Can you set the ROOT password on a solaris system to expire after X amount of days. Also, what action does it take on expiration? Does it force the user to change the password on logon or does it lock the account?
If you can.. How?
It depends on which version of Solaris, but most should have /etc/default/passwd, here is a Solaris 9 version:
Quote:
#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
MINWEEKS=1
MAXWEEKS=24
WARNWEEKS=1
PASSLENGTH=8
Minweeks = minimum number of weeks that must pass before password can be changed
Maxweeks = maximum number of weeks that must pass before password must be changed
Warnweeks = number of weeks warning the user should receive to change password
Passlength = minimum number of characters in password
My understanding is that it applies to all users. That minweeks must pass before the password can change, and that maxweeks will force a password change. The user will get warnings about changing their password, but if they miss it, they will be prompted with a dialog asking for their old password and then a new one if they log in after maxweeks. Note that this works with telnet, but I have seen it lock people out of ssh...telnet being what it is, safest place to change is on the console or to have some automated process such that you don't need the settings...
/nebulus
These programs will do that, npasswd and passwd+, but neither will do password aging on SunOS 4.1.x and NIS. Read up on this http://www.nas.nasa.gov/Groups/Secur...d/article.html and this http://docs.sun.com/db/doc/805-8120-10/6j7kqn66n?a=view . www.bigadmin.com is a great Solaris site for security and other Solaris misc material.
See the man pages for 'passwd' 'shadow' 'useradd' 'userdel' 'usermod' and 'vipw' (if installed, typically in /usr/ucb) on your system.
A shadow entry for a user will look like....
spurious:<Encrypted String>:12351:1:120:21:7:14974:
Field 1) Username
Field 2) Password in encrypted form
Field 3) Password last changed, represented as number of days since January 1 1970
Field 4) Minimum change days, i.e. how long the user must keep the password before changing it.
Field 5) Maximum change days, i.e. how long the user can keep the password before they _must_ change it.
Field 6) Number of warning days, i.e. when to start bugging the user that their password is going to expire.
Field 7) Number of inactive days, i.e. number of days after the password expires before the account status is set to inactive.
Field 8) Date the account will expire
Field 9) Not used, reserved for a future purpose.
The root account does become Locked (which you can check with 'passwd -s username'), however expired accounts can still be su'd to.
Post if you need more help.
-- spurious
Note: BSD and many Linux systems include the 'chage' command, which allows the Admin to modify password aging only for an account.
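The field arithmetic from the shadow entry described above, worked through as an added example that is not part of the original thread: it parses the nine fields and reports where an account sits in its aging cycle on a given day. The state names, the boundary conditions (whether a limit is reached on or after the computed day), and the constructed root line are assumptions; field 7 is interpreted as the post describes it.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# The entry from the post, with the password field left as the post's placeholder.
SAMPLE = "spurious:<Encrypted String>:12351:1:120:21:7:14974:"
# Constructed line: an account with no aging fields set.
ROOT_NO_AGING = "root:<Encrypted String>:12351::::::"

def to_date(day):
    """Convert a days-since-1970-01-01 count (fields 3 and 8) to a date."""
    return EPOCH + timedelta(days=day)

def parse_shadow(line):
    """Split one shadow line into named fields; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    names = ("lastchg", "min", "max", "warn", "inactive", "expire")
    entry = {"user": f[0]}
    for name, raw in zip(names, f[2:8]):
        entry[name] = int(raw) if raw else None
    return entry

def aging_state(entry, today):
    """Classify the entry on `today` (a date). Boundary choices are assumptions."""
    day = (today - EPOCH).days
    if entry["expire"] is not None and day >= entry["expire"]:
        return "account-expired"          # field 8 reached
    if entry["lastchg"] is None or entry["max"] is None or entry["max"] < 0:
        return "no-aging"                 # nothing forces a change
    must_change = entry["lastchg"] + entry["max"]   # field 3 + field 5
    if day > must_change:
        grace = entry["inactive"]                   # field 7
        if grace is not None and day > must_change + grace:
            return "inactive"
        return "must-change"
    if entry["warn"] is not None and day >= must_change - entry["warn"]:
        return "warning"                  # inside the field 6 window
    return "ok"

def audit(lines, today):
    """Return {user: state} for every non-blank, non-comment line."""
    rows = (l for l in lines if l.strip() and not l.startswith("#"))
    return {e["user"]: aging_state(e, today) for e in map(parse_shadow, rows)}

if __name__ == "__main__":
    e = parse_shadow(SAMPLE)
    print("last changed:", to_date(e["lastchg"]))
    print("must change after:", to_date(e["lastchg"] + e["max"]))
    print(audit([SAMPLE, ROOT_NO_AGING], date.today()))
```

Run against a copy of the shadow file rather than the live one; `audit(open(path), date.today())` gives one state per account.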