HPE Community
Operating System - HP-UX
1834170 Members
2884 Online
110064 Solutions
New Discussion

Prevent user from changing their password

 
SOLVED
Go to solution
Thomas Corner
New Member

‎07-31-2006 06:57 AM

‎07-31-2006 06:57 AM

Prevent user from changing their password

Is there a way in HPUX to disable a users ability to change their password.
Thanks in advance.
0 Kudos
Reply
13 REPLIES 13
Mel Burslan
Honored Contributor

‎07-31-2006 07:09 AM

‎07-31-2006 07:09 AM

Re: Prevent user from changing their password

If you are not running in a trusted computing environment, this command will modify the USER's password change ability from self to changeable by superuser-only:

/usr/sam/lbin/usermod.sam -p *,./ $USER

as you can guess, since this is a SAM specific command script, it is not supported by hp and may change at any time.
________________________________
UNIX because I majored in cryptology...
0 Kudos
Reply
Jaime Bolanos Rojas.
Honored Contributor

‎07-31-2006 07:10 AM

‎07-31-2006 07:10 AM

Re: Prevent user from changing their password

Thomas,

I have never done something like, but if it's possible to implemented it is done converting your server to a trusted system.
You basically want to go to sam, auditing and security, audited users and if your system is not converted to trusted it will ask you to, if not go to the actions menu and select convert system.

After it select a user and play the the policies available for it.

Regards,

jaime.
Work hard when the need comes out.
0 Kudos
Reply
Victor Fridyev
Honored Contributor

‎07-31-2006 07:11 AM

‎07-31-2006 07:11 AM

Re: Prevent user from changing their password

I don't understand the reason for that, but you can rename /usr/bin/passwd.

Just curiosity: why do you need this ?
Entities are not to be multiplied beyond necessity - RTFM
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎07-31-2006 07:16 AM

‎07-31-2006 07:16 AM

Solution

Re: Prevent user from changing their password

It can even be done on an untrusted system by enabling passwd aging. If the minimum time between changes is set less than the maximum allowed passwd age, then a normal user is not allowed to change the password. Man 4 passwd for details.
If it ain't broke, I can fix that.
Reply
Thomas Corner
New Member

‎07-31-2006 07:20 AM

‎07-31-2006 07:20 AM

Re: Prevent user from changing their password

I should have stated that this is a HPUX 11.0 system in trusted mode. There are no options in SAM to prevent the user from changing their password, or a CLI comamnd that I'm aware of.
The reason I need to do this is the password was changed but the user deny's any knowledge of doing it.
0 Kudos
Reply
Thomas Corner
New Member

‎07-31-2006 07:36 AM

‎07-31-2006 07:36 AM

Re: Prevent user from changing their password

Thanks everyone for the replies so far.
A. Clay Stephenson,
I was thinking along those lines however we have over 450 users on this system and I need to prevent just one user. If I enabled password
aging, I believe it could potentially break numerous other accounts and scripts. Is there a way to enable password aging for one account?
Thanks

0 Kudos
Reply
inventsekar_1
Respected Contributor

‎07-31-2006 07:44 AM

‎07-31-2006 07:44 AM

Re: Prevent user from changing their password

Thomas,
u can use passwd aging for one user alone.

passwd aging is simply for one user only.

"man passwd" will give you information
Be Tomorrow, Today.
Reply
Thomas Corner
New Member

‎07-31-2006 07:59 AM

‎07-31-2006 07:59 AM

Re: Prevent user from changing their password

Thanks everyone, especially A. Clay Stephenson & Sekar,
I read the man pages before posting, but the answer didn't jump out at me. I will give it a try.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎07-31-2006 08:02 AM

‎07-31-2006 08:02 AM

Re: Prevent user from changing their password

Passwd aging on an untrusted system can only be set on a user-by-user basis so that would not be a problem. The solution on a trusted system is quite similar (and analogous) to the untrusted system; you change the equivalent field for that user in his TCB entry. Do a man 4 prpwd and have a look at the u_minchg field and see if a solution doesn't pop into your head. If no solution pops into your head then apply a few light taps with a small ball-peen hammer and see if anything "pops"; if that fails after displaying the man 4 prpwd page then read it. The TCB entry is a text file and can be manipulated directly with a text editor or via the modprpw command.
If it ain't broke, I can fix that.
0 Kudos
Reply
inventsekar_1
Respected Contributor

‎07-31-2006 08:11 AM

‎07-31-2006 08:11 AM

Re: Prevent user from changing their password

-n min Determine the minimum number of days, min, that must
transpire before the user can change the password.

-x max Determine the maximum number of days, max, a password
can remain unchanged. The user must enter another
password after that number of days has transpired,
known as the password expiration time.

----------------------------------------------------------
now, if min days is greater than max days, the user able to cannt change their password.

try like this (as a root):
passwd -n 10 -x 5 username
Be Tomorrow, Today.
0 Kudos
Reply
Peter Nikitka
Honored Contributor

‎08-01-2006 03:01 AM

‎08-01-2006 03:01 AM

Re: Prevent user from changing their password

Hi,

I have a cronjob running on each (NIS)-Server which checks the /etc/passwd (+ /etc/shadow if used) and collects and analyzes changes.
These are reported to a logfile, so I can tell the user, when a password (or other data of his acount) have changed.

I cannot attach the script now, but I will do it on request tomorrow.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
0 Kudos
Reply
Michael D. Zorn
Regular Advisor

‎08-01-2006 04:05 AM

‎08-01-2006 04:05 AM

Re: Prevent user from changing their password

Peter Nikitka:

"I have a cronjob running on each (NIS)-Server which checks the /etc/passwd (+ /etc/shadow if used) and collects and analyzes changes."

Are you running auditing? I think that would pick up 'passwd' changes.

Still, your method may be simpler.
0 Kudos
Reply
Marvin Strong
Honored Contributor

‎08-01-2006 04:40 AM

‎08-01-2006 04:40 AM

Re: Prevent user from changing their password

Hey Tom,
Did you check their shell history and see if they ran the passwd command? Unless they killed the history file. That should be an easy way to prove they did it.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.