
TRUST and passwd status

 
chin hyeon jung
Advisor

TRUST and passwd status

Hi
I am the administrator of an HP-UX machine.
A few days ago I converted a normal system to a trusted system, and today I received a message about an expired id.
So I have to check all ids on the system to see if there is any expired id.
First I check the lockout bit using
"/usr/lbin/getprpw -m lockout id"
I thought that if the lockout bits are zero then there is no expired id,
but it did not take much time to find out I was wrong.
After 3~5 minutes, I received a message about an expired id.
When I used "logins -x -l id"
there was PS, and this means "not LOCK".
Could you help me?
Is there any good idea or good method of finding expired ids?
Following is the result for the A id.
** get before expired time **
hanatest:/tmp> more j
uid=102, bootpw=NO, audid=10, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=-1, spwchg=Wed Oct 2 02:19:40 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Sat Oct 12 01:54:54 2002, ulogint=Wed Oct 2 02:18:01 2002, sloginy=pts/tc, culogin=-1, uloginy=pts/ta, umaxlntr=-1, alock=NO, lockout=0000000
#logins -x -l admin1
admin2 110 users 20
/staff/admin2
/sbin/sh
PS 100102 30 30 0
ha

*** After expired id ***
/usr/lbin/getprpw admin1
uid=102, bootpw=NO, audid=10, audflg=1, mintm=0, maxpwln=-1, exptm=1, lftm=-1, spwchg=Wed Oct 2 02:19:40 2002, upwchg=-1, acctexp=-1, llog=-1, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Sat Oct 12 01:54:54 2002, ulogint=Wed Oct 2 02:18:01 2002, sloginy=pts/tc, culogin=-1, uloginy=pts/ta, umaxlntr=-1, alock=NO, lockout=0000000

#logins admin1

admin1 102 users 20
/staff/admin1
/sbin/sh
PS 100302 0 3 0
ha


9 REPLIES
Darren Prior
Honored Contributor

Re: TRUST and passwd status

Hi,

Take a look at the following document in the knowledge base: USECKBRC00008606

NB: You will need to have your contract linked to your ITRC login to be able to view this.

It contains info and a script to help you find deactivated users.

regards,

Darren.
Calm down. It's only ones and zeros...
Emmanuelle
Advisor

Re: TRUST and passwd status

hi,

Here is a document which could help you
Bill Hassell
Honored Contributor

Re: TRUST and passwd status

The attached script will scan every user in the system and report all deactivated users. There is a -v option that shows user IDs that were deactivated (i.e., * in passwd file) PRIOR to the conversion to a Trusted system. Most of these are special system accounts that are normally deactivated, so the default is to not list them.


Bill Hassell, sysadmin
chin hyeon jung
Advisor

Re: TRUST and passwd status

Thanks for helping me!!
But that is not enough.
Try this!
First make an A id and check the telnet service, if it is possible.
In this step I get
exptm=-1,lftm=-1,expwarn=-1,lockout=0
Now I change the exptm field by modprpw
modprpw -m exptm=2
And then change the day by date
date 10141000 (from 10111000)
Now I must get the message
"Your passwd was expired"
At this point the result is the following
exptm=2,lftm=-1,expwarn=-1,lockout=0

Try this yourself!!
Using the lockout field we can't find expired ids.

What's wrong!!!
I can't find this out.
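One way to do the check the poster is doing by hand, as an added example that is not from the thread or from HP: parse the getprpw output format shown above and derive the password state from exptm, lftm and spwchg rather than from the lockout bits. The sample record, the reference clock and the 60/90-day system defaults are constructed from the poster's test; treating 0 as "no limit" is an assumption.

```python
from datetime import datetime

# Field meanings as the thread uses them (getprpw/prpwd conventions): exptm =
# password expiration time in days, lftm = password lifetime in days, spwchg =
# last successful password change, lockout = the 7 lockout bits, alock = admin
# lock.  -1 = "not set, system default applies"; 0 treated as "no limit" (assumed).
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_getprpw(text):
    """Turn 'k=v, k=v, ...' getprpw output into a dict (dates hold no commas)."""
    fields = {}
    for item in text.replace("\n", " ").split(","):
        key, _, val = item.strip().partition("=")
        if key:
            fields[key] = val.strip()
    return fields


def effective(value, default):
    """-1 means the field is not set in the user's entry: use the system default."""
    return default if int(value) == -1 else int(value)


def password_state(fields, now, default_exptm, default_lftm):
    """Return the reasons a login would be refused; an empty list means OK."""
    reasons = []
    if fields.get("alock", "NO") == "YES":
        reasons.append("administrator lock (alock=YES)")
    if fields.get("lockout", "0000000").strip("0"):  # any lockout bit set
        reasons.append("lockout bits set: %s" % fields["lockout"])
    changed = fields.get("spwchg", "-1")
    if changed != "-1":  # -1 would mean no successful password change on record
        age = (now - datetime.strptime(changed, TIME_FMT)).days
        exptm = effective(fields.get("exptm", "-1"), default_exptm)
        lftm = effective(fields.get("lftm", "-1"), default_lftm)
        if lftm > 0 and age >= lftm:
            reasons.append("password past lifetime (%d >= lftm %d days)" % (age, lftm))
        elif exptm > 0 and age >= exptm:
            reasons.append("password expired (%d >= exptm %d days)" % (age, exptm))
    return reasons


# Constructed sample modelled on the thread's admin1 record after
# 'modprpw -m exptm=2'; NOW is the clock the poster set with 'date 10141000'.
ADMIN1 = ("uid=102, bootpw=NO, mintm=0, maxpwln=-1, exptm=2, lftm=-1, "
          "spwchg=Wed Oct 2 02:19:40 2002, upwchg=-1, acctexp=-1, "
          "expwarn=-1, alock=NO, lockout=0000000")
NOW = datetime(2002, 10, 14, 10, 0, 0)


def check_admin1(default_exptm=60, default_lftm=90):  # assumed system defaults
    return password_state(parse_getprpw(ADMIN1), NOW, default_exptm, default_lftm)
```

The lockout bits stay 0000000 for this record, yet the password age (12 days) already exceeds exptm=2, which is exactly why a lockout-only scan misses it.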
Christian Gebhardt
Honored Contributor

Re: TRUST and passwd status

Hi
On a trusted system you can find information about users in the files
/tcb/files/auth/...

for example root:
/tcb/files/auth/r/root

Here you can find parameters for all Security User-Settings:
u_life# password life time
...
If an account is disabled you will find an entry in these files.
So you can do a
find /tcb/files/auth -type f -exec grep u_lock {} \;

u_lock@ is ok
u_lock: means that this user was locked

Chris
Darren Prior
Honored Contributor

Re: TRUST and passwd status

Hi,

Your example in your last post shows that lockout=0, so the account should not be expired. Check the u_lock parm using getprpw -m alock to see if the admin lock is on.

Your other variables for the user are set to the system defaults so you may wish to check to see what these are set to.

regards,

Darren.
Calm down. It's only ones and zeros...
chin hyeon jung
Advisor

Re: TRUST and passwd status

NO, every reply is not enough!!
However, I found that lftm is greater than exptm when I use samlog!!
Maybe this will be the answer!!
Is there any rule of aging?
Do you know??
Reply to me please!!
Michael Tully
Honored Contributor

Re: TRUST and passwd status

There are no actual rules for aging. These are generally made by company auditors and/or IT security managers.

As a guideline, this is what you could use.

Maximum 60 days between password changes. (in SAM 'Password Expiration Time days')
Minimum 7 days between password changes. (in SAM 'Time between password changes')
Password Expiration time (if you wish)
Password Life time 90 days
Anyone for a Mutiny ?
Darren Prior
Honored Contributor

Re: TRUST and passwd status

Hi Chin,

Your original question was, "how do I find expired id?" If the answers we're supplying aren't helping perhaps you could try rewording the question.

You may find that man 4 prpwd helps with definitions of the values used, also the man pages for getprpw and modprpw (if you are running 11i.)

regards,

Darren.
Calm down. It's only ones and zeros...