security.4 (2010 09)

security(4) security(4)
using the system’s time zone. See the discussion of time zones in the Notes section.
This attribute does not apply to trusted systems. This attribute is supported for
users in all name server switch repositories, such as local, NIS and LDAP. This
attribute is enforced in the pam_hpsec service module, and requires that the
pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The
system-wide default defined here may be overridden by defining a per-user value in
/var/adm/userdb (described in userdb(4)).

DISPLAY_LAST_LOGIN=0    Information is not displayed.
DISPLAY_LAST_LOGIN=1    Information is displayed.

Default value: DISPLAY_LAST_LOGIN=1

INACTIVITY_MAXDAYS
This attribute controls whether an account is locked if there have been no logins to
the account for a specified time interval. It does not apply to trusted systems. This
attribute is supported only for non-root users managed by pam_unix (described in
pam_unix(5)); this typically includes local and NIS users. In most cases this
attribute can be enforced only as a system-wide default. However, for local users on
a shadow password system, the system-wide default defined here in
/etc/default/security may be overridden by defining a per-user value in the
inactivity field of /etc/shadow with either one of these commands:

useradd -f inactive_maxdays
usermod -f inactive_maxdays

When an account has been locked due to this feature, root can unlock the account
with this command:

userdbset -d -u username login_time

INACTIVITY_MAXDAYS=0    Inactive accounts are not expired.
INACTIVITY_MAXDAYS=N    Inactive accounts are expired if there have been no
                        logins to the account for at least N days. N can be
                        any positive integer.

Default value: INACTIVITY_MAXDAYS=0

LOGIN_TIMES
This attribute restricts logins to specific time periods. Login time restrictions are
based on the system’s time zone. See the discussion of time zones in the Notes
section. This attribute does not apply to trusted systems. This attribute is supported
for users in all name server switch repositories, such as local, NIS and LDAP. This
attribute is enforced in the pam_hpsec service module, and requires that the
pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other
PAM service modules in your configuration may enforce additional restrictions. The
system-wide default defined here may be overridden by defining a per-user value in
/var/adm/userdb (described in userdb(4)).

LOGIN_TIMES=timeperiod
An account is locked if the current time is not within the specified time period.
The timeperiod consists of any number of day and time ranges separated by colons.
A user is allowed to access the system when the login time is within any of the
specified ranges. The days are specified by the following abbreviations:

Su Mo Tu We Th Fr Sa Wk Any

Where Wk is all week days and Any is any day of the week.

A time range can be included after the day specification. A time range is a 24-hour
time period, specified as hours and minutes separated by a hyphen. Each time
must be specified with 4 digits (HHMM-HHMM). Leading zeros are required. This
time range indicates the start and end time for the specified days. The start time
must be less than the end time. When no time range is specified, all times within
the day(s) are valid.

If the current time is within the range of any of the time ranges specified for a user,
the user is allowed to access the system.
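
A validator for the timeperiod syntax described above, useful for checking a value before it is written to /etc/default/security. This is an added example, not HP's code and not part of the manual page. It assumes each colon-separated entry is one or more day abbreviations directly followed by an optional HHMM-HHMM range, that Wk means Monday through Friday, and that both ends of a range are inclusive; the names parse_timeperiod and login_allowed are hypothetical.

```python
import re
from datetime import datetime

# Day abbreviations from the page; values are datetime.weekday() numbers (Monday=0).
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4},       # assumption: "week days" means Monday-Friday
        "Any": set(range(7))}
# Assumed entry layout: day abbreviation(s) directly followed by an optional HHMM-HHMM.
ENTRY = re.compile(r"((?:Su|Mo|Tu|We|Th|Fr|Sa|Wk|Any)+)(?:(\d{4})-(\d{4}))?")

def _minutes(hhmm):
    """Convert a 4-digit HHMM string to minutes since midnight."""
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or mins > 59:
        raise ValueError(f"invalid time {hhmm!r}")
    return hours * 60 + mins

def parse_timeperiod(value):
    """Return [(weekdays, start_minute, end_minute), ...] or raise ValueError."""
    rules = []
    for entry in value.split(":"):
        m = ENTRY.fullmatch(entry)
        if not m:
            raise ValueError(f"malformed entry {entry!r}")
        days = set()
        for abbr in re.findall(r"Any|[A-Z][a-z]", m.group(1)):
            days |= DAYS[abbr]
        start, end = 0, 23 * 60 + 59          # no time range: the whole day is valid
        if m.group(2):
            start, end = _minutes(m.group(2)), _minutes(m.group(3))
            if start >= end:                  # start time must be less than end time
                raise ValueError(f"start not before end in {entry!r}")
        rules.append((days, start, end))
    return rules

def login_allowed(value, when):
    """True if `when` (naive datetime in the system's time zone) is in any range.
    Assumption: both the start and the end minute count as inside the range."""
    now = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= now <= end
               for days, start, end in parse_timeperiod(value))

if __name__ == "__main__":
    sample = "Wk0900-1700:Sa"                 # constructed sample value
    for ts in (datetime(2010, 9, 6, 10, 30), datetime(2010, 9, 5, 12, 0)):
        print(ts.strftime("%a %H:%M"), login_allowed(sample, ts))
```
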
HP-UX 11i Version 3: September 2010 3 Hewlett-Packard Company 3