Re: password aging with solaris
> We have the need to implement password aging within our Solaris
> environment using NIS (not NIS+). We understand we can do this
> with local /etc/shadow files, but this is impractical and we
> want to do this with NIS. Sun states "officially" this can't be
> done using normal aging within straight NIS.
>
We are using password aging with NIS on HP-UX (9 and 10) and AIX (4.1).
I just verified it also works on SGI's IRIX 6.2 with NIS but don't know
about Solaris.
It is implemented by putting a comma after the password field and then
characters representing the expiration time, minimum time before
change and time of last change.
We start out with a ",O." which expires after 6 months and is currently
expired (forces a change at next login). My current test entry looks like:
test:abcdefghijklj,O.LL:200:200:test:/h/test:/bin/ksh
Excerpt from the manual:
The characters used to represent "digits" are . for 0, / for 1, 0
through 9 for 2 through 11, A through Z for 12 through 37, and a
through z for 38 through 63.
Password aging is put in effect for a particular user if his encrypted
password in the password file is followed by a comma and a nonnull
string of characters from the above alphabet. (Such a string must be
introduced in the first instance by a superuser.) This string defines
the "age" needed to implement password aging.
The first character of the age, M, denotes the maximum number of weeks
for which a password is valid. A user who attempts to login after his
password has expired is forced to supply a new one. The next
character, m, denotes the minimum period in weeks that must expire
before the password can be changed. The remaining characters define
the week (counted from the beginning of 1970) when the password was
last changed (a null string is equivalent to zero). M and m have
numerical values in the range 0 through 63 that correspond to the 64-
character set of "digits" shown above. If m = M = 0 (derived from the
string . or ..), the user is forced to change his password next time
he logs in (and the "age" disappears from his entry in the password
file). If m > M (signified, for example, by the string ./), then only
a superuser (not the user) can change the password. Not allowing the
user to ever change the password is discouraged, especially on a
trusted system.
--
Mike Schwarz E-Mail: schwarz@learjet.com
UNIX Systems Administrator Phone: (316) 946-2168
Learjet Inc Fax: (316) 946-2809
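As an added example (not part of the posting above or of the quoted manual page), the following Python decodes and encodes the age suffix exactly as the manual describes it: the 64-character "digit" alphabet, the M and m digits, and the last-change week counted from the beginning of 1970, and then applies the expiry, minimum-age, forced-change and superuser-only rules to an entry on a given date. Beyond the manual text it assumes one thing: that the last-change week is written least-significant digit first, the order used by a64l(3)/l64a(3), which historically produced this field. The sample entry is the "test" line from the posting; the dates fed to it are constructed for illustration.

```python
"""Decode/encode the V7-style ",Mm<week>" password-aging suffix.

Added example, not code from the posting or the manual.  Assumption:
the last-change week is stored least-significant digit first, as with
a64l(3)/l64a(3); everything else follows the quoted passwd(5) text.
"""
import datetime

# '.'->0, '/'->1, '0'-'9'->2..11, 'A'-'Z'->12..37, 'a'-'z'->38..63.
# The index of a character in this string is its value.
AGE_DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = datetime.date(1970, 1, 1)


def digit_value(ch):
    """Value of one age digit; anything outside the alphabet is an error."""
    idx = AGE_DIGITS.find(ch)
    if idx < 0:
        raise ValueError("not an age digit: %r" % ch)
    return idx


def decode_weeks(digits):
    """Week count from the trailing digits (least significant first,
    assumption as noted above).  A null string means week 0."""
    total = 0
    for i, ch in enumerate(digits):
        total += digit_value(ch) * (64 ** i)
    return total


def encode_weeks(n):
    """Inverse of decode_weeks; 0 encodes as the null string, like l64a(3)."""
    if n < 0:
        raise ValueError("week count must be non-negative")
    out = ""
    while n:
        out += AGE_DIGITS[n % 64]
        n //= 64
    return out


def make_age(max_weeks, min_weeks, last_change_week=0):
    """Build the string a superuser appends after the comma, e.g. 'O.' for
    a 26-week maximum, no minimum, and a change forced at next login."""
    if not (0 <= max_weeks <= 63 and 0 <= min_weeks <= 63):
        raise ValueError("M and m must each fit in one digit (0..63)")
    return AGE_DIGITS[max_weeks] + AGE_DIGITS[min_weeks] + encode_weeks(last_change_week)


def parse_age(age):
    """Split an age string into (M, m, last_change_week).  A missing m
    counts as 0, which is why '.' and '..' mean the same thing."""
    if not age:
        raise ValueError("empty age string: no aging in effect")
    max_weeks = digit_value(age[0])
    min_weeks = digit_value(age[1]) if len(age) > 1 else 0
    return max_weeks, min_weeks, decode_weeks(age[2:])


def age_status(age, today):
    """Apply the manual's rules to one age string on a date (date object
    or 'YYYY-MM-DD' string).  Boundary choice: the password is still valid
    in the M-th week after the change and expires in the week after it."""
    if isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    max_weeks, min_weeks, last = parse_age(age)
    week_now = (today - EPOCH).days // 7
    return {
        "max_weeks": max_weeks,
        "min_weeks": min_weeks,
        "last_change_week": last,
        "last_change_date": (EPOCH + datetime.timedelta(weeks=last)).isoformat(),
        # m == M == 0 ('.' or '..'): change forced at next login
        "force_change": max_weeks == 0 and min_weeks == 0,
        # m > M (e.g. './'): only a superuser may change the password
        "superuser_only": min_weeks > max_weeks,
        # more than M weeks since the last change: login demands a new one
        "expired": week_now > last + max_weeks,
        # the user may change it only once the m-week minimum has passed
        "change_allowed": min_weeks <= max_weeks and week_now >= last + min_weeks,
    }


def parse_passwd_line(line):
    """Return (user, encrypted_password, age) from a passwd/NIS map line;
    age is '' when the entry carries no aging suffix."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    encrypted, _, age = fields[1].partition(",")
    return fields[0], encrypted, age


# The test entry quoted in the posting above.
SAMPLE_ENTRY = "test:abcdefghijklj,O.LL:200:200:test:/h/test:/bin/ksh"

if __name__ == "__main__":
    user, _, age = parse_passwd_line(SAMPLE_ENTRY)
    for day in ("1998-09-01", "1999-06-01"):   # constructed dates
        st = age_status(age, day)
        print(user, age, day, "expired" if st["expired"] else "valid",
              "last changed", st["last_change_date"])
```

Decoding the posted entry shows what the two trailing digits hold: "LL" is week 23 + 23*64 = 1495 from 1970, i.e. the password was last changed in the week of 1998-08-27, and with M = "O" = 26 it becomes stale 26 weeks later. The starting string ",O." carries no week digits, so the last change is week 0 and any login today finds it expired, which is the forced change the posting describes.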