Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Managing Trusted Passwords and System Access
Chapter 8 807
Expiration time. A time after which a user must change that password at login.
Warning time. The time before expiration when a warning will be issued.
Lifetime. The time at which the account associated with the password is locked if the password is not changed. Once an account is locked, only the system administrator can unlock it. Once unlocked, the password must still be changed before the user can log into the account.

The expiration time and lifetime values are reset when a password is changed. A lifetime of zero specifies no password aging; in this case, the other password aging times have no effect.
Password History and Password Reuse
On Trusted Systems, the system administrator can enable the password history feature on a system-wide basis to discourage users from reusing from one to ten previous passwords.
You enable password history by defining the following parameter as a line in the file /etc/default/security:

PASSWORD_HISTORY_DEPTH=n

where n is an integer from 1 to 10, specifying the number of previous passwords to check. If n is less than 1, or the entry is missing, it defaults to 1; if n is greater than 10, it defaults to 10.
When a user changes his/her password, the new password is checked against the previous n passwords, starting with the current password. If any match, the new password is rejected. An n of 2 prevents users from alternating between two passwords.
See passwd (1) and security (4) for further details.
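The defaulting rules for PASSWORD_HISTORY_DEPTH and the reuse check described above, as an added Python example (not HP-UX code): the file contents are constructed, and the salted SHA-256 stand-in for the stored password hash is an assumption, not the hash HP-UX actually uses.

```python
import hashlib
import hmac
import os

# Constructed sample of /etc/default/security, not a real system file.
SAMPLE_SECURITY_FILE = """\
# constructed sample
PASSWORD_HISTORY_DEPTH=3
"""


def history_depth(security_text):
    """Apply the documented rules: missing or n < 1 -> 1, n > 10 -> 10, else n.
    A non-integer value is treated like a missing entry (assumption)."""
    depth = None
    for line in security_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "PASSWORD_HISTORY_DEPTH":
            try:
                depth = int(value.strip())
            except ValueError:
                depth = None
    if depth is None or depth < 1:
        return 1
    return min(depth, 10)


def hash_password(password, salt):
    # Stand-in hash for illustration; the real system uses its own scheme.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(password):
    """Build a (salt, digest) history entry for a password."""
    salt = os.urandom(8)
    return (salt, hash_password(password, salt))


def reuse_rejected(new_password, history, depth):
    """history: (salt, digest) entries, current password first.
    True if new_password matches any of the last `depth` entries."""
    for salt, digest in history[:depth]:
        candidate = hash_password(new_password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False
```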
Time-Based Access Control
On Trusted Systems, the system administrator may specify times-of-day and days-of-week that are allowed for login for each user. When a user attempts to log in outside the allowed access time, the event is logged (if auditing is enabled for login failures and successes) and the login is terminated. A superuser can log in outside the allowed access time, but