Operating System - HP-UX

Set PASSWORD within the users .profile

 
patrick coutinho
Frequent Advisor


Hi,

I am facing a unique situation. I have a user who uses a thin client application software, namely Oracle Financial Analyser, to access the Oracle Database for reporting purposes. This thin client needs an OS user to be available for this purpose. Initially what I did was to restrict all telnet access for this user and only allow ftp access. This I have achieved by assigning a "/usr/bin/false" shell to this user.

Now the problem is, what happens when the user's OS level password expires, which is set to 30 days. Since the user does not have any telnet access, he cannot change/choose another password.

Suppose I give the user telnet access and then edit his .profile file to include only the command for password changing and then exit. This is an idea I had.

Please give me any/all suggestions on how to go about achieving this. To sum it up, the user needs to be able to change his OS login password every 30 days in order to access the Oracle Financial Analyser apps. And I need to keep it secure. I don't want the user to have any shell access.

Need all the ideas, scripts etc. that I can get to achieve this. Thanks to everyone in advance.

Many thanks & Regards,

Patrick
KapilRaj
Honored Contributor

Re: Set PASSWORD within the users .profile

Do you really want his password to be expired? Why don't you change the policy?

Kaps
Nothing is impossible
Fred Ruffet
Honored Contributor
Solution

Re: Set PASSWORD within the users .profile

If you use his .profile to make passwd and exit, and if he can do ftp, he can replace his own .profile...

You should maybe add /usr/bin/passwd as a valid shell in /etc/shells and give him this shell. As long as he has a valid shell he can ftp, but when he makes telnet, it launches passwd then exits.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Robert-Jan Goossens
Honored Contributor

Re: Set PASSWORD within the users .profile

Patrick,

I disable the user; only when they call do I enable it for the period they need.

Regards,
Robert-Jan
Bharat Katkar
Honored Contributor

Re: Set PASSWORD within the users .profile

Hi Patrick,
We have a similar user and we set his policy such that the password never expires.
I don't see any harm in that. In case you want to keep on modifying the password, let the administrator spare some time doing that once in 15 days.
You need to know a lot to actually know how little you know
generic_1
Respected Contributor

Re: Set PASSWORD within the users .profile

Give the user sudo access to change the password only for that account and have them log in through a regular account of their own through ssh to do it :). That would save you some headache, but not the user.
Senthil Kumar .A_1
Honored Contributor

Re: Set PASSWORD within the users .profile

Hello Patrick,

The best option would be to make the passwords never expire. You can intervene as administrator if the passwords need to be changed. To set a non-expiring password, do as follows.

For a non-expiring password the time frame for max days (-x) should be less than the time frame meant for min days (-n). For example, if the user is "tom"

Then,
#passwd -x 1 -n 2 tom

I hope this solves the issue,

Regards,
senthil
Let your effort be such, the very words to define it, by a layman - would sound like a "POETRY" ;)
Robert True
Frequent Advisor

Re: Set PASSWORD within the users .profile

Just an added word on senthil's advice:

the value of 'x' must be 0, while 'n' can be anything greater than '0', in order to prevent the user from changing the passwd, at least on my untrusted systems.

As an aside: if root changes the passwd (ie: 'passwd ') then 'passwd -x 0 -n 1 ' must be run again afterward. The passwd cmd by itself will remove the passwd aging bits, in this (x < n) combination. Again this is on my untrusted systems.

Looking at this has solved the puzzle of disappearing 'root only passwd changes' on my systems. If I am missing a patch or something, I don't know.
patrick coutinho
Frequent Advisor

Re: Set PASSWORD within the users .profile

Thanks everyone. My problem was resolved with Fred's advice. I have used the shell /usr/bin/passwd and now the user can only change his password on login and then it exits. Thanks Fred, and thanks everyone else who has contributed with their valuable advice. Points assigned. Sorry for the delay.

One question: as Fred put it, if a user has ftp access only, he can still ftp a .profile file of his own creation to his directory and then get full privileges. That's true, is it not? Any ideas on how to address this security issue?

Thanks & Rgds

Pat
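
An audit for the concern raised in this thread, as an added example that is not code from any poster: it reads a passwd-format file and lists accounts whose login shell is one of the restricted programs named above (`/usr/bin/false`, `/usr/bin/passwd`) but whose home directory or `.profile` is still owned by the account and owner-writable, so a file-transfer login could replace it. The function names, the `RESTRICTED_SHELLS` list and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find "no shell" accounts that can
# still rewrite their own home directory or .profile, e.g. over FTP.

# Login programs treated as "no interactive shell" (the two used in the thread).
RESTRICTED_SHELLS="/usr/bin/false /usr/bin/passwd"

# owner_writable_by PATH UID
# True when PATH exists, its numeric owner is UID and the owner write bit is set.
owner_writable_by() {
    [ -e "$1" ] || return 1
    # ls -ldn prints: mode links uid gid ...; character 3 of mode is owner "w".
    ls -ldn "$1" | awk -v uid="$2" \
        '{ exit !($3 == uid && substr($1, 3, 1) == "w") }'
}

# audit_restricted PASSWD_FILE [ROOT_PREFIX]
# Prints "account:path" for every finding. ROOT_PREFIX (hypothetical, default
# empty) is prepended to each path so a copied tree can be checked offline.
audit_restricted() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r name _pw uid _gid _gecos home shell; do
        # Only look at accounts whose shell is on the restricted list.
        case " $RESTRICTED_SHELLS " in
            *" $shell "*) ;;
            *) continue ;;
        esac
        for p in "$home" "$home/.profile"; do
            if owner_writable_by "$root$p" "$uid"; then
                echo "$name:$p"
            fi
        done
    done < "$passwd_file"
}

# Stand-alone use: sh audit.sh /etc/passwd
if [ $# -gt 0 ]; then
    audit_restricted "$@"
fi
```

A finding is usually cleared by making the listed directory or file owned by root and not writable by the account.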