[comp.sys.hp] Password Aging

randy@aplcomm.jhuapl.edu (RANDALL SCHRICKEL (NCE) x7661) (06/09/90)

As in, how do I make it work? I want my users to change their passwords (at
least) once a year (that's not often, but it's all that's required on our
trusted system). So, effective whenever I make the changes, I want the users
to be forced to change them, then be able to change them again whenever they
want, but at least yearly. Seems like "weeks valid" should be 52 ('O'), and
"min. weeks before changing" should be 0 ('.'), and I have no idea what the
last part should be ("date last changed in weeks since 1970").

I tried this:
	name:passwd,0.    etc. in the passwd file,
but all that did was make me change my passwd in an infinite loop...

Thanx for any suggestions.

(Model 9000/835 hp-ux 7.0, the man pages aren't much help.)
--
-------------------------------------------------------------------------------
	Randy Schrickel
	Johns Hopkins Applied Physics Lab
	Laurel, MD 20723

bae@hp-lsd.COS.HP.COM (Bruce Erickson) (06/11/90)

>As in, how do I make it work? I want my users to change their passwords (at
>least) once a year (that's not often, but it's all that's required on our
>trusted system). So, effective whenever I make the changes, I want the users
>to be forced to change them, then be able to change them again whenever they
>want, but at least yearly. Seems like "weeks valid" should be 52 ('O'), and
>"min. weeks before changing" should be 0 ('.'), and I have no idea what the
>last part should be ("date last changed in weeks since 1970").

The passwd(4) man page gives the UNIX secret away: the digits are 
   .     == 0
   /     == 1
   [0-9] == 2-11
   [A-Z] == 12-37
   [a-z] == 38-63

The first character is max weeks for which a password is valid, and the
remaining characters define the week (beginning 1970) when the password was 
last changed.

So, you would want the first character to be o (lower-case O) (for 52)
and the next characters are difficult to calculate (at least for me).  So,
what I do is to set up a fake password of the form

name:passwd,o/:<rest of the gobbledy-gook>

which forces a change the next time you log in; then I log in, change the
password, then look at /etc/passwd to see what ought to follow...

For example, I created (at the *END* of /etc/passwd)
jjj:,o/:204:21:testing:/users/bae:/bin/ksh

I logged in, was required to change the passwd, did so, then looked
at /etc/passwd.  On 6/11/90 it had changed the last line to:

jjj:aPEaOzDVHEDr2,o/eE:204:21:testing:/users/bae:/bin/ksh

So, 6/11/90 encodes to /eE.  Try figuring *that* out!  :-)

Bruce "Not an official spokesman, just trying to be helpful!" Erickson
bae@hp-lsd

PS:
   Use caution when editing /etc/passwd

   If you mess up an entry, the next time login(1) runs, it may decide
   to truncate the file, deleting any line after the bad line -- I don't
   know why, and I don't know if it happens on any version after HP-UX 1.2 --
   I'm too scared to try!

   Also, do *not* use rcs to control versioning the /etc/passwd file.
   The reason is that if you try:

      ci -l /etc/passwd

   when the 'ci' command tries to check out (locked) the file, it deletes
   /etc/passwd, then looks for the name of the person checking it out
   (to put the info in the passwd,v file) -- oops!  /etc/passwd doesn't
   exist, so ci bombs, and you no longer have a passwd file.  You cannot
   become super user via 'su', etc. -- in fact, unless you have a terminal
   logged in as super user, you are hosed (do *you* keep a recovery system?)

   If you want to keep versioning of /etc/passwd, keep the control file
   as /etc/passwdctl, and make sure /etc/passwd is identical to the
   currently checked-out version of /etc/passwdctl....  Painful experiences
   I just thought I would relate to you all!  :-(
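An added example (my own code, not Bruce's or HP's) that decodes and builds the aging string after the comma using the passwd(4) alphabet given above, so you can compute the last-changed field instead of logging in to discover it. It assumes the classic System V layout: max weeks, min weeks, then the last-changed week as two symbols with the low-order digit first, which is the reading under which the eE in the sample o/eE lands on the week containing 6/11/90.

```python
from datetime import date, timedelta

# passwd(4) alphabet: '.'=0, '/'=1, 0-9 = 2..11, A-Z = 12..37, a-z = 38..63
AGING_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = date(1970, 1, 1)  # the aging field counts whole weeks from here


def sym_to_int(c):
    """Value 0..63 of one aging symbol (ValueError if not in the alphabet)."""
    return AGING_ALPHABET.index(c)


def week_since_1970(iso_day):
    """Whole weeks elapsed from 1970-01-01 to the given 'YYYY-MM-DD' date."""
    return (date.fromisoformat(iso_day) - EPOCH).days // 7


def encode_week(week):
    """Two-symbol last-changed field, least-significant base-64 digit first."""
    return AGING_ALPHABET[week % 64] + AGING_ALPHABET[week // 64]


def build_aging(max_weeks, min_weeks, changed_on=None):
    """Aging string to append after the comma; omit changed_on to force a change at next login."""
    field = AGING_ALPHABET[max_weeks] + AGING_ALPHABET[min_weeks]
    if changed_on is not None:
        field += encode_week(week_since_1970(changed_on))
    return field


def decode_aging(field):
    """Parse an aging string into its components and the calendar week it names."""
    if not field:
        raise ValueError("empty aging field")
    info = {
        "max_weeks": sym_to_int(field[0]),
        "min_weeks": sym_to_int(field[1]) if len(field) > 1 else 0,
        "last_changed_week": None,
        "week_start": None,
        # With no last-changed week recorded, the password is treated as expired
        # (this is what makes the "o/" trick in the post force a change at login).
        "force_change": True,
    }
    last = field[2:4]
    if len(last) == 2:
        week = sym_to_int(last[0]) + 64 * sym_to_int(last[1])
        info.update(last_changed_week=week,
                    week_start=(EPOCH + timedelta(weeks=week)).isoformat(),
                    force_change=False)
    return info
```

build_aging(52, 0) yields the "o." the original poster was after, and adding a date fills in the trailing two symbols.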