Basically there are several different versions of HP-UX; this script is for a particular version that is non-trusted but also does not use any shadow files. This one is a little harder to do.
Usually the time stamp of the last password change is stored as an epoch number in the shadow file; for non-shadow untrusted servers the only clue is the date in the third field from the "passwd -s" command.
#passwd -s sparcguy
sparcguy PS 06/02/11 0 91
06/02/11: this date, I believe, is stored in the encrypted password, in the format month/day/year.
I'm using a Perl function, str2time(), which can convert dates to epoch numbers but takes the format year(xxxx)/month(xx)/day(xx).
It will not work without this Perl str2time module, so you need to check under "HTTP : Date" whether you have the module installed, and if not you have to download it.
So to get this to work we first need to do a little formatting of the date.
As usual the description field of your userid must contain an email in the form of +email@domain.com
Interesting script.
Beware that the "last changed" date is always a Thursday regardless of when the user actually changed their password. Thus if I changed my password today, Fri 15/07/11, the "last changed" date is Thu 14/07/11. Thus it is better to have expiry as a multiple of 7 days, e.g. 63 rather than 60, because on the second and subsequent change the expiry date becomes predictable.
Any accounts with non-expiring passwords have zeros in the "last changed" date.
For non-expiring passwords, in our environment that's usually an application userid. For such ids we do not have any password aging policies against them, and we also do not insert an email address in the description field, i.e. +<email>@domain.
How the script knows to differentiate between a real user and an application is by the email address. You must put email addresses for real users. The script first greps any line in /etc/passwd that has an "\@" symbol and gets a list of the real users; this filters out any application userids. From there the script checks and calculates each id in the "grepped" list.
The convention for holding multiple fields in the comment field is to separate them with comma characters.
If you start with the output from "logins -xto", all your required fields for a user are available in one colon-delimited line, thereby removing the need to search the passwd file umpteen times.
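The calculation discussed in this thread, as an added example that is not the poster's script: it reads the mm/dd/yy date from a "passwd -s" line, skips ids without an email address or with a zeroed date, and reports the days left. It uses the core Time::Local module instead of str2time(); the sample lines, the sub names, the 20xx reading of two-digit years, the 00/00/00 form of a zeroed date and the 60-day window are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(floor);
use Time::Local qw(timegm);

# Parse one `passwd -s` line: "name status mm/dd/yy min max".
# Returns nothing when the line carries no usable aging data.
sub parse_passwd_s {
    my ($line) = @_;
    my ($user, $status, $date, $min, $max) = split ' ', $line;
    return unless defined $max && $max =~ /^\d+$/;
    my ($mm, $dd, $yy) = $date =~ m{^(\d\d)/(\d\d)/(\d\d)$} or return;
    return if $mm == 0 || $dd == 0;    # zeroed date: no aging (assumed form)
    # Assumption: two-digit years mean 20xx. eval traps impossible dates.
    my $changed = eval { timegm(0, 0, 0, $dd, $mm - 1, 2000 + $yy) };
    return unless defined $changed;
    return { user => $user, changed => $changed, max => $max };
}

# Whole days from $now until the password expires (negative once expired).
sub days_left {
    my ($rec, $now) = @_;
    return floor(($rec->{changed} + $rec->{max} * 86400 - $now) / 86400);
}

# Address after "+" in the description (5th) field of an /etc/passwd line.
sub gecos_email {
    my ($gecos) = (split /:/, $_[0])[4];
    return defined $gecos && $gecos =~ /\+([^\s,:]+\@[^\s,:]+)/ ? $1 : undef;
}

# Constructed sample data: user => [ /etc/passwd line, `passwd -s` line ].
my %sample = (
    sparcguy => ['sparcguy:*:101:20:Sparc Guy,+sparcguy@domain.com:/home/sparcguy:/usr/bin/sh',
                 'sparcguy PS 06/02/11 0 91'],
    jdoe     => ['jdoe:*:103:20:J Doe,+jdoe@domain.com:/home/jdoe:/usr/bin/sh',
                 'jdoe PS 00/00/00 0 0'],
    appuser  => ['appuser:*:102:20:Batch application:/home/appuser:/usr/bin/sh',
                 'appuser PS 00/00/00 0 0'],
);

my $now  = timegm(0, 0, 0, 15, 6, 2011);    # fixed "today", 15 Jul 2011, for a repeatable run
my $warn = 60;                               # hypothetical warning window, in days
for my $user (sort keys %sample) {
    my ($pw_line, $aging_line) = @{ $sample{$user} };
    my $email = gecos_email($pw_line)       or next;    # application id: no address
    my $rec   = parse_passwd_s($aging_line) or next;    # no aging on this account
    my $left  = days_left($rec, $now);
    printf "%s <%s>: %d day(s) left\n", $user, $email, $left if $left <= $warn;
}
```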