Operating System - HP-UX

Paul Wright
Advisor

passwords expired and restrictions now in place.


This afternoon ALL of the passwords on our test machine expired (no warnings). When I tried to restore the passwords to what they were, I was confronted with restrictions that were not there before. Before I could have a login ID = bill and the password could = bill. Now it will not allow a password to = a login ID and the password has to be at least 6 characters. I have no idea how any of this started but I would really like to get rid of the restrictions on the passwords......HELP.

Thanks in advance

Paul
10 REPLIES
Ray Brewer
Valued Contributor

Re: passwords expired and restrictions now in place.

Have you converted to a trusted system and which OS are you on?
If you are on a trusted system then all or at least most of the restrictions can be disabled in sam under "Auditing and Security". Also if you are on an 11.0 or greater system you can define the minimum password length in /etc/default/security. This file may not exist so you may have to create it. See "man security" for the syntax and options used in this file.

Ray
Ted Ellis_2
Honored Contributor

Re: passwords expired and restrictions now in place.

If secure system conversion was done, it can be reversed. If you want passwords = to usernames, then I can see no reason why you would care to be a trusted system. SAM can be used to reverse the changes for trusted system. You may want to check with any other admins who have root access... make sure they were not trying out the concept. When/if trusted system reversed, the root user can set a password to whatever is desired... though I would recommend a change from the desired convention to something at least lightly secure. If this system shares the network with production machines, you could be setting yourself up for a serious compromise.

For Trusted system stuff... in sam

go to "Auditing and Security" and then "System Security Policies"
Paul Wright
Advisor

Re: passwords expired and restrictions now in place.

I have HPUX 11.0. The "Auditing & Security" section of SAM does not allow you to set MINIMUM characters for a password, only for maximum. And how do you reverse a trusted system?????????
Ted Ellis_2
Honored Contributor

Re: passwords expired and restrictions now in place.

Highlight the "System Securities Policies" and hit enter... it should return with either a prompt that you need to make this a trusted system to proceed... or move you to the next level. If you get the first one, it is not a trusted system. Also look at your /etc/passwd file... if a shadow file is in use, then you will no longer see the encrypted password in this file... that is normally the second field on any line (delimited by :)
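The /etc/passwd check described in the post above, as an added example that is not part of the original thread: it classifies the second field of each account so you can see whether password hashes are still stored in the world-readable file. The function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: classify field 2 (the password field) of passwd-format input.
# Function names are hypothetical; the sample data is constructed and the
# hash strings in it are placeholders, not real hashes.

# Reads passwd-format lines on stdin, prints "<user> <class>" per account:
#   hash-in-passwd   field 2 holds a hash that any local user can read
#   moved-or-locked  field 2 is "*" or "x": the hash is not in this file
#   empty            field 2 is empty: no password is required
#   malformed        fewer than 7 colon-separated fields
classify_passwd() {
    awk -F: '
        NF == 0 || /^#/        { next }
        NF < 7                 { print $1, "malformed"; next }
        $2 == ""               { print $1, "empty"; next }
        $2 == "*" || $2 == "x" { print $1, "moved-or-locked"; next }
                               { print $1, "hash-in-passwd" }
    '
}

# count_class CLASS: number of accounts on stdin that fall in CLASS.
count_class() {
    classify_passwd | awk -v c="$1" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample in /etc/passwd layout (user:passwd:uid:gid:gecos:home:shell).
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
bill:AbCdEfGhIjKlM:101:20:Bill:/home/bill:/usr/bin/sh
ann:x:102:20:Ann:/home/ann:/usr/bin/sh
guest::103:20:Guest:/home/guest:/usr/bin/sh
ops:NoPqRsTuVwXyZ:104:20:Ops:/home/ops:/usr/bin/sh
EOF
}

# With a file argument, classify that file; otherwise show the sample.
if [ $# -gt 0 ]; then
    classify_passwd < "$1"
else
    sample_passwd | classify_passwd
fi
```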
Michael Tully
Honored Contributor

Re: passwords expired and restrictions now in place.

Looks like someone has 'trusted' your system. If you don't know who, perhaps after this is fixed, change the root password.

The easiest way to un-trust a system is to run:

# tsconvert -r

Make sure that you have a couple of sessions logged on as 'root' already.

HTH
Michael

PS Trusting a system will *immediately* expire all passwords on your system.
Anyone for a Mutiny ?
Ray Brewer
Valued Contributor

Re: passwords expired and restrictions now in place.

You are correct, SAM does not allow you to set a minimum password length. This is where the file /etc/defaults/security comes in. Read the man page on "security".
MAD_2
Super Advisor

Re: passwords expired and restrictions now in place.

Michael, I have a couple of questions regarding a switch to Trusted Mode. I will be switching one of my systems to "trusted" soon and you mentioned that all passwords are immediately expired, here are my questions:

Once switched to trusted, can the passwords be set to the same they were before the switch occurs? Currently all my passwords are 8 characters long or less and all have combinations of letters and numbers (non-English words, and with the numbers in between they are really not of any language).

Also, I read something about generation of "Authorization Numbers" when new accounts are created under the "Managing Passwords and System Access" of the HP-UX System Administration Tasks manual. How does this work? Is this number used the first time as a password for new users before their password generation?
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Darren Prior
Honored Contributor

Re: passwords expired and restrictions now in place.

Paul,

How many other people have root access to this machine? The symptoms you have provided suggest that the system has been trusted. Before you just go and untrust the system, please check with your fellow administrators to find out who trusted it and why.

regards,

Darren.
Calm down. It's only ones and zeros...
Ray Brewer
Valued Contributor

Re: passwords expired and restrictions now in place.

Adam,
Simply switching to trusted does not expire all passwords. In the Auditing and Security section of SAM there is an option to expire all passwords immediately. This is something that can be selected at the time of conversion or any time after that. By default it does not expire passwords. As long as all of your passwords are 8 characters or less they will be fine. There are several password rules that you can enforce but it is entirely up to what your needs are. As far as "Authorization Numbers" I have no information on that so maybe someone else can answer that part. I do know that with a trusted system you are given choices as to how a password is generated, either system, pronounceable, or pick your own. I think there are a couple of others too.

Ray
Sridhar Bhaskarla
Honored Contributor

Re: passwords expired and restrictions now in place.

Hi,

When a system is converted to trusted, "by default", the passwords will be expired. No need to panic. You can turn it off by using either SAM -> Auditing and Security -> System Security Policies -> Password Aging Policies -> Password Aging (disable)

or using the command line "/usr/lbin/modprdef -m exptm=0" immediately after converting the system to trusted.

Another important parameter that may annoy you is "unsuccessful Login Tries allowed" under "General User Account Policies" if it is set to the default value of 3. Particularly for root. You may selectively change these parameters by selecting the user in "Users and Groups" and options menu.


-Sri
You may be disappointed if you fail, but you are doomed if you don't try