
Re: Problem changing password

 
wvsa
Regular Advisor

Problem changing password

Good afternoon all;

We are running 11iv3 using a shadow file and the /etc/default/security file. In the security file we have the following requirements for a password:

# Optional restrictions for new passwords
# PASSWORD_MIN_UPPER_CASE_CHARS=0
# PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
# PASSWORD_MIN_SPECIAL_CHARS=2


This morning upon logging into one of our servers I was asked to change my password. I chose the following password: seek@him1

The seek@him1 password produced the following message:

New password:
The password entered is not valid. Valid passwords must contain at least:
0 upper case character(s),
0 lower case character(s),
1 digit(s), and
1 special character(s).





Too many failures - try later.


In a nutshell, it never accepted the seek@him1 password. Why would that be?

Thank you for your input

Norm
9 REPLIES
Steven Schweda
Honored Contributor

Re: Problem changing password

stty -a

Is "@" a special character?

A Forum search for keywords like, say,

passwd stty

should find many old discussions of this
problem.
James R. Ferguson
Acclaimed Contributor
Solution

Re: Problem changing password

Hi Norm:

The "@" character is treated as kill (or erase the line) control. Don't use it with login passwords. See the manpages for 'getty(1M)' and 'passwd(1)' for more information.

Regards!

...JRF...
Steven Schweda
Honored Contributor

Re: Problem changing password

> The "@" character is treated as kill (or
> erase the line) control. [...]

Not everywhere. Some of us arrange for less
user-hostile behavior (and better
compatibility with every sane UNIX(-like)
system on the planet).

dyi # uname -a
HP-UX dyi B.11.31 U ia64 4235313755 unlimited-user license

dyi # stty -a
speed 9600 baud; line = 0;
rows = 0; columns = 0
min = 1; time = 0;
intr = ^C; quit = ^\; erase = DEL; kill = ^U
eof = ^D; eol = ^@; eol2 ; swtch
stop = ^S; start = ^Q; susp = ^Z; dsusp = ^Y
werase ; lnext
[...]
Bill Hassell
Honored Contributor

Re: Problem changing password

There are 2 special characters in HP-UX that cannot be used before you login. The # and @ are predefined prior to login as backspace and line cancel. While there is an obscure way to change these values, never use @ or # in a password for HP-UX and you won't have problems.

Special characters are always a problem on any system. Trying to figure out which ones will be a problem is not easy. After you login, your local profile will set # to a backspace and @ to the cancel character CTRL-u.


Bill Hassell, sysadmin
Dennis Handly
Acclaimed Contributor

Re: Problem changing password

>Bill: After you login, your local profile will set # to a backspace and @ to the cancel character CTRL-u.

A better way to say this is:
set erase to a backspace and line kill to CTRL-U.
sachit patil
Regular Advisor

Re: Problem changing password

Please Use Seek@him1.
Steven Schweda
Honored Contributor

Re: Problem changing password

> Please Use Seek@him1.

Please explain why.
wvsa
Regular Advisor

Re: Problem changing password

All;

Thank you for your responses. Sorry to say still a bit confused. Seems like I'm seeing two different opinions/options. One group saying using Seek@him1 will work. Yet as was stated the man page for passwd indicates the # and @ values are not to be used, so it seems that the seek@him1 password is not a good choice.

The other problem is what other characters other than # and @ should we avoid. Seems like the best option is skip the special character option. Our auditors would prefer we allow special characters. So, rambling a bit, what special characters can we use in a password and how to communicate these values to the users?

Any and all input welcomed!!


Thank you


Norm
Bill Hassell
Honored Contributor

Re: Problem changing password

> seek@him1

This will never work on a standard HP-UX system as a username or a password. My comments above concerning the driver defaults apply to all versions of HP-UX going back some 20 years. For versions of HP-UX after 10.20, you can use /dev/ttyconf as a method to set new defaults for the driver. The details are explained here:

http://docs.hp.com/en/5992-6579/ch02s03.html

This will allow you to use @ and # in passwords on this particular machine. If you have just one HP-UX box in your company then this is a good solution. Otherwise, you'll need to modify /etc/inittab on all the HP-UX boxes plus remember to modify any new boxes that are put into service.

HOWEVER: most companies have more than one computer, boxes like PCs, Macs, Oracle-Solaris, AIX, Linux, and so on. Now if your auditors require different passwords on each machine, then once you find out all the limitations for special characters for each of these machines, you can create different passwords that will work on each machine.

If this sounds very complicated, you are correct. Some auditors simply do not know the impact of a requirement such as mandatory special characters. System administrators will go crazy with all the phone calls about passwords that don't work. If the auditor's rules only apply to HP-UX, then use the above example and fix all your systems.

Or be prepared to collect a list of all the forbidden characters from all the machines and then teach classes to all your users about which characters cause problems on the different machines.


Bill Hassell, sysadmin
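
Added example (not part of any post in this thread): a POSIX shell check that reads `stty -a` text, extracts the erase and kill settings, and reports which characters of a candidate password the terminal would consume as line-editing controls. The function names and both sample settings strings are constructed for illustration; the pre-login sample follows the # and @ defaults described in the replies above.

```sh
#!/bin/sh
# Added example: flag password characters that the tty line discipline
# would consume as erase/kill before login ever sees them.

# Constructed sample: pre-login defaults as described in the thread (# and @).
PRELOGIN_STTY='intr = ^C; quit = ^\; erase = #; kill = @'
# Constructed sample modelled on the stty -a output quoted in the thread.
POSTLOGIN_STTY='speed 9600 baud; line = 0;
intr = ^C; quit = ^\; erase = DEL; kill = ^U
eof = ^D; eol = ^@'

# tty_cc NAME: read `stty -a` text on stdin, print the setting for NAME.
tty_cc() {
    tr ';' '\n' | sed -n "s/^ *$1 = \([^ ]*\).*/\1/p" | head -n 1
}

# pw_conflicts CANDIDATE ERASE KILL: print the characters of CANDIDATE
# that match a printable erase or kill setting.
pw_conflicts() {
    for cc in "$2" "$3"; do
        # ^U, ^H, DEL and similar are notations for control codes, not
        # characters a user types into a password; only literals matter.
        [ "${#cc}" -eq 1 ] || continue
        case $1 in *"$cc"*) printf '%s' "$cc" ;; esac
    done
    echo
}

# check_password CANDIDATE STTY_TEXT: print "ok" or "conflict:<chars>".
check_password() {
    erase_cc=$(printf '%s\n' "$2" | tty_cc erase)
    kill_cc=$(printf '%s\n' "$2" | tty_cc kill)
    bad=$(pw_conflicts "$1" "$erase_cc" "$kill_cc")
    if [ -n "$bad" ]; then echo "conflict:$bad"; else echo "ok"; fi
}

check_password 'seek@him1' "$PRELOGIN_STTY"    # conflict:@
check_password 'seek@him1' "$POSTLOGIN_STTY"   # ok
# On a live session: check_password "$candidate" "$(stty -a)"
```

The same candidate passes against the post-login settings and fails against the pre-login ones, which is why a password can be accepted in one context and rejected at the login prompt.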