
Forcing password change

 
Mark Parsons
Valued Contributor

Hi,

We have recently been told to increase the number of characters in our passwords to 14. This we can easily do by amending the MIN_PASSWORD_LENGTH value in /etc/default/security.

However, this doesn't enforce the change until the user manually changes their password, having logged in with the previous 8 character password.

Is there a setting that will enforce ALL users to change their password accordingly on their next login? I know this can be done for individual users via passwd -f "username" but is there a way of setting it for all?

Release is HPUX 11.31.

Many thanks.

 

3 REPLIES
Bill Hassell
Honored Contributor

Re: Forcing password change

Yes there is a single command and option to expire every entry in /etc/passwd.

HOWEVER, this is *every* entry in the passwd file including subsystems like SAMBA shares, webadmin, www, sfmdb, tftp, oracle, sybase, etc. Now many of these entries may not actually log in but serve as an owner for files, etc. Automated logins for file transfers and other remote access will break. So if you force every entry in the passwd file to require a mandatory passwd change, a lot of unexpected things will happen.

So the command is: /usr/lbin/modprpw -E  <<<--- DON'T USE IT

Instead, use /usr/lbin/modprpw -e user-name

Then specify a specific user to expire. Then repeat with the other users on the system.

If you have a lot of users, you'll need to do a lot of typing or use a script.  

And if the auditors demand every password must change, be sure to schedule downtime to solve system issues.
This will be required because no one remembers the password for certain automated accounts.

Finally: the man page is very poor in documenting the effectiveness of the MIN_PASSWORD_LENGTH setting. It works for Trusted systems but there are other security services besides Trusted. Try the MIN_PASSWORD_LENGTH for a test user to see if it works.



Bill Hassell, sysadmin
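The scripted per-user approach described in the reply above, as an added example that is not part of the original post: it filters a passwd-format list down to interactive accounts and emits one `/usr/lbin/modprpw -e` call per user, in dry-run mode by default. The `MIN_UID` cutoff, the `SKIP` list, the function names and the sample passwd lines are assumptions constructed for illustration; adjust them to your site before feeding it `/etc/passwd`.

```shell
#!/bin/sh
# Added example: expire only reviewed interactive accounts, one at a time,
# instead of expiring every passwd entry with modprpw -E.

MIN_UID=100    # assumption: human accounts start at UID 100 on this system
# Assumed login names for the service accounts mentioned in the thread.
SKIP="oracle sybase www sfmdb tftp webadmin"

# Constructed sample in /etc/passwd format (not from a real system).
sample_passwd() {
cat <<'EOF'
root:*:0:3::/:/sbin/sh
www:*:30:1::/:/usr/bin/false
oracle:*:201:200:Oracle owner:/home/oracle:/usr/bin/ksh
mparsons:*:1001:20:Mark:/home/mparsons:/usr/bin/ksh
ftpxfer:*:1002:20:batch transfer:/home/ftpxfer:/usr/bin/false
jsmith:*:1003:20::/home/jsmith:/usr/bin/sh
EOF
}

# Read passwd-format lines on stdin; print login names with UID >= MIN_UID,
# a usable login shell, and no entry in SKIP.
select_users() {
    awk -F: -v min="$MIN_UID" -v skip="$SKIP" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) no[s[i]] = 1 }
        $3 + 0 < min             { next }   # system and subsystem UIDs
        $1 in no                 { next }   # known service or automation accounts
        $7 ~ /\/(false|nologin)$/ { next }  # shell that never gives a login
        { print $1 }'
}

# Print (DRY_RUN=1, the default) or run the per-user expiry command.
expire_users() {
    while read -r u; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "/usr/lbin/modprpw -e $u"
        else
            /usr/lbin/modprpw -e "$u" || echo "failed: $u" >&2
        fi
    done
}

# Dry run on the constructed sample; review the list before setting DRY_RUN=0.
sample_passwd | select_users | expire_users
```

On a real host, replace `sample_passwd` with `cat /etc/passwd` and keep the dry-run output as the change record for the accounts that were expired.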
Mani_Np
HPE Pro

Re: Forcing password change

Hello,

Bill's suggestion looks apt for your environment.

Else you may try to convert the system to trusted and change the required parameters.

Regards,
Manikandan
I work for HPE


Mark Parsons
Valued Contributor

Re: Forcing password change

Hi,

The server concerned is trusted anyway.

I have run the following on the server as root:

passwd -f user-id

and also

/usr/lbin/modprpw -e user-id

Neither of them seems to work - the user-id concerned does not get asked to change the password on the next login!

(The only thing I can think of is the passwd and/or modprpw isn't taking effect because the root account that is using them has been gained by sudo from the actual user-id concerned)