Solaris

I couldnt find this in any other post - so hoping someone can help out.

I want to set password expiry (or rather I have to) for a number of users on my solaris 9 system. I know i can set the following options in the /etc/default/passwd file to do it and then just type a passwd -f <username> to force the user to change password next login and therefore get the new settings...
MAXWEEKS=8
PASSLENGTH=8
WARNWEEKS=1
HISTORY=5


But... I want to exclude some users from password expiry - such as the root user and a few other user accounts...
Some of these accounts are vital for access and also have some vital cron jobs running so I would never want someone to go on holiday for weeks and the account to expire and cause a service issue etc...

Can I do this and if so how?

use `passwd -x -1 username` for root and any other accounts that do not need password expiration.

from `man passwd`

Code:

 -x max        Sets maximum field for name. The  max  field
                  contains  the  number of days that the pass-
                  word is valid for name. The aging for nameis
                  turned off immediately if max is set to -1.

This works but is only temporary it seems...
ie. for root user

# cat /etc/shadow | grep root
root:39puDXN0kwb.A:14024::56:7:::

# passwd -x -1 root
passwd: password information changed for root

# cat /etc/shadow | grep root
root:39puDXN0kwb.A:14024::::::


If I then log in as root and decide its time to update the password and change it as below - then expiry settings are re-enabled... if the person who changes root password isnt aware of this - then the account will expire at some stage...

-bash-3.00# passwd
passwd: Changing password for root
New Password:
Re-enter new Password:
passwd: password successfully changed for root
-bash-3.00# cat /etc/shadow | grep root
root:rJHLs0/lIsnEE:14025::56:7:::


Is there anyway to avoid this happening?

No, of course not- that's the whole idea of /etc/default/passwd, it sets the default rules for everyone's passwords. You cannot have it both ways. I gave you the method with the least work- you will still have to override the passwd settings of each user that is to not have an expiring password.

Thanks.. hope I didnt seem ungrateful for your advice..

As its the root user - what do you normally do?
If the expiry is set on the root account and someone changes the password without knowing they have just activated the expiry settings also..

My problem is that the root account is not used v.often - only in the event a system reboot is required etc - a few times a year at most... So its very possible that someone will change the password (security reasons only) and not log in again as root user for 4-5 months.. by this time the account could have expired..

Will the root account be locked or will the user still be allowed/prompted to change password?


ie. my default passwd file contains the following:
MAXWEEKS=8
PASSLENGTH=8
WARNWEEKS=1
HISTORY=5


If someone change password - in 56 days the password will expire with 7 days warning. If no-one has logged in as root in those 7 days - what happens? is the account then expired and cannot be used at all?

Well I don't use password expiration, I use RSA tokens.

Create a job in root's crontab to run the override for root's account once a month. That should be enough to keep root's account unlocked forever.

Or you could use a script like I did and run it from cron.
This is the script that I wrote.
https://www.unix.com/302100435-post4.html