Operating System - HP-UX

Re: Trusted System Restrictions and ftp

 
Rpger Tavener
Occasional Advisor

Trusted System Restrictions and ftp

We have a 10.20 server running Trusted System with a security policy that disables an account after 128 days of inactivity. We also have a monthly ftp job on another server that logs in (via ftp) to this server. My question is: why would the account be disabled due to inactivity when we have a monthly job that comes in via ftp?

Thanks
When the only tool you own is a hammer, every problem looks like a nail!
3 REPLIES 3
Ian Dennison_1
Honored Contributor

Re: Trusted System Restrictions and ftp

Because 'ftp' is not the same as a 'sh' login session - different checks, different service managing the result.

How do you check the Userids? Can you not exclude those Userids with 'false' as a shell before checking the last login value?

Cheers, Ian Dennison
Building a dumber user
Stefan Farrelly
Honored Contributor

Re: Trusted System Restrictions and ftp

An ftp connection or session is not considered a login by the system and thus won't be covered by the inactivity rule. Best you can do is have ftp logging on (so that every file ftp'd to/from your server is logged into syslog) and check the syslog every 128 days or so, and if your ftp account hasn't done any ftp'ing then deactivate the account using modprpw.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
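
A sketch of the syslog check suggested in the reply above, as an added example that is not part of the original thread: it reports how many days have passed since an account's last logged ftp login. The log line shape, host names and account names are constructed assumptions; adjust the pattern to what your ftpd actually writes.

```shell
#!/bin/sh
# Added example: days since the last ftpd login recorded in syslog for one account.
# Assumed line shape (constructed, not taken from the thread):
#   Mon DD HH:MM:SS host ftpd[pid]: FTP LOGIN FROM remotehost, user
# usage: ftp_idle_days LOGFILE USER [YYYY-MM-DD]   (date defaults to today)
ftp_idle_days() {
    awk -v user="$2" -v today="${3:-$(date +%Y-%m-%d)}" '
    # Day count on the civil calendar; the year is treated as starting in
    # March so that the leap day falls at the end.
    function daynum(y, m, d) {
        if (m <= 2) { y--; m += 12 }
        return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2) / 5) + d
    }
    BEGIN {
        split(today, t, "-")
        now = daynum(t[1]+0, t[2]+0, t[3]+0)
        last = -1
    }
    /ftpd\[[0-9]+\]: FTP LOGIN FROM / && $NF == user {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        # syslog omits the year: assume the current one, and fall back to
        # the previous year when that would date the entry in the future.
        n = daynum(t[1]+0, m, $2+0)
        if (n > now) n = daynum(t[1]-1, m, $2+0)
        if (n > last) last = n
    }
    END { if (last < 0) print "never"; else print now - last }
    ' "$1"
}

# Constructed sample log (not real data) and the 128-day check from the thread.
log=${TMPDIR:-/tmp}/ftp_idle_demo.$$
cat > "$log" <<'EOF'
Dec 20 02:00:01 srv1 ftpd[2211]: FTP LOGIN FROM batchhost, ftpjob
Jan 20 02:00:03 srv1 ftpd[2345]: FTP LOGIN FROM batchhost, ftpjob
Feb 11 09:14:40 srv1 ftpd[2501]: FTP LOGIN FROM desk7, alice
EOF
idle=$(ftp_idle_days "$log" ftpjob 2001-03-15)
if [ "$idle" = never ]; then
    echo "ftpjob: no ftp login found in log"
elif [ "$idle" -gt 128 ]; then
    echo "ftpjob: idle $idle days, review the account"
else
    echo "ftpjob: last ftp login $idle days ago"
fi
rm -f "$log"
```

The year guess only holds while the log being read spans less than twelve months, so run it against logs that are rotated at least yearly.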
Ryan Green
Valued Contributor

Re: Trusted System Restrictions and ftp

As stated, ftp doesn't count toward the period of inactivity. But you can exclude the ftp account from expiring. There are two settings that must be changed to prevent the account from being locked out.

Using SAM, select the "account for users" option, then "Users". Pick the ftp account and under "Actions" select "Modify Security Policy". Then pick "Password Aging Policies" and set it to "Disabled." Then under "General User Account Policies" make sure that "Maximum period of inactivity" is set to "Disabled." Save the changes. This will prevent the account from being locked due to the password expiring or the maximum period of no-use being exceeded.