Re: Password Mgmt

From: Darren Moffat (Darren.Moffat@Sun.COM)
Date: 06/10/02

Date: Mon, 10 Jun 2002 11:01:12 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@Sun.COM>

>What is the best way to expire passwords on Solaris?
>Have tried editing shadow and using passmgmt unsuccesfully.
>Non NIS environment. Solaris 8.

Attached is a document that desribes what each of the fields in shadow(4)
provide in terms of policy.

passwd(1) is the recommended admin interface to make these changes.

Darren J Moffat

SYNOPSIS: Description of "Password Aging"

There are 3 policies implemented by the shadow file (and/or NIS+).

The format of /etc/shadow is:

When using NIS+ the shadow field in passwd.org_dir holds:


Each of the following policies is implemented using the fields in ()

Policy 1: Password Aging (lastchg, min, max, warn}
This determines when the time periods for which the users password is
active. This is set by using the min/max and warn fields. The
lastchg field refers to the date the user last updated their password.
The warn field is the number of days of warning the user gets on login
before the password actually expires -- note that the warn field and
the expire field perform very distinct functions that are in no way related.

Policy 2: Login Activity (inactive)

This determines the maximum time period a user is allowed between logins.

The intention here is for when a user is away for a long period. For
example, a user goes on holiday for 2 months and does not log in to their
system. The account should be disabled after a week so that it can not
be used while they are out of the office. Set inactivity to 7 days.

This is on a per machine basis and the information about the lastlogin
is taken from the machine's lastlog file.

Policy 3: Account Validity (expire)

The absolute date at which an account expires. There is no warning
given to the user about this.

The intention for this is for contractor/guest/temporary accounts.


The three policies are distinct and any combinatation of them can be used.

It would be nice if Policy 2 (Login Activity) could be held as a network
wide database, ideally there would be a line in /etc/nsswitch.conf so
that the administrator could define the mix of network/host.

We do not currently implement this in the standard OS, See RFE 4014885
for further details. Solstice Security Manager does have this feature
(but does not do it via NIS/NIS+, instead uses a private DB).

Technically, it is possible to implement this using PAM in Solaris
2.6 onwards, to do this you would write a PAM module that implements:

  pam_sm_open_session() for writing the network lastlog and
  pam_sm_acct_mgmt() for checking the network lastlog

Setup and Default values

The passwd(1) command can be used to set each of the fields for an already
existing user. AdminSuite usrmgr and admintool(1M) prompt for the fields
when creating a new user.

Default values for Min, Max, Warn can be set by giving values to the
variables MINWEEKS, MAXWEEKS, WARNWEEKS in /etc/default/passwd. Note
that setting the default values does NOT enable password aging for
all accounts on the system. The values in /etc/default/passwd are only
used to update the fields in /etc/shadow or the passwd.org_dir table when
a user changes their password (or a priviledge user changes it for them) and
there are no existing values for those fields.

If /usr/bin/admintool is used to create a user and set their intial password,
the values from /etc/default/passwd are NOT used. The admin should setup
the required values in the fields of the admintool(1M) form at the time of
creating the user.

To enable any of the password aging policies on a system wide basis
either use the passwd(1) command with approriate flags to set the fields
for each user or setup defaults in the /etc/default/passwd file and then
expire the passwords of all users on the system by using:

  # passwd -f <login_name>

for each account.

Relevant Pages

  • Re: Password expires for no apparent reason
    ... Sorry to be vague Harj. ... But - I want the passwords to never expire. ... policy that has set the values to what you see below meaning that users ... As Harj said Account lockouts could potentially be a problem as perhaps ...
  • Re: Security Alert: Windows 2000 Expired Password Vulnerability
    ... I have never seen a password expire for a windows user account where there ... You might check your policy again. ... I am not familiar with Norton vpn client but with the built in W2K/XP Pro ...
  • Re: PwdLastSet
    ... If an account isn't expiring it is one of a few things ... The account is personally configured not to expire ... policy as the rest of the domain because something is broken. ... Joe Richards Microsoft MVP Windows Server Directory Services ...
  • Re: net User command
    ... which don't expire ... ... > The password expiry date is not a property of each account; ... > it is set by the system, according to the policy currently in force. ... >>> Jerold Schulman ...
  • Re: Solaris NIS+ and Password Aging
    ... >Trying to assist someone with activating password aging. ... They have indicated that the NIS+ password ... Note that Account Expiry is on a per host basis, ... the expire field perform very distinct functions that are in no way related. ...