Operating System - HP-UX

Re: root password aging considerations

 
Nikos Katagas
Advisor

root password aging considerations

Hi all, I'm wondering what the general consensus is on implementing password aging on root's password on trusted systems.
Obviously a good idea to change the root password once in a while but if the password expires, the root account is disabled... Is there any way to have the root password expire but NOT lock the account and on next login ask the user to change the password?
Thanks in advance.
Darrel Louis
Honored Contributor

Re: root password aging considerations

Nikos,

I wouldn't choose password aging for the root account; you would do better to choose a procedure in which you describe how often you want to change the root password and when.

Root account should never expire:
/usr/lbin/getprpw -m lftm,exptm,mintm,acctexp root
lftm=0, exptm=0, mintm=0, acctexp=-1

(Change settings by:
/usr/lbin/modprpw -m lftm=0,exptm=0,mintm=0,acctexp=-1 root)

If lftm=0, password aging is disabled.
If acctexp=-1, account expiration is disabled (set to infinity).

Darrel
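
An added example, not part of the reply above or of any HP tooling: a shell function that compares a getprpw -m output line with the values quoted in that reply and reports every field that differs. The function names and sample lines are constructed for illustration, and the output format is assumed to be exactly the one shown in the reply.

```shell
#!/bin/sh
# Added example: compare a getprpw -m output line with the values quoted in
# the reply above (lftm=0, exptm=0, mintm=0, acctexp=-1).

# Expected values, taken from the reply above.
EXPECTED="lftm=0 exptm=0 mintm=0 acctexp=-1"

# field_value LINE NAME -> prints the value of NAME in an "a=1, b=2" line.
field_value() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | while IFS='=' read -r key val; do
        if [ "$key" = "$2" ]; then
            printf '%s\n' "$val"
        fi
    done
}

# check_root_aging LINE -> prints one line per deviating or missing field,
# returns 0 when every expected field matches and 1 otherwise.
check_root_aging() {
    line=$1
    status=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(field_value "$line" "$name")
        if [ -z "$got" ]; then
            echo "MISSING $name (expected $want)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "DIFF $name=$got (expected $want)"
            status=1
        fi
    done
    return $status
}

# Constructed sample lines in the output format shown in the reply.
SAMPLE_OK="lftm=0, exptm=0, mintm=0, acctexp=-1"
SAMPLE_AGING="lftm=90, exptm=60, mintm=0, acctexp=-1"

# On an HP-UX trusted system the live check would be (run as root):
#   check_root_aging "$(/usr/lbin/getprpw -m lftm,exptm,mintm,acctexp root)"
check_root_aging "$SAMPLE_OK" && echo "root matches the quoted settings"
check_root_aging "$SAMPLE_AGING" || echo "root deviates from the quoted settings"
```
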
Nikos Katagas
Advisor

Re: root password aging considerations

Hi Darrel, thanks for your answer. I guess not implementing password aging for root is indeed the safest solution.
Any other opinions are of course welcome. And if someone can point out a way to have password aging on root but after expiration instead of locking the account, have the user ask for a new password, I'd be most grateful.
Jaime Bolanos Rojas.
Honored Contributor

Re: root password aging considerations

Nikos, I do not know if what you are asking is possible, but you can play around with it a little bit. If you go to SAM, users, and then pick a user and go to the actions menu, you are going to have some options to play around with.
Talking about root, it is never a good idea just to use root; I would use sudo to get to the root account and then set the password aging on the regular user and not on root.
That way, if you get locked out, it was just a regular user.
For root, you can think of a policy to change the password every once in a while if you think it's time to, for security reasons.

Regards,

jaime.
Work hard when the need comes out.
Geoff Wild
Honored Contributor

Re: root password aging considerations

We do expire the root password - but the account doesn't get locked.

We use a third party App (now called BoKS Server Control) from Fox Technologies.

As far as changing it, we change it maybe once a year or when someone leaves.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.