[tpm] changing password for multiple accounts

Rodrigo Barcellos rbarc77 at yahoo.com
Sat Aug 30 16:46:07 PDT 2008


Hello Ibrahim,

Not sure if someone got back to you. Sounds like you want something exactly like LDAP. If you implement LDAP for your Unix servers, the password for all accounts will be synchronized: you change it on any box and it propagates to all of them (because it syncs at the LDAP server, and the other servers are like LDAP clients). And that ID will expire on the same day on all boxes.

Depending on the LDAP implementation you use, there's one caveat: it doesn't tell you upfront that the password will expire. But that's easy to fix; you can have a Perl script that runs in the global profile, which can launch an LDAP query command to check if you're about to expire and display a message accordingly.

If you still want to have your passwords managed locally, it's doable, but way more painful and not secure. Basically, after a user enters a password and it gets crypted by HP-UX at /tcb/files/auth/r/root, you can capture that string with Perl and replicate it across all the servers through scp, but you need the scp command to be run by another ID, used exclusively to sync it to all servers (if you do the sync as root directly, you are opening root access to all servers without authentication once you gain root access on one server). This other ID would leave the crypt password string in some directory on all servers, and you can have a local cron job (owned by root) that picks it up on every server and sets the password for that account accordingly, and then deletes the file left by the ID used to sync it everywhere.

Cheers,

Rodrigo


--- On Wed, 8/27/08, Ibrahim Amin <ibrayem at gmail.com> wrote:

> From: Ibrahim Amin <ibrayem at gmail.com>
> Subject: [tpm] changing password for multiple accounts
> To: toronto-pm at pm.org
> Date: Wednesday, August 27, 2008, 5:19 PM
> Hello,
> I am looking for a secure and easy way of enabling users to change the
> password of their account before it expires.
> 
> We use HP-UX and some users have multiple logins in the form of xxlogin,
> where xx is a two-character prefix and login is the user's login.
> 
> 1 - I am looking for a way in which I can synchronize all the account
> expiration dates.
> 2 - If a user changes the password for one of his accounts, that change
> also affects the other accounts belonging to the same user.
> 
> I hope this can be done with Perl.
> 
> Thank you
> -- 
> Yours truly,
> Ibrahim Amin
> _______________________________________________
> toronto-pm mailing list
> toronto-pm at pm.org
> http://mail.pm.org/mailman/listinfo/toronto-pm
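What the "about to expire" check that Rodrigo describes would do with the LDAP reply, as an added example (not code from the thread, and written in Python rather than Perl): it parses the shadowAccount attributes (RFC 2307 schema) that an ldapsearch returns for the logged-in user and computes the days left, using the same days-since-epoch arithmetic that /etc/shadow ageing uses. The LDIF sample, the uid jdoe and the message wording are constructed for the example.

```python
from datetime import date

# Constructed sample, not real data: the kind of LDIF an
# `ldapsearch -x -LLL uid=jdoe shadowLastChange shadowMax shadowWarning`
# returns for a shadowAccount entry. A real profile script would run that
# query against the directory instead of using this string.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 14040
shadowMax: 90
shadowWarning: 14
"""

EPOCH = date(1970, 1, 1)


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Only plain 'attr: value' lines are handled; comments and blank lines are
    skipped. Base64 ('attr:: value') and folded lines are not needed for the
    numeric shadow attributes used here.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def _to_date(today):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return today if isinstance(today, date) else date.fromisoformat(today)


def days_until_expiry(entry, today):
    """Days until the password expires; negative if it already expired.

    shadowLastChange and shadowMax are counted in days, as in /etc/shadow.
    Returns None when no ageing is configured (attribute missing or -1).
    """
    last = entry.get("shadowLastChange")
    max_age = entry.get("shadowMax")
    if not last or not max_age:
        return None
    last_change, max_days = int(last[0]), int(max_age[0])
    if last_change < 0 or max_days < 0:
        return None
    if last_change == 0:  # 0 means "must change at next login"
        return 0
    today_days = (_to_date(today) - EPOCH).days
    return last_change + max_days - today_days


def expiry_message(entry, today):
    """Message to show at login, or None if nothing needs saying."""
    remaining = days_until_expiry(entry, today)
    if remaining is None:
        return None
    warn_days = int(entry.get("shadowWarning", ["7"])[0])
    if remaining < 0:
        return f"Your password expired {-remaining} day(s) ago. Contact the helpdesk."
    if remaining == 0:
        return "Your password expires today. Change it now with passwd."
    if remaining <= warn_days:
        return f"Your password expires in {remaining} day(s). Change it with passwd."
    return None


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    msg = expiry_message(entry, date.today())
    if msg:
        print(msg)
```

In a real profile script the SAMPLE_LDIF string is replaced by the output of an ldapsearch for the user who just logged in. Nothing here needs root, which is the advantage of doing the check from the user's own profile rather than from a privileged cron job.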


      

