).

Boolean values are specified as YES, NO or DFT (default).

The value=-1 indicates that the value in the database is to be

removed, and the system default value used.

Options:

uid=value logonid's uid

bootpw=YES/NO boot authorization flag

audid=value audit id

audflg=value audit flag

mintm=value minimum days allowed between password changes

exptm=value password expiration time in days

lftm=value password lifetime in days

acctexp=value account expiration in calendar date format

llog=value maximum time allowed between logins in days

expwarn=value password expiration warning time in days

usrpick=YES/NO/DFT user allowed to pick passwords

nullpw=YES/NO/DFT null passwords allowed (NOT RECOMMENDED!)

maxpwln=value maximum password length allowed

rstrpw=YES/NO/DFT restricted passwords - checked for triviality

syspnpw=YES/NO/DFT system generates pronounceable passwords

syschpw=YES/NO/DFT system generates character only passwords

sysltpw=YES/NO/DFT system generates letter only passwords

admnum=value administrative number assigned

timeod=value time of day allowed for login

umaxlntr=value maximum number of unsuccessful logins allowed

alock=YES/NO/DFT administrative lock

The format of the timeod value is:

key0Starttime-Endtime,key1Starttime-Endtime,...

keynStarttime-Endtime

key has the value:

Mo - Monday Sa - Saturday

Tu - Tuesday Su - Sunday

We - Wednesday

Th - Thursday Any - all days

Fr - Friday Wk - Monday - Friday

Starttime and Endtime are hhmm 24 hour format times

where hh = 00 - 23, and mm = 00 - 59

-V Start password aging for all users by setting the last successful

login time to the curent time. No logonid or other arguments are

allowed.

-w Change the logonid's encrypted password. Not valid with any other

option.

Use: -w encrypted_password

-x Remove user's password and return an admin number the user must

logon with and pick a new password. Not valid with any other

option.

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

3 protected database not found for logonid

4 can not change entry

NOTE. This is an undocumented command and not supported for direct use by

end users.

This documentation has been gathered from multiple sources, inferred or

developed empirically. No warranty is provided for its accuracy,

completeness or use.

---------------------------------------------------------------------------



modprdef (1M) modprdef (1M)

NAME

modprdef - modify default database

USAGE

/usr/lbin/modprdef -m option=value[,option=value]

modprdef updates the Default Database options with the values specified.

It is the users responsibility to validate all options and values before

execution.

Any fields not specified remain unchanged in the database.

OPTIONS

-m Modify option specified below. If an invalid option is provided

"invalid-opt" will be displayed and processing terminated.

Boolean values are specified as YES, NO.

Options:

bootpw=YES/NO boot authorization flag

mintm=value minimum days allowed between password changes

exptm=value password expiration time in days

lftm=value password lifetime in days

llog=value maximum time allowed between logins in days

expwarn=value password expiration warning time in days

usrpick=YES/NO user allowed to pick passwords

nullpw=YES/NO null passwords allowed (NOT RECOMMENDED!)

maxpwln=value maximum password length allowed

rstrpw=YES/NO restricted passwords - checked for triviality

syspnpw=YES/NO system generates pronounceable passwords

syschpw=YES/NO system generates character only passwords

sysltpw=YES/NO system generates letter only passwords

umaxlntr=value maximum number of unsuccessful logins allowed

tmaxlntr=value maximum number of consecutive unsuccessful

logins allowed per terminal

dlylntr=value time delay between unsuccessful login attempts

lntmout=value login timeout in seconds

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

NOTE. This is an undocumented command and not supported for direct use by

end users.
There is no substitute to HARDWORK
Reply
Marco Santerre
Honored Contributor

‎12-10-2003 11:59 PM

‎12-10-2003 11:59 PM

Re: Password Settings in Trusted Mode

Thanks guys,

I knew about looking in each users, but the thing is that I needed the file/settings that are geenrally used when a user is added.. /tcb/files/auth/system/default and getprdef is what I was looking for.
Cooperation is doing with a smile what you have to do anyhow.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎12-11-2003 12:50 AM

‎12-11-2003 12:50 AM

Re: Password Settings in Trusted Mode

And just to complicate things a slight boit more: the file /etc/default/security may also contain user login and password restrictions. man security will tell you about these. Enclosed is a script that will summarize the current security settings.


Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.