|
|
Sponsored Content
Operating Systems
Solaris
password expiration
Post 302157464 by abdulaziz on Friday 11th of January 2008 03:20:51 AM
01-11-2008
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi,
Anyone know the command which identifies how long a user has before their password expires?
I also need to know how I would write and expr to calculate the difference between 2 dates.
e.g. 28/03/05 - 18/03/05 = 10
I was told there is a date function which shows you no of days since... (1 Reply)
Discussion started by: sureshy
1 Replies
2. HP-UX
We are trying to implement an Password Aging system that will force UNIX Accounts to change their passwords every 3 mons or so. This will be done my our Server Support Provider.
We want to identify UNIX IDs that connects to our server via ftp,scp,sftp and other special connection protocols. IN... (2 Replies)
Discussion started by: tads98
2 Replies
3. AIX
Hi All,
I am using AIX
I need to get the Unix "password Expiration Days".
I know that "shadow" file contains this information. But shadow file can only be read by root.
Note that password expiration date will be set differently for diferrent user accounts. I need to get the inormation for... (0 Replies)
Discussion started by: raj_vkr
0 Replies
4. Linux
Hi All,
I have this user on my /etc/shadow:
mysql:$1$vmw4r078$4.lp6z2s0KJYHKXTuPG2x0:13556:0::12:::
The 5 column is blank. Does it mean the user has no password expiration.
Thanks in advance for any idea. (1 Reply)
Discussion started by: itik
1 Replies
5. Solaris
Hello,
I am using Solaris 10 with CDE and like to change the behaviour of the login process.
I have a user account that is configured for password aging.
Currently, when his password expires, CDE prompts him to change his password when login in.
What I'd like is that the user cannot... (5 Replies)
Discussion started by: gorfou
5 Replies
6. AIX
Hi guys,
A simple question. which mecanism send an email to an unix user for the expiration of his password?
Thank you! (4 Replies)
Discussion started by: Chapel
4 Replies
7. UNIX for Advanced & Expert Users
Hello,
I want to write a script to check for the password expiration date in each server for the user by logging to each server and notify user through mail. If password is about to expire or if already expired , it should also be notified to user by mail. Any help or idea to build this will be... (1 Reply)
Discussion started by: baraghun
1 Replies
8. AIX
Hi Admins,
AIX 5.3
I know maxage value tells the system about password expiration policy.
One of the user's maxage is 5 weeks.But he changed the password long backup at 2008 according to lastupdate value.
Since maxage is 5, the password should expire every 5 weeks.But how come... (4 Replies)
Discussion started by: newaix
4 Replies
9. Ubuntu
Hello Team,
I am using Lubuntu & have DRBL remote boot setup with open Ldap authentication. Currently there is no password expire policy. I want to set Password Policy so that user's password will expire after a month & they will get prompt to change their password.
Using PAM we can do it,... (1 Reply)
Discussion started by: paragnehete
1 Replies
10. Shell Programming and Scripting
Dear Concern,
I want to write a shell script in linux for mail notification of users whose password is about to expire within 7 days or already has expired. Is there any alternative way except to check the "date" command output and compare it with "chage -l username" command output. Please... (1 Reply)
Discussion started by: makauser
1 Replies
LEARN ABOUT SUNOS
passwd
passwd(1) passwd(1) NAME
passwd - change login password and password attributes SYNOPSIS
passwd [-r files | -r ldap | -r nis | -r nisplus] [name] passwd [ -r files] [-egh] [name] passwd [ -r files] -s [-a] passwd [ -r files] -s [name] passwd [ -r files] [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name passwd -r ldap [-egh] [name] passwd -r nis [-egh] [name] passwd -r nisplus [-egh] [-D domainname] [name] passwd -r nisplus -s [-a] passwd -r nisplus [-D domainname] -s [name] passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn] [-x max] [-D domainname] name The passwd command changes the password or lists password attributes associated with the user's login name. Additionally, privileged users can use passwd to install or change passwords and attributes associated with any login name. When used to change a password, passwd prompts everyone for their old password, if any. It then prompts for the new password twice. When the old password is entered, passwd checks to see if it has "aged" sufficiently. If "aging" is insufficient, passwd terminates; see pwconv(1M), nistbladm(1), and shadow(4) for additional information. When LDAP, NIS, or NIS+ is in effect on a system, passwd changes the NIS or NIS+ database. The NIS or NIS+ password can be different from the password on the local machine. If NIS or NIS+ is running, use passwd -r to change password information on the local machine. The pwconv command creates and updates /etc/shadow with information from /etc/passwd. pwconv relies on a special value of 'x' in the pass- word field of /etc/passwd. This value of 'x' indicates that the password for the user is already in /etc/shadow and should not be modified. If aging is sufficient, a check is made to ensure that the new password meets construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new pass- word is repeated for, at most, two more times. Passwords must be constructed to meet the following requirements: o Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters. o Each password must meet the configured complexity constraints specified in /etc/default/passwd. o Each password must not be a member of the configured dictionary as specified in /etc/default/passwd. o For accounts in name services which support password history checking, if prior password history is defined, new passwords must not be contained in the prior password history. If all requirements are met, by default, the passwd command consults /etc/nsswitch.conf to determine in which repositories to perform pass- word update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries are updated. How- ever, the password update configurations supported are limited to the following cases. Failure to comply with the configurations prevents users from logging onto the system. The password update configurations are: o passwd: files o passwd: files ldap o passwd: files nis o passwd: files nisplus o passwd: compat (==> files nis) o passwd: compat (==> files ldap) passwd_compat: ldap o passwd: compat (==> files nisplus) passwd_compat: nisplus Network administrators, who own the NIS+ password table, can change any password attributes. In the files case, super-users (for instance, real and effective uid equal to 0, see id(1M) and su(1M)) can change any password. Hence, passwd does not prompt privileged users for the old password. Privileged users are not forced to comply with password aging and password construction requirements. A privileged user can create a null password by entering a carriage return in response to the prompt for a new password. (This differs from passwd -d because the "password" prompt is still displayed.) If NIS is in effect, superuser on the root master can change any password without being prompted for the old NIS passwd, and is not forced to comply with password construction requirements. Normally, passwd entered with no arguments changes the password of the current user. When a user logs in and then invokes su(1M) to become super-user or another user, passwd changes the original user's password, not the password of the super-user or the new user. Any user can use the -s option to show password attributes for his or her own login name, provided they are using the -r nisplus argument. Otherwise, the -s argument is restricted to the superuser. The format of the display is: name status mm/dd/yy min max warn or, if password aging information is not present, name status where name The login ID of the user. status The password status of name. The status field can take the following values: PS This account has a password. NL This account is a no login account. See Security. LK This account is locked account. See Security. NP This account has no password and is therefore open without authentication. mm/dd/yy The date password was last changed for name. All password aging dates are determined using Greenwich Mean Time (Universal Time) and therefore can differ by as much as a day in other time zones. min The minimum number of days required between password changes for name. MINWEEKS is found in /etc/default/passwd and is set to NULL. max The maximum number of days the password is valid for name. MAXWEEKS is found in /etc/default/passwd and is set to NULL. warn The number of days relative to max before the password expires and the name are warned. Security passwd uses pam(3PAM) for password change. It calls PAM with a service name passwd and uses service module type auth for authentication and password for password change. Locking an account (-l option) does not allow its use for password based login or delayed execution (such as at(1), batch(1), or cron(1M)). The -N option can be used to disallow password based login, while continuing to allow delayed execution. The following options are supported: -a Shows password attributes for all entries. Use only with the -s option. name must not be provided. For the nisplus reposi- tory, this shows only the entries in the NIS+ password table in the local domain that the invoker is authorized to "read". For the files repository, this is restricted to the superuser. -D domainname Consults the passwd.org_dir table in domainname. If this option is not specified, the default domainname returned by nis_local_directory(3NSL) are used. This domain name is the same as that returned by domainname(1M). -e Changes the login shell. For the files repository, this only works for the superuser. Normal users can change the ldap, nis, or nisplus repositories. The choice of shell is limited by the requirements of getusershell(3C). If the user currently has a shell that is not allowed by getusershell, only root can change it. -g Changes the gecos (finger) information. For the files repository, this only works for the superuser. Normal users can change the ldap, nis, or nisplus repositories. -h Changes the home directory. -r Specifies the repository to which an operation is applied. The supported repositories are files, ldap, nis, or nisplus. -s name Shows password attributes for the login name. For the nisplus repository, this works for everyone. However for the files repository, this only works for the superuser. It does not work at all for the nis repository which does not support pass- word aging. Privileged User Options Only a privileged user can use the following options: -d Deletes password for name and unlocks the account. The login name is not prompted for password. It is only applicable to the files repository. -f Forces the user to change password at the next login by expiring the password for name. -l Locks password entry for name. See the -d or -u option for unlocking the account. -N Makes the password entry for name a value that cannot be used for login, but does not lock the account. See the -d option for removing the value, or to set a password to allow logins. -n min Sets minimum field for name. The min field contains the minimum number of days between password changes for name. If min is greater than max, the user can not change the password. Always use this option with the -x option, unless max is set to -1 (aging turned off). In that case, min need not be set. -u Unlocks a locked password for entry name. See the -d option for removing the locked password, or to set a password to allow logins. -w warn Sets warn field for name. The warn field contains the number of days before the password expires and the user is warned. This option is not valid if password aging is disabled. -x max Sets maximum field for name. The max field contains the number of days that the password is valid for name. The aging for nameis turned off immediately if max is set to -1. The following operand is supported: name User login name. If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are not set in the environment, the operational behavior of passwd for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables is set in the environment, the "C" (U.S. style) locale determines how passwd behaves. LC_CTYPE Determines how passwd handles characters. When LC_CTYPE is set to a valid value, passwd can display and handle text and filenames containing valid characters for that locale. passwd can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. passwd can also handle EUC characters of 1, 2, or more column widths. In the "C" locale, only characters from ISO 8859-1 are valid. LC_MESSAGES Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the "C" locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English). The passwd command exits with one of the following values: 0 Success. 1 Permission denied. 2 Invalid combination of options. 3 Unexpected failure. Password file unchanged. 4 Unexpected failure. Password file(s) missing. 5 Password file(s) busy. Try again later. 6 Invalid argument to option. 7 Aging option is disabled. 8 No memory. 9 System error. 10 Account expired. /etc/default/passwd Default values can be set for the following flags in /etc/default/passwd. For example: MAXWEEKS=26 DICTIONDBDIR The directory where the generated dictionary databases reside. Defaults to /var/passwd. If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check. DICTIONLIST DICTIONLIST can contain list of comma separated dictionary files such as DICTIONLIST=file1, file2, file3. Each dictio- nary file contains multiple lines and each line consists of a word and a <NEWLINE> character (similar to /usr/share/lib/dict/words.) You must specify full pathnames. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word. If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check. To prebuild the dictionary database, see mkpwdict(1M). HISTORY Maximum number of prior password history to keep for a user. Setting the HISTORY value to zero(0), or removing the flag, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define the HISTORY flag. The maximum value is 26. Currently, this functionality is enforced only for user accounts defined in the "files" name service (local passwd(4)/shadow(4)). MAXREPEATS Maximum number of allowable consecutive repeating characters. If MAXREPEATS is not set or is zero(0), the default is no checks MAXWEEKS Maximum time period that password is valid. MINALPHA Minimum number of alpha character required. If MINALPHA is not set, the default is 2. MINDIFF Minimum differences required between an old and a new password. If MINDIFF is not set, the default is 3. MINDIGIT Minimum number of digits required. If MINDIGIT is not set or is set to zero(0), the default is no checks. You cannot be specify MINDIGIT if MINNONALPHA is also specified. MINLOWER Minimum number of lower case letters required. If not set or zero(0), the default is no checks. MINNONALPHA Minimum number of non-alpha (including numeric and special) required. If MINNONALPHA is not set, the default is 1. You cannot specify MINNONALPHA if MINDIGIT or MINSPECIAL is also specified. MINWEEKS Minimum time period before the password can be changed. MINSPECIAL Minimum number of special (non-alpha and non-digit) characters required. If MINSPECIAL is not set or is zero(0), the default is no checks. You cannot specify MINSPECIAL if you also specify MINNONALPHA. MINUPPER Minimum number of upper case letters required. If MINUPPER is not set or is zero(0), the default is no checks. NAMECHECK Enable/disable checking or the login name. The default is to do login name checking. A case insensitive value of "no" disables this feature. PASSLENGTH Minimum length of password, in characters. WARNWEEKS Time period until warning of date of password's ensuing expiration. WHITESPACE Determine if whitespace characters are allowed in passwords. Valid values are YES and NO. If WHITESPACE is not set or is set to YES, whitespace characters are allowed. /etc/oshadow Temporary file used by passwd, passmgmt and pwconv to update the real shadow file. /etc/passwd Password file. /etc/shadow Shadow password file. /etc/shells Shell database. See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWcsu | +-----------------------------+-----------------------------+ |CSI |Enabled | +-----------------------------+-----------------------------+ |Interface Stability |See below. | +-----------------------------+-----------------------------+ The human readable output is Unstable. The options are Evolving. at(1), batch(1), finger(1), login(1), nistbladm(1), orcron(1M), domainname(1M), eeprom(1M), id(1M), mkpwdict(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C), getusershell(3C), nis_local_directory(3NSL), pam(3PAM), loginlog(4), nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), shadow(4), shells(4), attributes(5), environ(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5) The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_ses- sion(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5). The nispasswd and ypasswd commands are wrappers around passwd. Use of nispasswd and ypasswd is discouraged. Use passwd -r repository_name instead. NIS+ might not be supported in future releases of the Solaris Operating Environment. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment. For more information, visit http://www.sun.com/directory/nisplus/transition.html. Changing a password in the files repository clears the failed login count. 8 Mar 2005 passwd(1)