HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
security(4) security(4)
TrustedMigration product is installed. This attribute is supported for local users and for
NIS and LDAP remote users. The system-wide default defined here may be overridden by
defining a per-user value in /var/adm/userdb (described in userdb(4)). This feature
requires that the pam_hpsec module is configured in /etc/pam.conf. See pam_hpsec(5).
DISPLAY_LAST_LOGIN=0
Information is not displayed.
DISPLAY_LAST_LOGIN=1
Information is displayed.
Default value: DISPLAY_LAST_LOGIN=1
INACTIVITY_MAXDAYS
This attribute controls whether an account is expired if there have been no logins to the
account for a specified time interval. It does not apply to trusted systems, and it applies to
standard systems only if the TrustedMigration product is installed. This attribute is
supported only for non-root users managed by pam_unix (described in pam_unix(5)); this
typically includes local and NIS users. For local users on a shadow password system, the
system-wide default defined here in /etc/default/security may be overridden by
defining a per-user value in the inactivity field of /etc/shadow with either one of
these commands:
useradd -f inactive_maxdays
usermod -f inactive_maxdays
When an account has been locked due to this feature, root can unlock the account by su'ing
to the account or by this command:
userdbset -d -u username login_time
INACTIVITY_MAXDAYS=0
Inactive accounts are not expired.
INACTIVITY_MAXDAYS=N
Inactive accounts are expired if there have been no logins
to the account for at least N days. N can be any positive integer.
Default value: INACTIVITY_MAXDAYS=0
LOGIN_TIMES
This attribute restricts logins to specific time periods. Login time restrictions are based on
the system's time zone. See the discussion of time zones in the Notes section. This
attribute does not apply to trusted systems, and it applies to standard systems only if the
TrustedMigration product is installed. This attribute is supported for local users and for
NIS and LDAP remote users. The system-wide default defined here may be overridden by
defining a per-user value in /var/adm/userdb (described in userdb(4)). This feature
requires that the pam_hpsec module is configured in /etc/pam.conf. See pam_hpsec(5).
LOGIN_TIMES=timeperiod
An account is locked if the current time is not within the
specified time period. The timeperiod consists of any number of day and time ranges
separated by colons. A user is allowed to access the system when the login time is within
any of the specified ranges. The days are specified by the following abbreviations:
Su Mo Tu We Th Fr Sa Wk Any
Where Wk is all week days and Any is any day of the week.
A time range can be included after the day specification. A time range is a 24-hour time
period, specified as hours and minutes separated by a hyphen. Each time must be specified
with 4 digits (HHMM-HHMM). Leading zeros are required. This time range indicates the
start and end time for the specified days. The start time must be less than the end time.
When no time range is specified, all times within the day(s) are valid.
If the current time is within the range of any of the time ranges specified for a user, the
user is allowed to access the system.
Do not use 0000-0000 as a time range to prevent user access. For example,
Any:Fr0000-0000 cannot be used to disallow access on Fridays. Instead,
SuMoTuWeThSa should be used. See the EXAMPLES section.
Default value: LOGIN_TIMES=Any
Can login any day of the week.
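The following Python sketch is an added example, not part of the HP-UX manual or of pam_hpsec. It checks a LOGIN_TIMES value against the rules stated above and shows why Any:Fr0000-0000 does not keep Friday logins out. The function names, the inclusive-start/exclusive-end boundary, and the skipping of invalid entries are assumptions.

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]   # datetime.weekday() order
GROUPS = {"Wk": DAYS[:5], "Any": DAYS}
TOKEN = "Su|Mo|Tu|We|Th|Fr|Sa|Wk|Any"
ENTRY = re.compile(rf"^((?:{TOKEN})+)(?:(\d{{4}})-(\d{{4}}))?$")

def parse_timeperiod(value):
    """Return (rules, problems); each rule is (days, start_hhmm, end_hhmm)."""
    rules, problems = [], []
    for entry in value.split(":"):
        m = ENTRY.match(entry)
        if not m:
            problems.append(f"{entry}: expected days[HHMM-HHMM]")
            continue
        days = set()
        for tok in re.findall(TOKEN, m.group(1)):
            days.update(GROUPS.get(tok, [tok]))
        if m.group(2) is None:              # no time range: whole day is valid
            rules.append((days, 0, 2400))
            continue
        start, end = int(m.group(2)), int(m.group(3))
        if start >= end:                    # manual: start must be less than end
            problems.append(f"{entry}: start time must be less than end time")
            continue                        # assumption: invalid entries are skipped
        rules.append((days, start, end))
    return rules, problems

def login_allowed(value, when):
    """True if `when` falls inside any valid range (ranges are OR-ed together)."""
    rules, _ = parse_timeperiod(value)
    day, hhmm = DAYS[when.weekday()], when.hour * 100 + when.minute
    # Assumption: start is inclusive and end is exclusive.
    return any(day in d and s <= hhmm < e for d, s, e in rules)

if __name__ == "__main__":
    friday = datetime(2007, 12, 7, 10, 30)  # constructed sample timestamp (a Friday)
    for value in ("Any:Fr0000-0000", "SuMoTuWeThSa", "Wk0900-1700:Sa"):
        _, problems = parse_timeperiod(value)
        print(value, "-> Friday 10:30 allowed:", login_allowed(value, friday), problems)
```

Running such a check over /etc/default/security and any per-user overrides before deployment catches entries that would silently leave a day open.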
348 Hewlett-Packard Company − 3 − HP-UX 11i Version 2: December 2007 Update