NIS password change forcing
| Patrick Szuta 2004-05-26, 4:33 pm |
| Is it possible to implement password expiration with NIS?
Or does anyone have some other suggestions for forcing the users
to change passwords.
Thanks.
| |
| phn@icke-reklam.ipsec.nu 2004-05-26, 4:33 pm |
| Patrick Szuta <pat@u00.math.uiuc.edu> wrote:
> Is it possible to implement password expiration with NIS?
No
> Or does anyone have some other suggestions for forcing the users
> to change passwords.
> Thanks.
Start with asking yourself if password aging enhances your security
( as opposed to good passwords and good procedures)
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
| |
| Michael Vilain 2004-05-26, 4:33 pm |
| In article <c92bdo$17i5$4@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
wrote:
> Patrick Szuta <pat@u00.math.uiuc.edu> wrote:
> No
>
> Start with asking yourself if password aging enhances your security
> ( as opposed to good passwords and good procedures)
Last time I checked (it's been a while--Solaris 2.6--has it changed?),
password aging and expiration were not implemented on NIS.
To get this, you'll need to 'roll your own' solution by keeping the
expiration date in separate database and periodically scanning the NIS
password map. When an expired password is found, change the user's
shell to a script which forces a password change on next login.
So, the short answer to your question is "no".
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
phn@icke-reklam.ipsec.nu wrote:
> Patrick Szuta <pat@u00.math.uiuc.edu> wrote:
>
>
> No
>
>
>
> Start with asking yourself if password aging enhances your security
> ( as opposed to good passwords and good procedures)
>
When someone asks this question it usually has little to do with whether
the users have good passwords or not. In my case it is a corporate
directive that had to be implemented. We use the field in the "shadow"
file that stores the date of the last password change. A PERL script run
from cron checks all the NIS entries every morning. 10 days before the
password is to expire, notices are sent. If the password is not changed
in time, the user's shell is removed. The script has also been expanded
to disable expired accounts that are older than 180 days.
The entry in the password file is the number of days since January 1,
1970 so it does take a little math to figure things out. We have been
using this method for years and it works great.
--
Martin E. Meserve
k7mem@myrealbox.com
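
The daily check described in the post above, written out as an added example (this is not the poster's Perl script). It classifies shadow-format entries by the last-change field; the 90-day maximum age, the function names and the sample entries are assumptions, and the 180-day limit is read here as password age.

```python
from datetime import date

MAX_AGE_DAYS = 90       # assumption: site policy value, not given in the thread
WARN_DAYS = 10          # thread: notices go out 10 days before expiry
DISABLE_AGE_DAYS = 180  # thread: 180 days, read here as password age

def days_since_epoch(day):
    """Convert a date to the unit used by the shadow last-change field."""
    return (day - date(1970, 1, 1)).days

def classify(line, today_days):
    """Return (user, state, days_left) for one shadow-format line."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        return None                      # malformed line, skip it
    user, pwhash, lastchg = fields[:3]
    if pwhash.startswith(("!", "*")):
        return (user, "locked", None)    # no usable password, nothing to age
    if not lastchg.isdigit():
        return (user, "unknown", None)   # no last-change date recorded
    if int(lastchg) == 0:
        return (user, "expired", None)   # 0 conventionally forces a change
    age = today_days - int(lastchg)
    if age < 0:
        return (user, "unknown", None)   # last change lies in the future
    days_left = MAX_AGE_DAYS - age
    if age > DISABLE_AGE_DAYS:
        state = "disable"                # candidate for disabling the account
    elif days_left < 0:
        state = "expired"                # candidate for removing the shell
    elif days_left <= WARN_DAYS:
        state = "warn"                   # candidate for a reminder mail
    else:
        state = "ok"
    return (user, state, days_left)

def scan(lines, today_days):
    """Map each user to a state, skipping blank, comment and malformed lines."""
    rows = (classify(l, today_days) for l in lines
            if l.strip() and not l.startswith("#"))
    return {r[0]: r[1] for r in rows if r}

# Constructed sample entries (not real accounts); "today" is 2004-05-26.
TODAY = days_since_epoch(date(2004, 5, 26))
SAMPLE = [f"alice:$1$x$constructed:{TODAY - 20}:::::",
          f"bob:$1$x$constructed:{TODAY - 85}:::::",
          f"carol:$1$x$constructed:{TODAY - 100}:::::",
          f"dave:$1$x$constructed:{TODAY - 200}:::::",
          f"eve:*:{TODAY - 300}:::::",
          "frank:$1$x$constructed::::::"]
```

The script only reports states; sending notices and changing the shell in the NIS map are left to whatever tooling the site already uses.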