Password

 
Ngoh Chean Siung
Super Advisor

Password

Hi,

1) Why is the default password expiry 42 days? Is there any meaning, or is it a worldwide standard?

2) What is the maximum password length for non-trusted and trusted systems?

3) How do I set in SAM that whoever doesn't change their password after it expires (after 42 days) has their account automatically locked by the system? Can I apply it to all the users except some privileged users?

regards.
Sunil Sharma_1
Honored Contributor

Re: Password

Hi,

Password expiry depends on your configuration. In HP-UX 11.xx you can define this in the /etc/default/security file (PASSWORD_MAXDAYS=n). Here n is the number of days. In 10.2 there is no /etc/default/security file, so you have to set this value using #passwd -x n (here n is the number of days, which will be converted to the nearest number of weeks).

2. Minimum password length is 6 in a nontrusted system (the super user can set a passwd shorter than this for any user).

3. The user's password will expire after 42 days in your case, and it will not allow the user to log in if he doesn't change his password. You can lock a user if he did not log in for n number of days, but this feature is available in trusted mode only. After converting the system to trusted mode you can use the usermod command to do this. See the -f and -e options of the usermod command in the man page.

Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
Bill Hassell
Honored Contributor

Re: Password

There are no controls for locking accounts if your system is not Trusted. When it is Trusted (SAM can perform this for you) then you can set system-wide defaults for password controls as well as individual settings. See the man page for security. Note that if you are running old software (HP-UX 11.00 or earlier) many of these features do not exist. 11.00 can have most of these features but only if you are up to date on security patches. You can see the latest man page on http://docs.hp.com

1. 42 days is the default setting on your current system. You can change this with SAM.

2. As mentioned, 8 characters is the maximum for an UnTrusted system, and you can define the maximum length in SAM under the Auditing section, System Security Policies. The range is 1 through 40 (SAM will prompt you)

3. If a user's password expires, they cannot login until they change it. If the user never logs in, you can set the account to lock automatically by choosing Auditing->System Security Policies and the General User Account values. Set the value for Maximum Inactive Time (days) to 42 and now any account that is not used (no login) for 42 days will be locked. You can also set a time to lock the account if the password is not changed. It is called Password Life Time (days) and is in the section Password Aging Policies. Note that Password Life Time must be longer than Password Expiration Time. The Expiration time is the time when the password must be changed. The account is not locked but the user must change the password before a login can be completed. Exceeding the Password Life Time means that the account will be immediately locked and only root can unlock the account.



Bill Hassell, sysadmin
Petr Simik_1
Valued Contributor

Re: Password

1. You can (should) set up your own. Security rules recommend changing the password every 1 month. See User security policy. There is a possibility to set up:
a) how many days before expiration the system asks you to change the passwd
a2) when the system expires you are immediately asked to change the passwd
b) how many days after expiration the account is locked.

2) min 6, max 40

3) In the user policy, set up 0 days after expiration:
SAM -> auditing & security -> general user account policies

Ngoh Chean Siung
Super Advisor

Re: Password

Hi,

I still have some points that are not clear.

For all the users,
i) under Password Aging Policies, I have set as below

Password Expiration Time (days): 42

Password Life Time (days): 999

ii) under General User Account Policies, I have set as below

Lock Inactive account is disabled

Q1) How do I set it so that if the user does not log in within 42 days, the system will lock the user account and not disable it? Only root can reactivate the locked account.

Q2) How do I set it so that if the user does not log in AFTER 42 days, the system will lock the user account and not disable it? Only root can reactivate the locked account.

Q3) For Q1) and Q2) above, how do I exclude some of the users from the above settings?

Q4) I have gone through the help in SAM but am still quite confused about
i) Password Life Time
ii) Lock Inactive User Accounts and Maximum Inactive Time for User Account

regards.
Sridhar Bhaskarla
Honored Contributor

Re: Password

Hi,

Let me try to clarify some of the definitions and then you can see how you can use them to set what you want.

Expiration Time: After this, the password will expire. The account will not be locked. In your case, passwords will expire after 42 days. Users will be prompted to change their password whenever they log in until they change it.

Lifetime: This is the time after which the account will be locked if the password is not changed. Only root can unlock the account.

Now there are a couple more things you need to consider. Enable "Lock Inactive Accounts" in the "General User Account Policies" window. You will see "Maximum Inactivity Time". This specifies how long the user account should be allowed to stay active if it is not accessed.

Your Q1 and Q2 look the same. So, the answer is:

Set your Maximum Inactivity Time to 42. This way only root can unlock the account. The user will need to change his/her password anyway, as this setting passes the expiration time too.

The difference between 'lifetime' and 'inactive time' is all about the 'password'. If the password is not changed within the 'lifetime', then the account will be locked. If the user doesn't access the account for 'inactive time', then the account will be locked.

For individual users, you will have to select (multiple) in SAM 'users area' and set the policies individually. Or you can simply use the following script:

# Set expiration time, lifetime and max time between logins to 0
# for each listed account
for USER in user1 user2 user3 user4
do
    modprpw -m exptm=0,lftm=0,llog=0 "$USER"
done

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
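
The difference between Expiration Time, Life Time and Maximum Inactive Time described in the replies above, as an added example that is not part of any post and is not HP-UX code. It assumes a value of 0 switches a control off; the function names, state names and the 90-day review threshold are hypothetical.

```shell
#!/bin/sh
# Added illustration, not HP-UX code: a model of the three trusted-mode
# settings as the replies describe them. Assumption: 0 switches a control off.

# account_state EXPTM LFTM LLOG PW_AGE IDLE   (all in days)
#   EXPTM/LFTM/LLOG: Password Expiration Time, Password Life Time,
#   Maximum Inactive Time. PW_AGE: days since last password change.
#   IDLE: days since last login.
account_state() {
    exptm=$1; lftm=$2; llog=$3; pw_age=$4; idle=$5
    # Password Life Time must be longer than Password Expiration Time.
    if [ "$exptm" -gt 0 ] && [ "$lftm" -gt 0 ] && [ "$lftm" -le "$exptm" ]; then
        echo "invalid-policy"; return 1
    fi
    # Either lock needs root to clear, so report locks before expiry.
    if [ "$lftm" -gt 0 ] && [ "$pw_age" -gt "$lftm" ]; then
        echo "locked-lifetime"
    elif [ "$llog" -gt 0 ] && [ "$idle" -gt "$llog" ]; then
        echo "locked-inactive"
    elif [ "$exptm" -gt 0 ] && [ "$pw_age" -gt "$exptm" ]; then
        echo "must-change-password"
    else
        echo "ok"
    fi
}

# audit_policy EXPTM LFTM LLOG [MAX_GRACE]
# Lists settings that leave a dormant account open to login. MAX_GRACE
# (default 90 days) is a hypothetical review threshold, not an HP-UX value.
audit_policy() {
    exptm=$1; lftm=$2; llog=$3; max_grace=${4:-90}; findings=""
    if [ "$llog" -eq 0 ]; then findings="$findings no-inactivity-lock"; fi
    if [ "$lftm" -eq 0 ]; then findings="$findings no-lifetime-lock"; fi
    if [ "$exptm" -gt 0 ] && [ "$lftm" -gt "$exptm" ]; then
        grace=$((lftm - exptm))
        if [ "$grace" -gt "$max_grace" ]; then
            findings="$findings grace-${grace}d"
        fi
    fi
    echo "${findings# }"
}

# Constructed sample: the settings posted in the thread (42 / 999 / lock
# disabled) for a user idle for 400 days.
account_state 42 999 0 400 400
audit_policy 42 999 0
```

With the settings posted earlier in the thread, an account left untouched for 400 days is still only asked for a new password at login; enabling the inactivity lock or shortening the life time is what makes it lock.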
Sanjay_6
Honored Contributor

Re: Password

Hi,

this may be a useful doc,

http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

Hope this helps.

regds