Operating System - HP-UX

System Default expire and lifetime.

 
brian_31
Super Advisor

System Default expire and lifetime.

I am running HP-UX 11.11 and I am getting the following messages from my security s/w (Symantec) regarding

lp has a greater expire time than the system default expire time

lp has a longer lifetime than the system default lifetime

The same message repeats over for all the Id's.

What is the default lifetime and expire time for an ID?

Thanks

Brian.
Tim Nelson
Honored Contributor

Re: System Default expire and lifetime.

Either use SAM to view security defaults or execute getprdef -m.

I would expect that daemon IDs like lp and others would always report this as they are daemon IDs that users do not have access to, they are completely disabled from username/password standpoint.

A. Clay Stephenson
Acclaimed Contributor

Re: System Default expire and lifetime.

Those values are defined in /tcb/files/auth/system/default.
If it ain't broke, I can fix that.
brian_31
Super Advisor

Re: System Default expire and lifetime.

I have the passwd expiring at 90 days and lifetime at 90. Is this wrong?

Thanks

Brian
A. Clay Stephenson
Acclaimed Contributor

Re: System Default expire and lifetime.

The typical value is for no system default lifetime but a finite expiration time (60-90 days is common). The idea is that most users do not have a lifetime and as long as they login within the expiration period their accounts do not expire --- the clock is reset with each login. For users such as contractors, it is common to set a lifetime on their individual accounts. However, there are no right or wrong values as those are determined by your company's policies.

Man prpwd for details.
If it ain't broke, I can fix that.
Tim Nelson
Honored Contributor

Re: System Default expire and lifetime.

Not necessarily wrong, but here is what could happen.

Lifetime is the number of consecutive days of non-use.

If a user does not log into a system but in 90 days remembers to reset their password, then the account will already be disabled due to the lifetime. So you are not giving the user, although they are not using the system, a chance to change their password.

I would set this to 90 days password expire and maybe 120 days lifetime. This way the user has a chance to change their password and keep the account active even though they currently may not need it. (Rules are different for different situations; adjust as you see fit.)

To address the initial question. It is irrelevant to set the password expire on a daemon account like lp as the account is disabled from login and has no password anyway.

I guess you could set it just to make your security checking happy :)

If you run a "/usr/lbin/getprpw lp" you will see that this account is locked.
skt_skt
Honored Contributor

Re: System Default expire and lifetime.

That looks normal.

See an example:

# /usr/lbin/getprpw lp
uid=9, bootpw=NO, audid=6, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, spwchg=Fri Nov 30 09:15:20 2001, upwchg=-1, acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Tue Nov 13 18:17:11 2001, ulogint=Mon Nov 26 11:03:44 2001, sloginy=-1, culogin=1, uloginy=pts/tj, umaxlntr=-1, alock=YES, lockout=1100011

See the lockout field:

REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"
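The following script is an added example, not code from this thread or from HP. It parses getprpw output of the form shown above, decodes the lockout field position by position using the REASON[1..7] list, and then applies the two checks the thread discusses: the scanner's comparison of a user's expire/lifetime against the system defaults, and Tim Nelson's point that a lifetime no longer than the expire time can lock an account before the user is ever forced to change the password. It assumes that getprpw prints -1 for a per-user value that is not set (the system default then applies), that 0 means "no limit", and that exptm/lftm are in days, as the thread talks about them. The lp line is the one quoted above; the alice and bob entries are constructed.

```python
"""Parse getprpw output from an HP-UX trusted system, decode the lockout
field and apply the expire/lifetime checks discussed in the thread."""

# Sample getprpw output. The lp line is the one quoted in the thread; alice
# and bob are constructed entries carrying only the fields this script reads.
SAMPLE_GETPRPW = {
    "lp": (
        "uid=9, bootpw=NO, audid=6, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, "
        "lftm=-1, spwchg=Fri Nov 30 09:15:20 2001, upwchg=-1, acctexp=-1, "
        "llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, "
        "admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, "
        "slogint=Tue Nov 13 18:17:11 2001, ulogint=Mon Nov 26 11:03:44 2001, "
        "sloginy=-1, culogin=1, uloginy=pts/tj, umaxlntr=-1, alock=YES, "
        "lockout=1100011"
    ),
    # constructed: 90-day expire and 90-day lifetime, as in the question
    "alice": "uid=1001, exptm=90, lftm=90, alock=NO, lockout=0000000",
    # constructed: 90-day expire and 120-day lifetime, as Tim suggests
    "bob": "uid=1002, exptm=90, lftm=120, alock=NO, lockout=0000000",
}

# Meaning of each position of the lockout field, in the order listed above.
LOCKOUT_REASONS = (
    "past password lifetime",
    "past last login time",
    "past absolute account lifetime",
    "exceeding unsuccessful login attempts",
    "password required and a null password",
    "admin lock",
    "password is a *",
)

UNLIMITED = float("inf")


def parse_getprpw(line):
    """Split 'key=value, key=value, ...' into a dict (values stay strings)."""
    fields = {}
    for item in line.split(", "):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_lockout(mask):
    """Return the reasons whose position in the mask is set, e.g. 1100011 -> 1, 2, 6, 7."""
    if len(mask) != len(LOCKOUT_REASONS) or set(mask) - {"0", "1"}:
        raise ValueError("unexpected lockout field: %r" % mask)
    return [reason for reason, bit in zip(LOCKOUT_REASONS, mask) if bit == "1"]


def is_locked(fields):
    return fields.get("alock") == "YES" or "1" in fields.get("lockout", "")


def effective(fields, key, default):
    """Assumption: -1 means the per-user value is not set, so the default applies."""
    value = int(fields.get(key, "-1"))
    return default if value == -1 else value


def days(value):
    """Assumption: 0 means no limit (Clay's 'no system default lifetime')."""
    return UNLIMITED if value == 0 else value


def check_aging(user, fields, default_exptm, default_lftm):
    """Reproduce the scanner's two messages plus the lifetime-vs-expire sanity check."""
    findings = []
    if is_locked(fields):
        reasons = decode_lockout(fields["lockout"]) or ["admin lock"]
        findings.append("%s is locked (%s); expire/lifetime settings are irrelevant"
                        % (user, "; ".join(reasons)))
        return findings
    exptm = days(effective(fields, "exptm", default_exptm))
    lftm = days(effective(fields, "lftm", default_lftm))
    if exptm > days(default_exptm):
        findings.append("%s has a greater expire time than the system default expire time" % user)
    if lftm > days(default_lftm):
        findings.append("%s has a longer lifetime than the system default lifetime" % user)
    if lftm <= exptm:
        findings.append("%s: lifetime (%s days) does not exceed expire time (%s days), so the "
                        "account can be locked for non-use before a password change is forced"
                        % (user, lftm, exptm))
    return findings


def report(default_exptm, default_lftm, entries=SAMPLE_GETPRPW):
    """Run check_aging over every getprpw line; returns {user: [findings]}."""
    return {user: check_aging(user, parse_getprpw(line), default_exptm, default_lftm)
            for user, line in entries.items()}


if __name__ == "__main__":
    # System defaults assumed here: 90-day expire, no default lifetime.
    for user, findings in report(90, 0).items():
        print(user, "->", findings or ["ok"])
```

With the assumed defaults (90-day expire, no lifetime) only alice, the 90/90 account from the question, gets a finding, and lp is reported as locked with reasons 1, 2, 6 and 7 rather than being judged on expire/lifetime at all, which is the point both Tim and skt_skt make.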