Folks,
First my original post......
*********************************************************************
Folks,
I am looking for a product that will allow me to do password aging
on a SunOS 4.1.3_U1 master server serving various 4.1.3_U1 and 4.1.4
clients.
Does anyone know if such a product exists?
*********************************************************************
I have downloaded npasswd and passwd+ but neither will do password
aging on SunOS 4.1.x and NIS.
We have decided to use some cron jobs to check a database for
dates on individual's passwords and to notify them when they
have exceeded a certain time limit. After an additional time
period, if the user has not changed their password,the system
would change the password for them and alert them that the
password has changed and to contact a systems administrator.
We are still discussing the logic of this configuration and
are writing some preliminary scripts.
Thanks to all who responded.....
Veselin Terzic <terzic@mda.ca>
Nico Garcia <raoul@mit.edu>
Gary Lee <rgl@xdiv.lanl.gov>
Greg Coleman <greg@crusoe.net>
Cheng Xu <chengx@cninfo.co.cn>
Tim Brown <tmb@myxa.com>
Lee Ann Goldstein <lgoldste@ladc.lockheed.com>
Parks Fields <parks@xdiv.lanl.gov>
Clyde Hoover <clyde@motown.cc.utexas.edu>
Now for some answers.....
From: Gary Lee <rgl@xdiv.lanl.gov>
I have been unable to find one that works with NIS.
I am currently planning on writing a script that will
handle aging by nightly sending email to those whose
passwords are about to expire and, if necessary, expiring
passwords of those who do not change their password. We
consider this method to be better than at login time,
because we have a number of pop mail users who never use
the login process to access the machines.
From: Veselin Terzic <terzic@mda.ca>
if you have a www link try: http://uts.cc.utexas.edu/~clyde/npasswd-20.htm
Description
This is the draft FAQ for version 2.0 of npasswd.
Common questions and answers
1. When is npasswd 2.0 going to be ready?
I've missed several release dates :-( due to the load of my regular duties.
Right now I have a code base that
I'm pretty happy with, but there is much "infill" and port verification work
needed. There is a group of folks
helping me with this.
Since this is the Christmas holiday season and therefore not so much gets
done, I suspect that the earliest
availability is in a January 1996 timeframe, but I've said that before :-(
2. What features does version 2 have?
Support for enhanced security for Ultrix 4 and DEC OSF/1.
Support for System 5 style shadow passwords (AIX, Solaris 2).
Support for SunOS C2 security (adjunct passwords & secret RPC keys).
Use of Crack for password checking.
Implements the chfn and chsh commands.
Greater extensibility and portability (ANSI C and POSIX compliance).
3. Can I get version 2 now?
A new round of development is under way, both by myself and some others across
the net. I'm not releasing
any more beta copies right now, but watch this space.
4. Does it run on my system?
Right now, 2.0 runs on:
Solaris 2/SunOS 5 (local password changes only).
Ultrix 4 and DEC OSF/1.
SunOS 4.1.X.
If your system isn't here it's because I don't have one of them to develop it
on.
To npasswd information page
Clyde Hoover / clyde@uts.cc.utexas.edu
From: raoul@mit.edu Nico Garcia
Kerberos; check out data at ftp.cygnus.com.
From: Greg Coleman (G-tech Corp.) <greg@crusoe.net>
Hi Dave,
I posted the same question about 1.5 months ago. The
bottom line was no, does not work under SunOS 4.x. There were
some shareware products mentioned but the amount of work involved
was enormous. My site has excess of 3000 nodes (ws + srvrs) and
thousands of users all under NIS. The three options I am faced
with are:
1) as you mentioned, upgrade the NIS servers to Solaris.
possible problem: I would have to run it in NIS compatibility
mode and I am not sure if this mode supports aging.
Plus, a lot of work, I have 1 NIS srvr per subnet, totalling
34.
2) have some homegrown script check a dot file in the users home
which contains the date of the last change.
problem: easily circumvented by the user.
3) I would like to just create another NIS map which contains
the pertinent info. This is easy to do but under SunOS, there
is no system cshrc/profile etc. So I can not assure this script
will be executed by all. (see problem #2)
If I come with something I'll pass it along.
From: Gary Lee <rgl@xdiv.lanl.gov>
There are two approaches to password aging.
1. Notify the user when they log on that their password will expire soon
and eventually require that they change their password before they
can proceed. A. Do this as part of the login program or B. do this
as part of a .login.
2. Periodically run a program that looks at the password file and perhaps
an associated aging file and notify the user via email that his password
is approaching expiration and eventually disable the account.
1A. requires massive changes in a fairly large network. Software is
commercially available to do this. It is expensive. 1B. is easily defeated.
2 requires no changes to OS software. We are implementing 2 by writing some
software to do it. We maintain a separate file of aging info and update
that when the user changes his password. Nightly we will look at the aging info
and send email to those whose password is approaching expiration. Eventually
we will disable the account using the same program.
We are using passwd+ to validate passwords as the user changes them. Passwd+
(ftp nob.cs.ucdavis.edu:/pub/sec-tools) has an aging feature, but to my
knowledge has never been implemented on SunOS.
Gary Lee
Los Alamos National Laboratory
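Dave's cron-based plan in the summary above and Gary Lee's approach 2 describe the same nightly job: read a separate aging record, mail users whose passwords are approaching expiry, and disable the account after a grace period. The following is an added example of that job written as a POSIX sh cron script; it is not any poster's code. It assumes a hypothetical aging file (AGING_FILE) holding one "login last_change" line per user, where last_change is the day number since the epoch written by whatever passwd wrapper the site uses, an assumed PASSWD_SRC path for the NIS source passwd file on the master, and a DO_IT switch that is 0 by default so the script only prints what it would do. Whole day numbers replace the %j Julian days used in the .login scripts later in this post, so no year-wrap adjustment is needed.

```sh
#!/bin/sh
# Nightly password-aging job for an NIS site (added example, not the posters'
# scripts). Assumes a hypothetical aging file with one "login last_change"
# line per user, last_change being days since the epoch ($(date +%s) / 86400)
# recorded when the user last changed their password.

AGING_FILE="${AGING_FILE:-/var/adm/pw_aging}"   # assumed location
MAX_AGE=90    # password expires 90 days after the last change
WARN_AT=76    # nightly warning mail starts 14 days before expiry
GRACE=14      # days after expiry before the account is locked
DO_IT="${DO_IT:-0}"   # 1 = really mail and lock; 0 = only print the actions

# classify DAYS -> ok | warn | expired | disable
classify() {
    if [ "$1" -ge $((MAX_AGE + GRACE)) ]; then echo disable
    elif [ "$1" -ge "$MAX_AGE" ]; then echo expired
    elif [ "$1" -ge "$WARN_AT" ]; then echo warn
    else echo ok
    fi
}

# age_report TODAY FILE: emit "login days action" per user. Blank lines,
# comments and malformed records are skipped, never treated as expired.
age_report() {
    today=$1
    while read -r login last _; do
        case "$login" in '' | '#'*) continue ;; esac
        case "$last" in '' | *[!0-9]*)
            echo "skipping bad aging record for '$login'" >&2; continue ;;
        esac
        days=$((today - last))
        echo "$login $days $(classify "$days")"
    done < "$2"
}

# notify LOGIN SUBJECT: mail the user, or show what would be sent
notify() {
    if [ "$DO_IT" = 1 ]; then
        printf '%s\nPlease run passwd.\n' "$2" | mail -s "$2" "$1"
    else
        echo "would mail $1: $2"
    fi
}

# lock_account LOGIN: make the password field unmatchable in the NIS source
# passwd file (assumed PASSWD_SRC; no C2 adjunct file) and push the map.
# Must run on the NIS master, the same (cd /var/yp; make) step as the root
# scripts in this post.
lock_account() {
    src="${PASSWD_SRC:-/etc/passwd}"
    if [ "$DO_IT" = 1 ]; then
        sed "s/^\($1\):\([^*][^:]*\):/\1:*LK*\2:/" "$src" > "$src.tmp" \
            && cp "$src" "$src.bak" && mv "$src.tmp" "$src" \
            && (cd /var/yp && make)
    else
        echo "would lock $1 in $src and run (cd /var/yp; make)"
    fi
}

# nightly TODAY FILE: act on each line of the report
nightly() {
    age_report "$1" "$2" | while read -r login days action; do
        case "$action" in
        warn)    notify "$login" "Your password expires in $((MAX_AGE - days)) days" ;;
        expired) notify "$login" "Your password expired $((days - MAX_AGE)) days ago" ;;
        disable) lock_account "$login"
                 notify root "Locked $login: password unchanged for $days days" ;;
        esac
    done
}

# Constructed sample aging file; with a fixed "today" of day 10000 it gives
# one user in each state (0, 80, 95 and 110 days since the last change).
make_sample() {
    cat > "$1" <<'EOF'
# login last_change (days since epoch)
alice 10000
bob 9920
carol 9905
dave 9890
EOF
}

# Real cron use: nightly "$(( $(date +%s) / 86400 ))" "$AGING_FILE"
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    make_sample "$sample"
    nightly 10000 "$sample"
    rm -f "$sample"
fi
```

Run it with `--demo` to see the dry-run actions for the constructed file; in cron, pass today's day number and the real aging file, and set DO_IT=1 only on the NIS master, where the yp make can push the locked entry.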
From: Tim Brown <tmb@myxa.com>
Dave,
The only way to get password aging that I am familiar with is
to use NIS+ under Solaris 2.4 (with patches) or Solaris 2.5.
I seem to recall a product that Sun marketed for a while as
an unbundled product (ARM I think) but I am not sure what the
status of it is or whether it does password aging.
Another product which might help is CA-Unicenter but that
is a big and intrusive product and would affect how you
administer your entire environment. It is also very expensive.
NIS+ is possibly your best bet.
From: Lee Ann Goldstein <lgoldste@ladc.lockheed.com>
Please note that the following is not a perfect solution, but it works.
It does have a number of security holes, but for a variety of reasons I
don't have to worry about them.
Following are the 3 scripts I use
to force password aging while running NIS. There are 3 scripts (one for
regular users, and two for root users) because of one of the oddities
of NIS: while regular users can change their password from any workstation
in the NIS domain, the root user's password can only be changed from the
NIS master workstation. Also, passwords changed on the NIS master don't
actually change in the NIS database, only in /etc/passwd, so the script
for changing the root user's password on the NIS master runs
(cd /var/yp;make). You actually have the same problem with a regular user,
but only root can run the yp make, so we just let it slide, since regular
users rarely login at the console of our NIS master.
All of our users and the root user use the C shell, so I put the line
source <filename of appropriate script>
into everyone's .login file.
The other thing you need is a directory to keep all the Julian date files
in that can be accessed from everywhere on your network. I use /home/dates.
If the directory isn't mounted on a particular workstation, the worst
that will happen is that a regular user will wind up changing their
password, and a root user will wind up remotely logged in to the NIS master,
which can look a little confusing.
I hope all this helps you.
Regards,
Lee Ann Goldstein
#! /bin/csh -f
#
# check_pw - this is the script for regular users
#
# Script to force a password change every 90 days
# Created by Lee Ann Goldstein, 7/23/91
#
#
# if the /home/dates/$user file does not exist
#
if (! -e /home/dates/$user) then
    #
    # This is a first login
    # force user to set a password
    #
    passwd
    while ($status)
        passwd
    end
    #
    # Save the Julian date
    #
    date +%j >>! /home/dates/$user
else
    #
    # This is an established user
    # Get the "last password change" and today's Julian dates
    #
    set last_change = `cat /home/dates/$user`
    set todays_jdate = `date +%j`
    #
    # If today's date is less than the "last password change"
    # date, we've wrapped around to the next year
    #
    if ($todays_jdate < $last_change) then
        #
        # So we change passwords after 89 days after a
        # leap year. So what?
        #
        @ todays_jdate = $todays_jdate + 365
    endif
    #
    # Get the days since the last password change
    #
    @ days_since_change = $todays_jdate - $last_change
    #
    # If it's been at least 90 days...
    #
    if ($days_since_change >= 90) then
        #
        # Force user to set a password
        #
        passwd
        while ($status)
            passwd
        end
        #
        # Save the Julian date
        #
        date +%j >! /home/dates/$user
    endif
endif
# check_root_pw
#
# Script to force the superuser to change passwords every 90 days
# Created by Lee Ann Goldstein, 7/26/91
#
# If the /home/dates/root file does not exist
#
if (! -e /home/dates/root) then
    #
    # This is a first login
    # Force user to set a password
    #
    passwd root
    while ($status)
        passwd root
    end
    (cd /var/yp; make) # this gets the new pw out over the network
    #
    # Save the Julian date
    #
    date +%j >>! /home/dates/root
    #
    # Return to the client, if we came from one
    #
    echo -n "Was this a remote login from a client? (y/n): "
    if ("$<" == "y") then
        echo "Logging out from `hostname`"
        logout
    endif
else
    #
    # This is an established user
    # Get the "last password change" and today's Julian dates
    #
    set last_change = `cat /home/dates/root`
    set todays_jdate = `date +%j`
    #
    # If today's date is less than the "last password change"
    # date, we've wrapped around to the next year
    #
    if ($todays_jdate < $last_change) then
        #
        # So we change passwords after 89 days after a
        # leap year. So what?
        #
        @ todays_jdate = $todays_jdate + 365
    endif
    #
    # Get the days since the last password change
    #
    @ days_since_change = $todays_jdate - $last_change
    #
    # If it's been at least 90 days...
    #
    if ($days_since_change >= 90) then
        #
        # Force user to set a password
        #
        passwd root
        while ($status)
            passwd root
        end
        (cd /var/yp; make) # this gets the new pw out over the network
        #
        # Save the Julian date
        #
        date +%j >! /home/dates/root
        #
        # Return to the client, if we came from one
        #
        echo -n "Was this a remote login from a client? (y/n): "
        if ("$<" == "y") then
            echo "Logging out from `hostname`"
            logout
        endif
    endif
endif
# check_client_root_pw
#
# !!! Be sure to change the string <NIS master hostname> to
# !!! the name of your NIS master every place it appears!
#
# Script to force a client superuser to log in to the server to
# change passwords every 90 days
# Created by Lee Ann Goldstein, 7/26/91
#
# If we're not logged in to the server, do a remote login
# (we can't change the password over the network)
#
#
# if the /home/dates/root file does not exist
#
if (! -e /home/dates/root) then
    #
    # This is a first login
    # Force a login to the NIS master
    #
    echo "The superuser password has expired"
    echo "Logging in to NIS master to set password"
    rlogin <NIS master hostname>
else
    #
    # This is an established user
    # Get the "last password change" and today's Julian dates
    #
    set last_change = `cat /home/dates/root`
    set todays_jdate = `date +%j`
    #
    # If today's date is less than the "last password change"
    # date, we've wrapped around to the next year
    #
    if ($todays_jdate < $last_change) then
        #
        # So we change passwords after 89 days after a
        # leap year. So what?
        #
        @ todays_jdate = $todays_jdate + 365
    endif
    #
    # Get the days since the last password change
    #
    @ days_since_change = $todays_jdate - $last_change
    #
    # If it's been at least 90 days...
    #
    if ($days_since_change >= 90) then
        #
        # The superuser password has expired
        # Force a login to NIS master
        #
        echo "The superuser password has expired"
        echo "Logging in to NIS master to set password"
        rlogin <NIS master hostname>
    endif
endif
Thanks again to all!!!
davez
****************************************************
Dave Zarnoch Email davez@mop.com
Systems Administration Voice (610)995-1400
BNP/Cooper Neff FAX (610)995-1451
3 Radnor Corporate Center
Suite 130
Radnor, PA 19087
****************************************************
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:56 CDT