
Re: Prevent user from changing their password

Thomas Corner
New Member

Prevent user from changing their password

Is there a way in HPUX to disable a user's ability to change their password?
Thanks in advance.
Mel Burslan
Honored Contributor

Re: Prevent user from changing their password

If you are not running in a trusted computing environment, this command will modify the USER's password change ability from self to changeable by superuser-only:

/usr/sam/lbin/usermod.sam -p *,./ $USER

As you can guess, since this is a SAM-specific command script, it is not supported by HP and may change at any time.
________________________________
UNIX because I majored in cryptology...
Jaime Bolanos Rojas.
Honored Contributor

Re: Prevent user from changing their password

Thomas,

I have never done something like this, but if it's possible to implement, it is done by converting your server to a trusted system.
You basically want to go to SAM, Auditing and Security, Audited Users, and if your system is not converted to trusted it will ask you to; if not, go to the Actions menu and select Convert System.

After that, select a user and play with the policies available for it.

Regards,

jaime.
Work hard when the need comes out.
Victor Fridyev
Honored Contributor

Re: Prevent user from changing their password

I don't understand the reason for that, but you can rename /usr/bin/passwd.

Just out of curiosity: why do you need this?
Entities are not to be multiplied beyond necessity - RTFM
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Prevent user from changing their password

It can even be done on an untrusted system by enabling passwd aging. If the minimum time between changes is set less than the maximum allowed passwd age, then a normal user is not allowed to change the password. Man 4 passwd for details.
If it ain't broke, I can fix that.
Thomas Corner
New Member

Re: Prevent user from changing their password

I should have stated that this is a HPUX 11.0 system in trusted mode. There are no options in SAM to prevent the user from changing their password, or a CLI command that I'm aware of.
The reason I need to do this is the password was changed but the user denies any knowledge of doing it.
Thomas Corner
New Member

Re: Prevent user from changing their password

Thanks everyone for the replies so far.
A. Clay Stephenson,
I was thinking along those lines; however, we have over 450 users on this system and I need to prevent just one user. If I enabled password aging, I believe it could potentially break numerous other accounts and scripts. Is there a way to enable password aging for one account?
Thanks

inventsekar_1
Respected Contributor

Re: Prevent user from changing their password

Thomas,
You can use passwd aging for one user alone.

passwd aging is simply for one user only.

"man passwd" will give you information
Be Tomorrow, Today.
Thomas Corner
New Member

Re: Prevent user from changing their password

Thanks everyone, especially A. Clay Stephenson & Sekar,
I read the man pages before posting, but the answer didn't jump out at me. I will give it a try.
A. Clay Stephenson
Acclaimed Contributor

Re: Prevent user from changing their password

Passwd aging on an untrusted system can only be set on a user-by-user basis so that would not be a problem. The solution on a trusted system is quite similar (and analogous) to the untrusted system; you change the equivalent field for that user in his TCB entry. Do a man 4 prpwd and have a look at the u_minchg field and see if a solution doesn't pop into your head. If no solution pops into your head then apply a few light taps with a small ball-peen hammer and see if anything "pops"; if that fails after displaying the man 4 prpwd page then read it. The TCB entry is a text file and can be manipulated directly with a text editor or via the modprpw command.
If it ain't broke, I can fix that.
inventsekar_1
Respected Contributor

Re: Prevent user from changing their password

-n min Determine the minimum number of days, min, that must
transpire before the user can change the password.

-x max Determine the maximum number of days, max, a password
can remain unchanged. The user must enter another
password after that number of days has transpired,
known as the password expiration time.

----------------------------------------------------------
Now, if min days is greater than max days, the user cannot change their password.

Try it like this (as root):
passwd -n 10 -x 5 username
Be Tomorrow, Today.
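
Added example (not code from any poster in this thread): on an untrusted system the aging settings discussed above are stored after a comma in the password field of /etc/passwd, as in the `,./` suffix from the usermod.sam reply, and this sketch decodes that suffix per passwd(4) to show which accounts are superuser-only. The account names and placeholder hashes are constructed; trusted systems keep the equivalent values in the TCB entry instead.

```shell
#!/bin/sh
# Decode the aging suffix of a passwd(4) password field: "hash,MmWW"
#   M = max weeks, m = min weeks, WW = week of last change (may be absent).
# Each character is one digit from this 64-character alphabet: . / 0-9 A-Z a-z
AGE_CHARS='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# age_value CHAR -> 0..63 (64 means the character is not in the alphabet)
age_value() {
    before=${AGE_CHARS%%"$1"*}      # everything left of the first match
    echo "${#before}"
}

# aging_status PASSWD_LINE -> "user max=N min=N verdict" or "user no-aging"
aging_status() {
    user=${1%%:*}
    field=${1#*:}; field=${field%%:*}
    case $field in
        *,??*) aging=${field#*,} ;;
        *)     echo "$user no-aging"; return 0 ;;
    esac
    tail=${aging#?}
    first=${aging%"$tail"}          # max-weeks character
    second=${tail%"${tail#?}"}      # min-weeks character
    max=$(age_value "$first")
    min=$(age_value "$second")
    if [ "$max" -gt 63 ] || [ "$min" -gt 63 ]; then verdict=invalid-aging-field
    elif [ "$max" -eq 0 ] && [ "$min" -eq 0 ]; then verdict=must-change-at-next-login
    elif [ "$min" -gt "$max" ]; then verdict=superuser-only
    else verdict=user-may-change
    fi
    echo "$user max=$max min=$min $verdict"
}

# Constructed sample entries (placeholder hashes, hypothetical users).
while IFS= read -r line; do aging_status "$line"; done <<'EOF'
appuser:HASHPLACEHOLD,./:201:20::/home/appuser:/usr/bin/sh
alice:HASHPLACEHOLD,A0:202:20::/home/alice:/usr/bin/sh
bob:HASHPLACEHOLD:203:20::/home/bob:/usr/bin/sh
EOF
```

Running the same loop over the real /etc/passwd gives a quick audit of which accounts already have a minimum greater than the maximum.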
Peter Nikitka
Honored Contributor

Re: Prevent user from changing their password

Hi,

I have a cronjob running on each (NIS)-Server which checks the /etc/passwd (+ /etc/shadow if used) and collects and analyzes changes.
These are reported to a logfile, so I can tell the user when a password (or other data of his account) has changed.

I cannot attach the script now, but I will do it on request tomorrow.

Kind regards, Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Michael D. Zorn
Regular Advisor

Re: Prevent user from changing their password

Peter Nikitka:

"I have a cronjob running on each (NIS)-Server which checks the /etc/passwd (+ /etc/shadow if used) and collects and analyzes changes."

Are you running auditing? I think that would pick up 'passwd' changes.

Still, your method may be simpler.
Marvin Strong
Honored Contributor

Re: Prevent user from changing their password

Hey Tom,
Did you check their shell history and see if they ran the passwd command? Unless they killed the history file. That should be an easy way to prove they did it.