HPE Community
Operating System - HP-UX
1837183 Members
2999 Online
110113 Solutions
New Discussion

Setting Password restrictions w/o a trusted system

 
Ted Blahunka
Occasional Advisor

‎08-03-2001 01:11 PM

‎08-03-2001 01:11 PM

Setting Password restrictions w/o a trusted system

Does anyone know if/how it is possible to set
password restrictions ( alpha/numeric, min
length, history checks, etc) without going to
a trusted system?

Thanks

0 Kudos
Reply
2 REPLIES 2
Michael Tully
Honored Contributor

‎08-03-2001 01:50 PM

‎08-03-2001 01:50 PM

Re: Setting Password restrictions w/o a trusted system

Hi Ted,

Before the invention of trusted systems you could put a letter and number combination in your password file. Thi still works today. I managed to fin this in old HP System Admin Student Workbook.
At the end of the encrypted password you add ,char1char2
char1 is the maximum number of weeks the password is valid and char2 is the minimum number of weeks that must pass before the password can be changed. The following is a good guide:

Value # of weeks
. 0
/ 1
0-9 2-11
A-Z 12-37
a-z 38-63

so for example if you wanted a user to change their password somewhere between 11 and 2 weeks you would put ,A9

HTH
-Michael
Anyone for a Mutiny ?
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎08-03-2001 02:20 PM

‎08-03-2001 02:20 PM

Re: Setting Password restrictions w/o a trusted system

Hi Ted's:

Micheal's suggestions fall under 'password aging' and are documented in man 4 passwd.

I assume you are running NIS and that is why you don't want to convert to a trusted system.

In any event, to get beyond the simple improvements aging buys you, you have to become a C programmer. If you are running NIS,
there is a library routine, yppasswd that will
manipulate the passwd map and push the new passwd's to the client. Man 3N yppasswd for details.You would also then have to code a replacement for the yppasswd comand itself with all the restrictions you wish to apply.

You can also do the same thing with the passwd command; there are commands to manipulate the passwd file itself: getpwent() and putpwent() for details.

Your other option is to look into the 'PAM' (Pluggable Authenication Module) package.

The good news is that none of these is very difficult and you can make your rules as restrictive as you like. I can give you a hint as to how to reject passwd's as too easy and it's very easy to implement. After stripping numerics and punctuation from potential passwd's, you should then invoke the spell command as a system call. The rule is then if spell thinks it's a good word then it's a bad passwd. It also traps many common names. My user's think this is very irritating and forces them to generate creative and therefore good passwd's.

Regards, Clay
If it ain't broke, I can fix that.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.