dcox@ssd.kodak.com (Don Cox) (03/12/91)
System type: Sun4/280, SunOS4.1.1

I am looking for a script that I can implement on my system that will
prompt the users to change their password every xx days. Thanks.

--
Don Cox
Phone (716) 253-7121
KMX (716) 253-7998
INTERNET dcox@ssd.kodak.com
gwyn@smoke.brl.mil (Doug Gwyn) (03/12/91)
In article <1991Mar11.185411.2414@ssd.kodak.com>, dcox@ssd.kodak.com (Don Cox) writes:
> System type: Sun4/280, SunOS4.1.1
> I am looking for a script that I can implement on my system that will
> prompt the users to change their password every xx days. Thanks.

I would be surprised if SunOS 4.1.1 did not already support password aging using a somewhat different mechanism. The usual scheme, added in some long-past release of UNIX System V, tacks an extra subfield onto the password in /etc/passwd, using a comma delimiter between the subfields. The aging information is contained in the new subfield. Presumably this is explained somewhere in the manual, if it is supported.

It is probably also worth noting that in most cases, forcing a change of password periodically actually reduces system security, rather than enhancing it as is probably the intention. Unless a password is compromised, if it was secure in the first place there is no reason not to stick with it.

Note also that SunOS 4.x supports "shadow" passwd and group files, which hide the encrypted passwords, preventing use of password-cracking programs. I highly recommend using this feature.
mills@ccu.umanitoba.ca (Gary Mills) (03/12/91)
In <1991Mar11.185411.2414@ssd.kodak.com> dcox@ssd.kodak.com (Don Cox) writes:
>System type: Sun4/280, SunOS4.1.1
>I am looking for a script that I can implement on my system that will
>prompt the users to change their password every xx days. Thanks.

SunOS 4.1 has this built in. See ``man passwd''. Unfortunately, ``yppasswd'' doesn't know about it, so users can't change their password remotely once password aging is enabled. Maybe it's fixed in 4.1.1? Is anyone using this?

--
-Gary Mills- -Networking Group- -U of M Computer Services-
guy@auspex.auspex.com (Guy Harris) (03/13/91)
>I would be surprised if SunOS 4.1.1 did not already support password
>aging using a somewhat different mechanism.

I would be surprised if it *did* support password aging using a "somewhat different mechanism", if that means different from the S5 version, because the intent was to pick up S5 password aging for 4.1, which I think they did.
al@escom.com (Al Donaldson) (03/13/91)
In article <15448@smoke.brl.mil>, gwyn@smoke.brl.mil (Doug Gwyn) writes:
> It is probably also worth noting that in most cases, forcing a change
> of password periodically actually reduces system security, rather than
> enhancing it as is probably the intention.

Not to mention being a royal pain in the keester. Few people can explain how it works, fewer users understand it, and it just plain gets in the way of running a facility, let alone a secure one.

A solution I've proposed is to save the date of last password change in the shadow password file. The administrator can scan this periodically and apply social pressures to the fellow that hasn't changed his password in the last year and a half.

> Unless a password is
> compromised, if it was secure in the first place there is no reason
> not to stick with it.

Problem is that compromise of a password is a probabilistic thing -- the probability of compromise (and accumulated damage) increases the longer one uses the same password. Users really should change their passwords periodically -- being forced to do it by a machine is just not the right way.

Al
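The comma-delimited aging subfield Doug Gwyn describes and the periodic administrator scan Al Donaldson proposes, combined in an added example that is not part of either post (the scan is applied here to the passwd aging subfield rather than to a shadow file). It assumes the classic System V passwd(4) layout: after the comma, one character for maximum weeks, one for minimum weeks, then the week of last change counted from 1970, all in the crypt alphabet with the first character least significant. The account lines and the "current" week are constructed.

```python
# Alphabet shared by crypt(3) output and the aging subfield; value = index.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WEEK = 7 * 24 * 3600  # seconds per week

def a64l(s):
    """Decode little-endian base-64: the first character is least significant."""
    n = 0
    for i, ch in enumerate(s):
        n |= B64.index(ch) << (6 * i)
    return n

def parse_aging(pw_field):
    """Return (max_weeks, min_weeks, last_change_week), or None if the
    password field has no usable aging subfield after the comma."""
    _, sep, age = pw_field.partition(",")
    if not sep or len(age) < 2 or any(c not in B64 for c in age):
        return None
    # A missing week (only two characters) decodes to week 0, i.e. "very old".
    return B64.index(age[0]), B64.index(age[1]), a64l(age[2:])

def stale_accounts(passwd_lines, now, limit_weeks):
    """List (login, weeks_since_change), oldest first, for every account
    whose password has not changed in more than limit_weeks."""
    this_week = int(now) // WEEK
    report = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:
            continue  # malformed entry: ignore rather than guess
        aging = parse_aging(fields[1])
        if aging is None:
            continue  # aging not enabled for this account
        weeks_old = this_week - aging[2]
        if weeks_old > limit_weeks:
            report.append((fields[0], weeks_old))
    return sorted(report, key=lambda r: -r[1])

# Constructed sample entries (placeholder hashes, hypothetical users).
SAMPLE = [
    "alice:xxxxxxxxxxxxx,6.AF:101:10:Alice:/home/alice:/bin/csh",  # week 1100
    "bob:xxxxxxxxxxxxx,A//E:102:10:Bob:/home/bob:/bin/sh",         # week 1025
    "carol:xxxxxxxxxxxxx:103:10:Carol:/home/carol:/bin/sh",        # no aging
]
SAMPLE_NOW = 1105 * WEEK  # constructed "today", roughly March 1991

if __name__ == "__main__":
    for login, weeks in stale_accounts(SAMPLE, SAMPLE_NOW, 52):
        print(f"{login}: password unchanged for {weeks} weeks")
```

Accounts without the subfield are skipped, so a clean report from this scan does not mean every password is recent; it only covers accounts where aging is enabled.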
gwyn@smoke.brl.mil (Doug Gwyn) (03/14/91)
In article <6580@auspex.auspex.com> guy@auspex.auspex.com (Guy Harris) writes:
>>I would be surprised if SunOS 4.1.1 did not already support password
>>aging using a somewhat different mechanism.
>I would be surprised if it *did* support password aging using a
>"somewhat different mechanism", if that means different from the S5 version,

I thought the context made it clear that "different" meant "different from what was described in the article to which I was responding".
swsh@ellis.uchicago.edu (Janet M. Swisher) (03/14/91)
On the question of whether there is a built-in mechanism to keep track of password ages, that could be used to bug users to change passwords regularly: I'm not a sysadmin, but it seems this must be possible, given this finger information I got from a machine at another site (info has been changed to protect the ignorant). I believe the machine in question is a Vax running some variety of BSD Unix.

>%finger user@some.other.site
>[some.other.site]
>Login name: user2                In real life: John Q. User
>Account Created: 10/01/90        Password Modified: 10/01/90
>Account Expires: 10/01
>Directory: /user/user2
>Never logged in.
>No Plan.
>
>Login name: user1                In real life: Mary Z. User
>Account Created: 07/20/87        Password Modified: 10/31/89
>Account Expires: 09/20/91
>Directory: /user/user1           Shell: /bin/csh
>On since Mar 13 15:03:45 on tty22        48 minutes Idle Time
>No Plan.

Now, why a sysadmin would configure finger to display to the world how old the passwords are on all the accounts, I don't know. But it appears to be possible, so the information must be saved somewhere.

--
Janet Swisher
Internet: swsh@midway.uchicago.edu
University of Chicago
Phone: (312) 702-7608
Academic and Public Computing
P-mail: 1155 E. 60th St. Chicago IL 60637, USA