
Password policy change 2

Status
Not open for further replies.

schrim

Technical User
Apr 12, 2005
Hi,
We are getting ready to implement a new password policy change for our AIX users to comply with the Auditors' findings. Most, if not all, of our users do not have secure enough passwords, and when we put the changes into the /etc/security/user file, it will inadvertently lock all users out if they don't meet the minimum requirements. We are trying to avoid this situation. Is there a way to force a password change when the users log in? This way we can get them to change their own password without getting locked out? Just a little more info: we have 60 plus servers and hundreds of users. Thanks for your help in advance. Chris
 
I think this can be done using the pwdadm command with the -f flag set to ADMCHG!

Code:
ADMCHG 
Resets the ADMCHG attribute without changing the user's password. This forces the user to change passwords the next time a login command or an su command is given for the user. The attribute is cleared when the user specified by the User parameter resets the password.


In here you will have to script this for all users in all servers!

You have to cat /etc/passwd and then use awk to exclude the first column (user names) and then, using a loop, direct this to the pwdadm command with the -f flag! I don't have a box next to me to try this unfortunately!

Regards,
Khalid
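The loop Khalid describes, written out as an added example (not code from the thread): it picks the regular accounts out of /etc/passwd and flags each one with pwdadm -f ADMCHG. It assumes regular users have UIDs of 200 or above (the AIX default range) and that system and service accounts must be skipped so that root and automated jobs are not locked out; it includes a constructed sample passwd file and a DRY_RUN switch so it can be checked before touching a live box.

```shell
#!/bin/sh
# Added example: flag regular AIX users so they must change their
# password at next login (pwdadm -f ADMCHG). Assumes regular-user
# UIDs start at 200; adjust MIN_UID to match the site's id range.
MIN_UID=200

# Constructed sample in /etc/passwd format (not from any real host).
SAMPLE='root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
alice:!:201:1::/home/alice:/usr/bin/ksh
bob:!:202:1::/home/bob:/usr/bin/bash
svc:!:250:1::/home/svc:/bin/false'

# Read passwd-format lines on stdin; print the user names that should
# be flagged. System accounts (UID below MIN_UID) and accounts with a
# non-login shell are skipped so services keep running.
admchg_candidates() {
  awk -F: -v min="$MIN_UID" '
    $3 >= min && $7 !~ /(false|nologin)$/ { print $1 }
  '
}

# Apply the ADMCHG flag to every candidate in the given passwd file
# (default /etc/passwd). With DRY_RUN=1 only print what would run.
force_password_change() {
  pwfile="${1:-/etc/passwd}"
  for u in $(admchg_candidates < "$pwfile"); do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would run: pwdadm -f ADMCHG $u"
    else
      # pwdadm sets the ADMCHG attribute without changing the password;
      # the user is prompted for a new one at the next login or su.
      pwdadm -f ADMCHG "$u" || echo "pwdadm failed for $u" >&2
    fi
  done
}

# Demo on the constructed sample: lists alice and bob only.
demo() {
  printf '%s\n' "$SAMPLE" | admchg_candidates
}
```

Run it once with DRY_RUN=1 on each server and review the list before the real pass; on the 60-plus hosts mentioned above, the same script can be pushed through whatever remote-execution loop is already in use.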
 
Err...

Whilst Khalid is right, be very careful with this and be prepared for chaos - and I mean total chaos. Hundreds of users all having to change their passwords with new restrictive rules means your service desk will get flooded and you will be the bad guy of the week.

What we did in a similar situation was:

1. Email ALL users informing them of the new rules and that it was their responsibility to change to new passwords conforming to these new rules - we gave them a month.
2. With one week to go we used 'crack' to identify those who hadn't changed and repeated the e-mail.
3. On 'P' day we had the Service Desk and ourselves all geared up and ready to go. It was still one of those days I'd prefer to forget.
4. Regular passes of crack identify those accounts that didn't change because they're dormant or have weak passwords for some other reason. We have hundreds of users across eight systems and we're now down to a handful of problems which have deeper issues.

More about crack here

On the internet no one knows you're a dog

Columb Healy
 
:)

Yes Columb is right. Involving the users in this stage is important! User awareness will reduce help desk calls!

Regards,
Khalid
 
Thanks guys for the info. This will help us out a lot! A STAR for each!
 