password on hpux 11i (576 Views)
Super Advisor
Shivkumar
Posts: 1,207
Registered: ‎05-22-2005
Message 1 of 9 (576 Views)
Accepted Solution

password on hpux 11i

Is there any command to find out when the password would be expired on hpux 11i?

Thanks,
Shiv
Honored Contributor
Joseph Loo
Posts: 1,981
Registered: ‎10-23-2000
Message 2 of 9 (576 Views)

Re: password on hpux 11i

hi,

trusted or non-trusted system?


regards.
what you do not see does not mean you should not believe
Respected Contributor
saju_2
Posts: 194
Registered: ‎06-23-2005
Message 3 of 9 (576 Views)

Re: password on hpux 11i

Hi shiv

In a trusted system password expiry can be found out from sam

sam...auditing and security...system security policy...password aging policy...password expiration time

Regards
CS
Trusted Contributor
morganelan
Posts: 283
Registered: ‎02-21-2003
Message 4 of 9 (576 Views)

Re: password on hpux 11i

Hi,
Did you create user with Password Option: Enable Password Aging? If so you can see it through sam->account for users and groups --> users:
To set up password aging policies using SAM:

1. Highlight System Securities Policies.
2. Highlight Password Aging Policies. The Password Aging Policies screen is displayed.
3. Set Password Aging to Enabled. The Enable Password Aging screen is displayed.
4. Select appropriate options by using the arrow keys to highlight them and typing appropriate options.
5. Set the Time Between Password Changes (in days). This sets the minimum time a user must have a password to prevent users from changing their passwords and then changing it back again to the old one.
6. Specify the Password Expiration Time (in days). The expiration time of a password specifies a time after which a user must change the password.
7. Indicate the Password Warning Time (in days). This is when to start sending warning messages to the user that they will need to change their password soon.
8. Specify the Password Lifetime (in days). The lifetime specifies the time at which the account associated with that password is locked. Once locked, the password must be changed before the person can log in.
9. Select OK to accept these values.
Kamal Mirdad
Honored Contributor
Mel Burslan
Posts: 3,214
Registered: ‎08-26-1998
Message 5 of 9 (576 Views)

Re: password on hpux 11i

for trusted systems:

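USER=someusername
# first letter of the user name selects the /tcb/files/auth subdirectory
U=$(echo $USER | cut -c 1)
# current time in seconds since the epoch
current_time=$(/opt/perl/bin/perl -e "print time")
# password expiration time in days, converted to seconds
exp=$(logins -x -l $USER | tail -1 | awk '{print $4}')
((exp_time = exp * 86400))
# time of last successful password change (u_succhg), seconds since the epoch
last_change=$(grep u_succhg /tcb/files/auth/$U/$USER | \
awk -F "u_succhg#" ' {print $2}' |\
awk -F ":" ' {print $1}' )

((exp_date = last_change + exp_time))
((time_left = exp_date - current_time))
((days_left = time_left / 86400))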


there is a way to do this on non-trusted systems but I can not find the script to do it. But basically last 3 characters of encrypted password is ,XX where XX is two ascii characters and their ascii value with some calculation that I can not remember, equals to the last password change. Then you have to make a date calculation with Clay's caljd.sh script. It is late in the evening and my brain quit working.

Hope this much helps.
________________________________
UNIX because I majored in cryptology...
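
For the non-trusted case, the following is an added example, not part of the original posts or the script mentioned above. It decodes the aging suffix that passwd(4) describes for the password field (",Mmww": maximum weeks, minimum weeks, then the week of the last change counted from 1970, in the ./0-9A-Za-z digit set). The function name `pw_age`, the sample password field and the end-of-week expiry rule are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decode the password-aging suffix of a
# non-trusted /etc/passwd password field, ",Mmww" as described in passwd(4).
# Digits use the 64-character set ./0-9A-Za-z with values 0..63.
A64='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# pw_age PWFIELD NOW_EPOCH   (hypothetical helper name)
# Prints "max_weeks min_weeks last_change_week days_left",
# "noaging" when the field carries no comma, or "malformed" when the
# suffix is too short or holds a character outside the digit set.
pw_age() {
    printf '%s\n' "$1" | awk -v now="$2" -v a64="$A64" '
    function val(c) { return index(a64, c) - 1 }
    {
        p = index($0, ",")
        if (p == 0) { print "noaging"; exit }
        age = substr($0, p + 1)
        if (length(age) < 2) { print "malformed"; exit }
        for (i = 1; i <= length(age); i++)
            if (val(substr(age, i, 1)) < 0) { print "malformed"; exit }
        max = val(substr(age, 1, 1))      # M: maximum weeks a password is valid
        min = val(substr(age, 2, 1))      # m: minimum weeks between changes
        # Remaining characters: week of last change, least significant
        # digit first (the a64l(3C) convention).
        week = 0; mult = 1
        for (i = 3; i <= length(age); i++) {
            week += val(substr(age, i, 1)) * mult
            mult *= 64
        }
        # Assumption: the password stays valid through the end of week
        # (last change + max), so the result has week granularity.
        expiry = (week + max + 1) * 604800
        printf "%d %d %d %d\n", max, min, week, int((expiry - now) / 86400)
    }'
}

# Constructed sample field: invented hash, suffix B/6Q = max 13, min 1, week 1800.
pw_age 'abJnggxhB/yWI,B/6Q' 1091836800
```

On a live system the first argument would be the second field of the user's /etc/passwd line and the second the current epoch time, for example from the perl one-liner used elsewhere in this thread.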
Honored Contributor
Joseph Loo
Posts: 1,981
Registered: ‎10-23-2000
Message 6 of 9 (576 Views)

Re: password on hpux 11i

for trusted, refer to this:

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000080092170

regards.
what you do not see does not mean you should not believe
Honored Contributor
Joseph Loo
Posts: 1,981
Registered: ‎10-23-2000
Message 7 of 9 (576 Views)

Re: password on hpux 11i

for non-trusted, refer to this:

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000067130219

regards.
what you do not see does not mean you should not believe
Honored Contributor
Mahesh Kumar Malik
Posts: 864
Registered: ‎11-29-1998
Message 8 of 9 (576 Views)

Re: password on hpux 11i

Hi Shiv

Documents provided by Joseph give reasonably good explanation on password expiry for trusted and non-trusted systems.

On trusted systems, you can set up password aging through SAM

Regards
Mahesh
Esteemed Contributor
Cem Tugrul
Posts: 964
Registered: ‎12-21-2003
Message 9 of 9 (576 Views)

Re: password on hpux 11i

Shiv,
it depends on trusted or non_trusted as Joseph's description and links...

On the other hand, a few months ago I asked a
question about the password concept at the link below
and got very important information:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=854273

Now, my passwd policies are working properly.
Also, I do not remember the author of the script below, which gives very useful
information about my users' passwd policy:

#!/usr/bin/sh
# Show users in a trusted system whose passwords are about to expire
# Reset the u_succhg (spwchg) last successful password change time

set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin

integer exp_time
integer exp_date
integer current_time
integer last_change
integer time_left
integer days_left
integer seconds_per_day=86400
integer system_wide_aging
integer user_aging

NOTTRUSTED=/sbin/true
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

system_wide_aging=$(/usr/lbin/getprdef -r -m exptm)
if [ $system_wide_aging -eq 0 ]
then
    print "System wide password aging is disabled.\n"
else
    print "System wide password aging is enabled.\n"
fi

for USER in $(listusers | awk '{print $1}')
do
    user_aging=$(/usr/lbin/getprpw -r -m exptm $USER)
    if [ $user_aging -eq "0" ]
    then
        print "\nUser $USER does not have password aging enabled."
        continue
    fi

    if [ $system_wide_aging -eq 0 ]
    then
        if [ $user_aging -eq "-1" ]
        then
            print "\nUser $USER does not have password aging enabled."
            continue
        fi
    fi

    U=$(echo $USER|cut -c 1)

    exp=$(logins -x -l $USER | tail -1 | awk '{print $4}')
    ((exp_time = exp * 86400))
    current_time=$(/opt/perl/bin/perl -e "print time")

    passwd_changed=$(grep u_succhg /tcb/files/auth/$U/$USER)
    if [ $? = 1 ]
    then
        print "\nUser $USER does not have valid last successful password"
        print "change date. This can happen if tsconvert is used on"
        print "the command line to convert the system, instead of SAM."
        continue
    fi

    last_change=$(grep u_succhg /tcb/files/auth/$U/$USER | \
        awk -F "u_succhg#" ' {print $2}' |\
        awk -F ":" ' {print $1}' )

    ((exp_date = last_change + exp_time))
    ((time_left = exp_date - current_time))
    ((days_left = time_left / seconds_per_day))

    last_change_date=$(getprpw -r -m spwchg $USER)
    expire_date=$(echo 0d${exp_date}=Y | adb | cut -c 3-13)

    if [ $days_left -gt 1 ]
    then
        print "\nUser $USER has $days_left days left until password expires"
        print "User $USER last changed the password on: $last_change_date."
        print "User $USER - password will expire on: $expire_date."
    else
        print "\nUser $USER: password will expire within one day."
        # modprpw -l -v $USER
    fi
done

exit 0

Good Luck,
Our greatest duty in this life is to help others. And please, if you can't