November 20th, 2003, 12:29 PM
Solaris Root Password Protection.
Can you set the ROOT password on a Solaris system to expire after X amount of days? Also, what action does it take on expiration? Does it force the user to change the password on logon or does it lock the account?
If you can, how?
November 20th, 2003, 01:55 PM
It depends on which version of Solaris, but most should have /etc/default/passwd. Here is a Solaris 9 version:
Minweeks = minimum number of weeks that must pass before password can be changed
#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
Maxweeks = maximum number of weeks that must pass before password must be changed
Warnweeks = number of weeks warning the user should receive to change password
Passlength = minimum number of characters in password
My understanding is that it applies to all users: minweeks must pass before the password can be changed, and maxweeks will force a password change. The user will get warnings about changing their password, but if they miss it and log in after maxweeks, they will be prompted with a dialog asking for their old password and then a new one. Note that this works with telnet, but I have seen it lock people out of ssh. Telnet being what it is, the safest place to change is on the console, or to have some automated process such that you don't need the settings.
November 20th, 2003, 02:25 PM
These programs will do that, npasswd and passwd+, but neither will do password aging on SunOS 4.1.x and NIS. Read up on this: http://www.nas.nasa.gov/Groups/Secur...d/article.html and this: http://docs.sun.com/db/doc/805-8120-10/6j7kqn66n?a=view
www.bigadmin.com is a great Solaris site for security and other Solaris misc material.
November 21st, 2003, 04:02 AM
See the man pages for 'passwd', 'shadow', 'useradd', 'userdel', 'usermod' and 'vipw' (if installed, typically in /usr/ucb) on your system.
A shadow entry for a user will look like....
Field 1) Username
Field 2) Password in encrypted form
Field 3) Password last changed, represented as number of days since January 1 1970
Field 4) Minimum change days, i.e. how long the user must keep the password before changing it.
Field 5) Maximum change days, i.e. how long the user can keep the password before they _must_
Field 6) Number of warning days, i.e. when to start bugging the user that their password is going
Field 7) Number of inactive days, i.e. number of days after the password expires before the account status is set to inactive.
Field 8) Date the account will expire
Field 9) Not used, reserved for a future purpose.
The root account does become Locked (which you can check with 'passwd -s username'); however, expired accounts can still be su'd to.
Post if you need more help.
Note: BSD and many Linux systems include the 'chage' command, which allows the Admin to modify password aging only for an account.
Get OpenSolaris http://www.opensolaris.org/
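
How the shadow fields listed in the post above combine into a password-aging state, as an added example that is not part of the original thread. The function name `aging_status`, the state labels and the sample entries are constructed for illustration, and the boundary rules (`>` versus `>=`) are this example's assumption.

```shell
#!/bin/sh
# Added example: report password-aging state for shadow-format entries.
# Field numbers follow the list in the post above. Boundary handling
# (">" vs ">=") is an assumption of this example, not taken from the thread.

# Usage: aging_status TODAY < shadow-format-file
# TODAY is the current date as days since January 1 1970.
aging_status() {
    awk -F: -v today="$1" '
    /^#/ || NF < 8 { next }            # skip comments and short lines
    {
        user = $1; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        now = today + 0
        # Field 8: an account expiry date in the past overrides the rest
        if (expire != "" && now >= expire + 0) { print user, "ACCOUNT_EXPIRED"; next }
        # No last-change date or no maximum: aging is not in effect
        if (last == "" || max == "" || max + 0 < 0) { print user, "NO_AGING"; next }
        due = last + max               # last day the password is valid
        if (now > due) {
            # Field 7: past the inactivity window after password expiry
            if (inact != "" && now > due + inact) { print user, "INACTIVE" }
            else { print user, "PASSWORD_EXPIRED " (now - due) "d" }
            next
        }
        # Field 6: inside the warning window before expiry
        if (warn != "" && now >= due - warn) { print user, "WARN " (due - now) "d"; next }
        print user, "OK " (due - now) "d"
    }'
}

# Constructed sample entries; "PLACEHOLDER" stands in for the hash field.
sample_shadow() {
    cat <<'EOF'
root:PLACEHOLDER:12300:7:56:7:::
alice:PLACEHOLDER:12330:7:56:7:::
bob:PLACEHOLDER:12325:7:56:7:::
carol:PLACEHOLDER:12200:7:56:7:30::
dave:PLACEHOLDER:12370::::::
eve:PLACEHOLDER:12370:7:56:7::12000:
EOF
}

# 12376 is 2003-11-20 expressed as days since January 1 1970.
sample_shadow | aging_status 12376
```

Run against the real shadow file as root, this gives a quick audit of which accounts have no aging set and which are already past their maximum.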