[tpm] changing password for multiple accounts

Ibrahim Amin ibrayem at gmail.com
Tue Sep 2 06:17:47 PDT 2008


Thank you for the reply.

I was wondering about using some of the utilities provided by HP-UX in /usr/lbin,
i.e. modprpw and getprpw, from Perl to do the following:
1 - Get the expiry date with the following command
 /usr/lbin/getprpw -m spwchg userid
which will return a string as follows:
 userid = Tue Aug 19 08:27:50 2008
My intention is to get this date and convert it to epoch, get the current
epoch date and get the difference. If the difference is more than 83 days
then the script issues a warning screen.

2 - If a user account is disabled, then enable it with
modprpw -x userid
and reset the password using
modprpw -x userid

As for LDAP, I am doing a quick tutorial but it is mostly theory, so could you
please give me a reference to a web site which shows a step-by-step
procedure to do password synch on a trusted system.

Also I need to know if LDAP is able to synch the password with Windows
login.

Thank you again for the reply.

On Sat, Aug 30, 2008 at 7:46 PM, Rodrigo Barcellos <rbarc77 at yahoo.com> wrote:

> Hello Ibrahim,
>
> Not sure if someone got back to you. Sounds like you want something exactly
> like LDAP. If you implement LDAP for your Unix servers, the password for all
> accounts will be synchronized - you change it on any box, it propagates it
> to all (because it syncs it at the LDAP server, the other servers are like
> an LDAP client). And that ID will expire on the same day, for all boxes.
>
> Depending on the LDAP implementation you use, there's one caveat, which
> doesn't tell you upfront that the password will expire. But that's easy to
> fix, you can have a perl script that runs on the global profile, which can
> launch an LDAP query command to check if you're about to expire and display a
> message accordingly.
>
> If you still want to have your passwords managed locally, it's doable, but
> way more painful and not secure. Basically, after a user enters a password
> and it gets crypted by HP-UX at /tcb/files/auth/r/root, you can capture that
> string with Perl and replicate it across all the servers through scp, but
> you need the scp command to be run by another ID, exclusive to syncing it to
> all servers (if you do the sync as root directly, you are opening root
> access to all servers without authentication, once you gain root access on
> one server). This other ID would leave the crypt password string in some
> directory, on all servers, and you can have a local cronjob (owned by root)
> that picks it up on every server and sets the password for that account
> accordingly. And then deletes that file left by the ID used to sync it
> everywhere.
>
> Cheers,
>
> Rodrigo
>
>
> --- On Wed, 8/27/08, Ibrahim Amin <ibrayem at gmail.com> wrote:
>
> > From: Ibrahim Amin <ibrayem at gmail.com>
> > Subject: [tpm] changing password for multiple accounts
> > To: toronto-pm at pm.org
> > Date: Wednesday, August 27, 2008, 5:19 PM
> > Hello,
> > I am looking for a secure and easy way for enabling users to change the
> > password of their account before it expires.
> >
> > We use HP-UX and some users have multiple logins in the form of xxlogin,
> > where xx is a two-character prefix and login is the user's login.
> >
> > 1 - I am looking for a way in which I can synchronize all the account
> > expiration dates.
> > 2 - If a user changes the password for one of his accounts, that change
> > also affects those accounts belonging to the same user.
> >
> > I hope this can be done with Perl.
> >
> > Thank you
> > --
> > Yours truly,
> > Ibrahim Amin


-- 
Yours truly,
Ibrahim Amin
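The date check from step 1 above, worked through as an added Perl example that is not part of the original post. It assumes getprpw -m spwchg prints exactly the one-line format quoted in the post, reuses the post's 83-day threshold, and the function names parse_spwchg, days_since_change and read_spwchg_line are made up for this example.

```perl
#!/usr/bin/perl
# Added example, not from the original post: read the spwchg date that
# "getprpw -m spwchg userid" prints and warn when the password is older
# than the post's 83-day threshold.
use strict;
use warnings;
use Time::Local qw(timelocal);
my $GETPRPW   = '/usr/lbin/getprpw';   # trusted-system utility named in the post
my $WARN_DAYS = 83;                    # threshold chosen in the post
my %MON; @MON{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = (0 .. 11);
# Turn "userid = Tue Aug 19 08:27:50 2008" into epoch seconds. The stamp is
# taken as the box's local time, which is how getprpw prints it. Returns
# undef when the line holds no date (call failed, or no change recorded).
sub parse_spwchg {
    my ($line) = @_;
    my ($mon, $mday, $h, $m, $s, $year) = $line =~
        /=\s*[A-Za-z]{3}\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+(\d{4})/
        or return;
    return unless exists $MON{$mon};
    return timelocal($s, $m, $h, $mday, $MON{$mon}, $year);   # 4-digit year is accepted
}
# Whole days between the change and $now (defaults to the current time).
sub days_since_change {
    my ($changed, $now) = @_;
    $now = time unless defined $now;
    return int(($now - $changed) / 86400);
}
# Query one user without a shell in between, so a userid can never be read
# as shell syntax. getprpw itself must be run as root on the trusted system.
sub read_spwchg_line {
    my ($userid) = @_;
    $userid =~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ or die "refusing odd userid: $userid\n";
    open(my $fh, '-|', $GETPRPW, '-m', 'spwchg', $userid) or die "cannot run $GETPRPW: $!\n";
    my $line = <$fh>;
    close $fh;
    return defined $line ? $line : "$userid = (no output)\n";
}
# Userids on the command line are queried on the box; with none, a constructed
# sample line stands in so the parsing and the age check can be tried anywhere.
my @lines = @ARGV ? map { read_spwchg_line($_) } @ARGV
                  : ("userid = Tue Aug 19 08:27:50 2008\n");   # constructed sample
for my $line (@lines) {
    my $userid = $line =~ /^\s*(\S+)\s*=/ ? $1 : '?';
    my $epoch  = parse_spwchg($line);
    if (!defined $epoch) { warn "no change date for $userid: $line"; next }
    my $age = days_since_change($epoch);
    printf "%s: password last changed %d days ago%s\n", $userid, $age,
        $age > $WARN_DAYS ? "  ** WARNING: please change it soon **" : "";
}
```

Run with no arguments to see the constructed sample parsed and flagged; on the HP-UX box itself, pass the userids to check and run it as root, since getprpw reads the protected password database.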