SUMMARY: Password aging?

From: Dave Zarnoch (davez@mtb.phil.mop.com)
Date: Tue Apr 02 1996 - 09:01:56 CST


Folks,

First my original post......

*********************************************************************

Folks,

I am looking for a product that will allow me to do password aging
on a SunOS 4.1.3_U1 master server serving various 4.1.3_U1 and 4.1.4
clients.

Does anyone know if such a product exists?

*********************************************************************

I have downloaded npasswd and passwd+ but neither will do password
aging on SunOS 4.1.x and NIS.

We have decided to use some cron jobs to check a database for
dates on individual's passwords and to notify them when they
have exceeded a certain time limit. After an additional time
period, if the user has not changed their password, the system
would change the password for them and alert them that the
password has changed and to contact a systems administrator.
We are still discussing the logic of this configuration and
are writing some preliminary scripts.

Thanks to all who responded.....

Veselin Terzic <terzic@mda.ca>
Nico Garcia <raoul@mit.edu>
Gary Lee <rgl@xdiv.lanl.gov>
Greg Coleman <greg@crusoe.net>
Cheng Xu <chengx@cninfo.co.cn>
Tim Brown <tmb@myxa.com>
Lee Ann Goldstein <lgoldste@ladc.lockheed.com>
Parks Fields <parks@xdiv.lanl.gov>
Clyde Hoover <clyde@motown.cc.utexas.edu>

Now for some answers.....

From: Gary Lee <rgl@xdiv.lanl.gov>

I have been unable to find one that works with NIS.
I am currently planning on writing a script that will
handle aging by nightly sending email to those whose
passwords are about to expire and, if necessary, expiring
passwords of those who do not change their password. We
consider this method to be better than at login time,
because we have a number of pop mail users who never use
the login process to access the machines.

From: Veselin Terzic <terzic@mda.ca>

if you have a www link try: http://uts.cc.utexas.edu/~clyde/npasswd-20.htm
Description

This is the draft FAQ for version 2.0 of npasswd.

Common questions and answers

1. When is npasswd 2.0 going to be ready?

I've missed several release dates :-( due to the load of my regular duties.
Right now I have a code base that I'm pretty happy with, but there is much
"infill" and port verification work needed. There is a group of folks
helping me with this.

Since this is the Christmas holiday season and therefore not so much gets
done, I suspect that the earliest availability is in a January 1996
timeframe, but I've said that before :-(

2. What features does version 2 have?

      Support for enhanced security for Ultrix 4 and DEC OSF/1.
      Support for System 5 style shadow passwords (AIX, Solaris 2).
      Support for SunOS C2 security (adjunct passwords & secret RPC keys).
      Use of Crack for password checking.
      Implements the chfn and chsh commands.
      Greater extensibility and portability (ANSI C and POSIX compliance).

3. Can I get version 2 now?

A new round of development is under way, both by myself and some others across
the net. I'm not releasing any more beta copies right now, but watch this space.

4. Does it run on my system?

Right now, 2.0 runs on:

      Solaris 2/SunOS 5 (local password changes only).
      Ultrix 4 and DEC OSF/1.
      SunOS 4.1.X.

If your system isn't here it's because I don't have one of them to develop it
on.

Clyde Hoover / clyde@uts.cc.utexas.edu

From: Nico Garcia <raoul@mit.edu>

Kerberos; check out data at ftp.cygnus.com.

From: Greg Coleman (G-tech Corp.) <greg@crusoe.net>

Hi Dave,
        I posted the same question about 1.5 months ago. The
bottom line was no, does not work under SunOS 4.x. There were
some shareware products mentioned but the amount of work involved
was enormous. My site has in excess of 3000 nodes (ws + srvrs) and
thousands of users all under NIS. The three options I am faced
with are:
1) as you mentioned, upgrade the NIS servers to Solaris.
   possible problem: I would have to run it in NIS compatibility
   mode and I am not sure if this mode supports aging.
   Plus, a lot of work, I have 1 NIS srvr per subnet, totalling
   34.
2) have some homegrown script check a dot file in the user's home
   which contains the date of the last change.
   problem: easily circumvented by the user.
3) I would like to just create another NIS map which contains
   the pertinent info. This is easy to do but under SunOS, there
   is no system cshrc/profile etc. So I can not assure this script
   will be executed by all. (see problem #2)
If I come up with something I'll pass it along.

From: Gary Lee <rgl@xdiv.lanl.gov>

There are two approaches to password aging.

1. Notify the user when they logon that their password will expire soon
   and eventually require that they change their password before they
   can proceed. A. Do this as part of the login program or B. do this
   as part of a .login.

2. Periodically run a program that looks at the password file and perhaps
   an associated aging file and notify the user via email that his password
   is approaching expiration and eventually disable the account.

1A. requires massive changes in a fairly large network. Software is
commercially available to do this. It is expensive. 1B. is easily defeated.

2 requires no changes to OS software. We are implementing 2 by writing some
software to do it. We maintain a separate file of aging info and update
that when the user changes his password. Nightly we will look at the aging info
and send email to those whose password is approaching expiration. Eventually
we will disable the account using the same program.

We are using passwd+ to validate passwords as the user changes them. Passwd+
(ftp nob.cs.ucdavis.edu:/pub/sec-tools) has an aging feature, but to my
knowledge has never been implemented on SunOS.

Gary Lee
Los Alamos National Laboratory
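As an added example (not from any of the posts above, and not Dave Zarnoch's or Gary Lee's actual scripts), here is a POSIX sh sketch of the nightly check that both Dave's summary and Gary's "approach 2" describe: a cron job reads a separate aging file, mails users whose passwords are nearing expiry, and flags accounts past a grace period for disabling. The aging-file format (user, tab, days since the epoch of the last change), the 90/14/7-day thresholds and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. A cron job reads an aging
# file maintained by a passwd wrapper (assumed format: user<TAB>days
# since epoch of last change) and decides per user: nothing, warn,
# demand a change, or disable. Thresholds and names are assumptions.

MAX_AGE=90      # password lifetime in days
WARN_DAYS=14    # start warning this many days before the lifetime ends
GRACE_DAYS=7    # days past expiry before the account is disabled

# "Now" in whole days since the epoch (GNU/BSD date +%s); whole days avoid
# the year wrap-around that the Julian-day (%j) scripts must special-case.
today_days() { echo $(( $(date +%s) / 86400 )); }

# age_state LAST_CHANGE_DAY TODAY -> ok | warn | expired | disable
age_state() {
    age=$(( $2 - $1 ))
    if   [ "$age" -ge $(( MAX_AGE + GRACE_DAYS )) ]; then echo disable
    elif [ "$age" -ge "$MAX_AGE" ];                 then echo expired
    elif [ "$age" -ge $(( MAX_AGE - WARN_DAYS )) ]; then echo warn
    else echo ok
    fi
}

# message USER LAST_CHANGE_DAY TODAY -> notice to mail the user, or nothing
message() {
    left=$(( MAX_AGE - ($3 - $2) ))
    case $(age_state "$2" "$3") in
        warn)    echo "$1: password expires in $left day(s); run passwd" ;;
        expired) echo "$1: password expired $(( 0 - left )) day(s) ago; run passwd now" ;;
        disable) echo "$1: account disabled; contact a systems administrator" ;;
    esac
}

# run_check AGING_FILE TODAY -> "user state" per record. A real cron job would
# pipe each message to mail(1) and, on "disable", lock the account in the NIS
# master's passwd source and run (cd /var/yp; make) to push the change out.
run_check() {
    while IFS="$(printf '\t')" read -r user last; do
        [ -n "$user" ] || continue
        echo "$user $(age_state "$last" "$2")"
    done < "$1"
}

# Dry run over a constructed aging file, with "today" fixed at day 10000.
demo() {
    f=$(mktemp) || return 1
    printf 'alice\t9990\nbob\t9920\ncarol\t9905\ndave\t9890\n' > "$f"
    run_check "$f" 10000
    rm -f "$f"
}
```

Call `demo` to see the four states on the constructed records; in production, `run_check aging.db "$(today_days)"` would be the nightly cron entry.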

From: Tim Brown <tmb@myxa.com>

Dave,
 The only way to get password aging that I am familiar with is
 to use NIS+ under Solaris 2.4 (with patches) or Solaris 2.5.

 I seem to recall a product that Sun marketed for a while as
 an unbundled product (ARM I think) but I am not sure of its
 status or whether it does password aging.

 Another product which might help is CA-Unicenter but that
 is a big and intrusive product and would affect how you
 administer your entire environment. It is also very expensive.
 
 NIS+ is possibly your best bet.

From: Lee Ann Goldstein <lgoldste@ladc.lockheed.com>

Please note that the following is not a perfect solution, but it works.
It does have a number of security holes, but for a variety of reasons I
don't have to worry about them.

Following are the 3 scripts I use
to force password aging while running NIS. There are 3 scripts (one for
regular users, and two for root users) because of one of the oddities
of NIS: while regular users can change their password from any workstation
in the NIS domain, the root user's password can only be changed from the
NIS master workstation. Also, passwords changed on the NIS master don't
actually change in the NIS database, only in /etc/passwd, so the script
for changing the root user's password on the NIS master runs
(cd /var/yp;make). You actually have the same problem with a regular user,
but only root can run the yp make, so we just let it slide, since regular
users rarely login at the console of our NIS master.

All of our users and the root user use the C shell, so I put the line

source <filename of appropriate script>

into everyone's .login file.

The other thing you need is a directory to keep all the Julian date files
in that can be accessed from everywhere on your network. I use /home/dates.
If the directory isn't mounted on a particular workstation, the worst
that will happen is that a regular user will wind up changing their
password, and a root user will wind up remotely logged in to the NIS master,
which can look a little confusing.

I hope all this helps you.

Regards,

Lee Ann Goldstein

#! /bin/csh -f
#
# check_pw - this is the script for regular users
#
# Script to force a password change every 90 days
# Created by Lee Ann Goldstein, 7/23/91
#
#
# if the /home/dates/$user file does not exist
#
if (! -e /home/dates/$user) then
  #
  # This is a first login
  # force user to set a password
  #
  passwd
  while ($status)
    passwd
  end
  #
  # Save the Julian date
  #
  date +%j >>! /home/dates/$user
else
  #
  # This is an established user
  # Get the "last password change" and today's Julian dates
  #
  set last_change = `cat /home/dates/$user`
  set todays_jdate = `date +%j`
  #
  # If today's date is less than the "last password change"
  # date, we've wrapped around to the next year
  #
  if ($todays_jdate < $last_change) then
    #
    # So we change passwords after 89 days after a
    # leap year. So what?
    #
    @ todays_jdate = $todays_jdate + 365
  endif
  #
  # Get the days since the last password change
  #
  @ days_since_change = $todays_jdate - $last_change
  #
  # If it's been at least 90 days...
  #
  if ($days_since_change >= 90) then
    #
    # Force user to set a password
    #
    passwd
    while ($status)
      passwd
    end
    #
    # Save the Julian date
    #
    date +%j >! /home/dates/$user
  endif
endif

# check_root_pw
#
# Script to force the superuser to change passwords every 90 days
# Created by Lee Ann Goldstein, 7/26/91
#
# If the /home/dates/root file does not exist
#
if (! -e /home/dates/root) then
  #
  # This is a first login
  # Force user to set a password
  #
  passwd root
  while ($status)
    passwd root
  end
  (cd /var/yp; make) # this gets the new pw out over the network
  #
  # Save the Julian date
  #
  date +%j >>! /home/dates/root
  #
  # Return to the client, if we came from one
  #
  echo -n "Was this a remote login from a client? (y/n): "
  if ("$<" == "y") then
    echo "Logging out from `hostname`"
    logout
  endif
else
  #
  # This is an established user
  # Get the "last password change" and today's Julian dates
  #
  set last_change = `cat /home/dates/root`
  set todays_jdate = `date +%j`
  #
  # If today's date is less than the "last password change"
  # date, we've wrapped around to the next year
  #
  if ($todays_jdate < $last_change) then
    #
    # So we change passwords after 89 days after a
    # leap year. So what?
    #
    @ todays_jdate = $todays_jdate + 365
  endif
  #
  # Get the days since the last password change
  #
  @ days_since_change = $todays_jdate - $last_change
  #
  # If it's been at least 90 days...
  #
  if ($days_since_change >= 90) then
    #
    # Force user to set a password
    #
    passwd root
    while ($status)
      passwd root
    end
    (cd /var/yp; make) # this gets the new pw out over the network
    #
    # Save the Julian date
    #
    date +%j >! /home/dates/root
    #
    # Return to the client, if we came from one
    #
    echo -n "Was this a remote login from a client? (y/n): "
    if ("$<" == "y") then
      echo "Logging out from `hostname`"
      logout
    endif
  endif
endif

# check_client_root_pw
#
# !!! Be sure to change the string <NIS master hostname> to
# !!! the name of your NIS master every place it appears!
#
# Script to force a client superuser to log in to the server to
# change passwords every 90 days
# Created by Lee Ann Goldstein, 7/26/91
#
# If we're not logged in to the server, do a remote login
# (we can't change the password over the network)
#
#
# if the /home/dates/root file does not exist
#
if (! -e /home/dates/root) then
  #
  # This is a first login
  # Force a login to the NIS master
  #
  echo "The superuser password has expired"
  echo "Logging in to NIS master to set password"
  rlogin <NIS master hostname>
else
  #
  # This is an established user
  # Get the "last password change" and today's Julian dates
  #
  set last_change = `cat /home/dates/root`
  set todays_jdate = `date +%j`
  #
  # If today's date is less than the "last password change"
  # date, we've wrapped around to the next year
  #
  if ($todays_jdate < $last_change) then
    #
    # So we change passwords after 89 days after a
    # leap year. So what?
    #
    @ todays_jdate = $todays_jdate + 365
  endif
  #
  # Get the days since the last password change
  #
  @ days_since_change = $todays_jdate - $last_change
  #
  # If it's been at least 90 days...
  #
  if ($days_since_change >= 90) then
    #
    # The superuser password has expired
    # Force a login to NIS master
    #
    echo "The superuser password has expired"
    echo "Logging in to NIS master to set password"
    rlogin <NIS master hostname>
  endif
endif

Thanks again to all!!!

davez

****************************************************
Dave Zarnoch Email davez@mop.com
Systems Administration Voice (610)995-1400
BNP/Cooper Neff FAX (610)995-1451
3 Radnor Corporate Center
Suite 130
Radnor, PA 19087
****************************************************



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:56 CDT