Re: password aging with solaris
Password aging does not work with NIS. If it works on HP's they had to modify
it. I am pretty sure, though not positive, that it does not work with Solaris.
The information that it works with SGI's IRIX 6.2 is incorrect. Password aging
does not work on any IRIX OS including the new 6.5.
Michael Schwarz wrote:
> > We have the need to implement password aging within our Solaris
> > environment using NIS (not NIS+). We understand we can do this
> > with local /etc/shadow files, but this is impractical and we
> > want to do this with NIS. Sun states "officially" this can't be
> > done using normal aging within straight NIS.
> >
>
> We are using password aging with NIS on HP-UX(9 and 10) and AIX(4.1).
> I just verified it also works on SGI's IRIX 6.2 with NIS but don't know
> about Solaris.
>
> It is implemented by putting a , after the password field and then
> characters representing the expiration time, minimum time before
> change and time of last change.
>
> We start out with a ,O. which expires after 6 months and is currently
> expired (forces a change at next login). My current test entry looks like:
>
> test:abcdefghijklj,O.LL:200:200:test:/h/test:/bin/ksh
>
> Excerpt from the manual:
>
> The characters used to represent "digits" are . for 0, / for 1, 0
> through 9 for 2 through 11, A through Z for 12 through 37, and a
> through z for 38 through 63.
>
> Password aging is put in effect for a particular user if his encrypted
> password in the password file is followed by a comma and a nonnull
> string of characters from the above alphabet. (Such a string must be
> introduced in the first instance by a superuser.) This string defines
> the "age" needed to implement password aging.
>
> The first character of the age, M, denotes the maximum number of weeks
> for which a password is valid. A user who attempts to login after his
> password has expired is forced to supply a new one. The next
> character, m, denotes the minimum period in weeks that must expire
> before the password can be changed. The remaining characters define
> the week (counted from the beginning of 1970) when the password was
> last changed (a null string is equivalent to zero). M and m have
> numerical values in the range 0 through 63 that correspond to the 64-
> character set of "digits" shown above. If m = M = 0 (derived from the
> string . or ..), the user is forced to change his password next time
> he logs in (and the "age" disappears from his entry in the password
> file). If m > M (signified, for example, by the string ./), then only
> a superuser (not the user) can change the password. Not allowing the
> user to ever change the password is discouraged, especially on a
> trusted system.
>
> --
> Mike Schwarz E-Mail: schwarz@learjet.com
> UNIX Systems Administrator Phone: (316) 946-2168
> Learjet Inc Fax: (316) 946-2809
--
+--------------------------+---------------------------+
| James (Jim) A. Dodd | jd@csd.sgi.com |
+--------------------------+-----+---------------------+
| Oh! But for the good old days when I only had to |
| worry about earthquakes & the bully down the street |
| Now I have to worry about how & what in DC, and |
| billionaire Saudi bullies who think the USA is EVIL! |
+------------------------------------------------------+
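
The age-field encoding quoted from the manual in this thread, decoded in Python so that passwd or NIS map entries can be audited for their aging settings. This is an added example, not part of the original messages; the names decode_age and now_week are hypothetical, and the digit order of the last-change week (least significant first, as in a64l) and the exact expiry comparison are assumptions.

```python
"""Decode the legacy ",Mm<week>" password-aging suffix of a passwd entry."""
import time

# Digit alphabet from the manual excerpt: . / 0-9 A-Z a-z stand for 0..63
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SECONDS_PER_WEEK = 7 * 24 * 3600


def decode_age(passwd_line, now_week=None):
    """Return a dict describing the aging state, or None if aging is not set."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a passwd entry")
    _hash, comma, age = fields[1].partition(",")
    if not comma or not age:
        return None  # no comma, or empty age string: aging not in effect
    if any(c not in ALPHABET for c in age):
        raise ValueError("invalid age character in %r" % age)
    if now_week is None:
        now_week = int(time.time()) // SECONDS_PER_WEEK

    max_weeks = ALPHABET.index(age[0])                       # M
    # A one-character age such as "." carries no m; treat it as 0.
    min_weeks = ALPHABET.index(age[1]) if len(age) > 1 else 0  # m
    # Assumption: remaining digits are least-significant first (a64l order).
    # A null string decodes to week 0, as the manual states.
    last = sum(ALPHABET.index(c) << (6 * i) for i, c in enumerate(age[2:]))

    force_change = max_weeks == 0 and min_weeks == 0   # "." or ".."
    superuser_only = min_weeks > max_weeks             # e.g. "./"
    # Assumption: expired once more than M weeks have passed since last change.
    expired = force_change or (not superuser_only and now_week > last + max_weeks)
    return {
        "max_weeks": max_weeks,
        "min_weeks": min_weeks,
        "last_change_week": last,
        "force_change": force_change,
        "superuser_only": superuser_only,
        "expired": expired,
    }


if __name__ == "__main__":
    # Test entry quoted in the thread; now_week is a constructed value.
    entry = "test:abcdefghijklj,O.LL:200:200:test:/h/test:/bin/ksh"
    print(decode_age(entry, now_week=1500))
```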