Path: utzoo!attcan!uunet!cs.utexas.edu!sdd.hp.com!hp-pcd!hpfcso!hpldola!hp-lsd!bae
From: bae@hp-lsd.COS.HP.COM (Bruce Erickson)
Newsgroups: comp.sys.hp
Subject: Re: Password Aging
Message-ID: <8250025@hp-lsd.COS.HP.COM>
Date: 11 Jun 90 14:44:16 GMT
References: <5649@aplcen.apl.jhu.edu>
Organization: HP Logic Systems Division - ColoSpgs, CO
Lines: 65

>As in, how do I make it work?  I want my users to change their passwords (at
>least) once a year (that's not often, but it's all that's required on our
>trusted system).  So, effective whenever I make the changes, I want the users
>to be forced to change them, then be able to change them again whenever they
>want, but at least yearly.  Seems like "weeks valid" should be 52 ('O'), and
>"min. weeks before changing" should be 0 ('.'), and I have no idea what the
>last part should be ("date last changed in weeks since 1970").

The passwd(4) man page gives the UNIX secret away: the digits are

    .      == 0
    /      == 1
    [0-9]  == 2-11
    [A-Z]  == 12-37
    [a-z]  == 38-63

The first character is max weeks for which a password is valid, and the
remaining characters define the week (beginning 1970) when the password was
last changed.

So, you would want the first character to be o (lower-case O) (for 52), and
the next characters are difficult to calculate (at least for me).  So, what
I do is to set up a fake password of the form

    name:passwd,o/:

which forces a change the next time you log in; then I log in, change the
password, then look at /etc/passwd to see what ought to follow...

For example, I created (at the *END* of /etc/passwd)

    jjj:,o/:204:21:testing:/users/bae:/bin/ksh

I logged in, was required to change the passwd, did so, then looked at
/etc/passwd.  On 6/11/90 it had changed the last line to:

    jjj:aPEaOzDVHEDr2,o/eE:204:21:testing:/users/bae:/bin/ksh

So, 6/11/90 encodes to /eE

Try figuring *that* out!  :-)

Bruce "Not an official spokesman, just trying to be helpful!" Erickson
bae@hp-lsd

PS: Use caution when editing /etc/passwd.  If you mess up an entry, the next
time login(1) runs, it may decide to truncate the file, deleting any line
after the bad line -- I don't know why, and I don't know if it happens on any
version after HP-UX 1.2 -- I'm too scared to try!

Also, do *not* use rcs to control versioning the /etc/passwd file.  The
reason is that if you try:

    ci -l /etc/passwd

when the 'ci' command tries to check out (locked) the file, it deletes
/etc/passwd, then looks for the name of the person checking it out (to put
the info in the passwd,v file) -- oops!  /etc/passwd doesn't exist, so ci
bombs, and you no longer have a passwd file.  You cannot become super user
via 'su', etc. -- in fact, unless you have a terminal logged in as super
user, you are hosed (do *you* keep a recovery system?)

If you want to keep versioning of /etc/passwd, keep the control file as
/etc/passwdctl, and make sure /etc/passwd is identical to the currently
checked-out version of /etc/passwdctl....

Painful experiences I just thought I would relate to you all!  :-(
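The following is an added worked example, not code from Bruce's post or from HP-UX: it encodes and decodes the password-aging field using the 64-character alphabet quoted above, so that the "difficult to calculate" last-changed week can be computed directly instead of by the log-in-and-look trick. It assumes the System V passwd(4) layout, which the post only partly spells out: the first character is the maximum weeks, the second is the minimum weeks (the '/' in the post's ",o/eE" reads as min weeks = 1 under this layout), and the last two characters are the week since 1970-01-01 with the first of the two being the least significant. A field with only the two leading characters has no last-changed week, which is what the post observed forces a change at the next login. The two passwd lines used as input are the ones from the post; the `make_aging_field`/`parse_aging_field` names are mine.

```python
"""Encode/decode the System V style password-aging field from passwd(4).

Alphabet (as quoted in the post):
    '.' == 0, '/' == 1, '0'-'9' == 2-11, 'A'-'Z' == 12-37, 'a'-'z' == 38-63

Assumed field layout (SVR2/3 passwd(4) convention; not stated in full in the
post): <max weeks><min weeks><last-changed week, 2 chars, first char low-order>.
A two-character field carries no last-changed week and forces a change at
next login, matching the post's observation.
"""
from datetime import date, timedelta

ALPHABET = ("./" + "0123456789"
            + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            + "abcdefghijklmnopqrstuvwxyz")
assert len(ALPHABET) == 64
EPOCH = date(1970, 1, 1)  # week 0 starts here


def encode_digit(n):
    """Map 0..63 to its aging character."""
    if not 0 <= n < 64:
        raise ValueError(f"aging digit out of range: {n}")
    return ALPHABET[n]


def decode_digit(c):
    """Map an aging character back to 0..63."""
    if len(c) != 1 or c not in ALPHABET:
        raise ValueError(f"not an aging digit: {c!r}")
    return ALPHABET.index(c)


def weeks_since_epoch(d):
    """Whole weeks from 1970-01-01 to the given date."""
    return (d - EPOCH).days // 7


def week_start(week):
    """First day of the given epoch week (a Thursday, since 1970-01-01 was one)."""
    return EPOCH + timedelta(weeks=week)


def encode_week(week):
    """Two characters, first one least significant (assumed convention)."""
    if not 0 <= week < 64 * 64:
        raise ValueError(f"week out of range: {week}")
    return encode_digit(week % 64) + encode_digit(week // 64)


def decode_week(s):
    if len(s) != 2:
        raise ValueError("last-changed week must be two characters")
    return decode_digit(s[0]) + 64 * decode_digit(s[1])


def make_aging_field(max_weeks, min_weeks, last_changed=None):
    """Build the aging field; omit last_changed to force a change at next login."""
    field = encode_digit(max_weeks) + encode_digit(min_weeks)
    if last_changed is not None:
        field += encode_week(weeks_since_epoch(last_changed))
    return field


def parse_aging_field(field):
    """Return max/min weeks, the last-changed week (or None) and whether a
    change is forced at next login."""
    if len(field) not in (2, 4):
        raise ValueError(f"aging field must be 2 or 4 characters: {field!r}")
    info = {"max_weeks": decode_digit(field[0]),
            "min_weeks": decode_digit(field[1])}
    if len(field) == 2:
        info.update(last_changed_week=None, last_changed_from=None,
                    force_change=True)
    else:
        week = decode_week(field[2:])
        info.update(last_changed_week=week, last_changed_from=week_start(week),
                    force_change=False)
    return info


def aging_from_passwd_line(line):
    """Extract the aging field (text after the comma in field 2), or None."""
    pw_field = line.split(":")[1]
    if "," not in pw_field:
        return None
    return pw_field.split(",", 1)[1]


if __name__ == "__main__":
    # The two lines from the post: before and after the forced change.
    before = "jjj:,o/:204:21:testing:/users/bae:/bin/ksh"
    after = "jjj:aPEaOzDVHEDr2,o/eE:204:21:testing:/users/bae:/bin/ksh"
    for line in (before, after):
        print(aging_from_passwd_line(line), parse_aging_field(aging_from_passwd_line(line)))
    print("field for 52 max / 0 min changed today:",
          make_aging_field(52, 0, date.today()))
```

Running it shows that "eE" is week 1066 (the week starting Thursday 1990-06-07, which contains 6/11/90), that 'o' is 52 while the questioner's upper-case 'O' would be 26, and that the field the questioner wants (52 weeks max, 0 weeks min, change forced now) is simply "o." with nothing after it.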