Establishing a Warning Period
The warn argument to the passwd command specifies the number of days before a password reaches its age limit that users will start to seeing a Your password will expire in N days message (where N is the number of days) when they log in.
For example, if a user's password has a maximum life of 30 days (set with the -max argument) and the warn value is set to 7 days, when the user logs in on the 24th day (one day past the warn value) the warning message Your password will expire in 7 days is displayed. When the user logs in on the 25th day the warning message Your password will expire in 6 days is displayed.
Keep in mind that the warning message is not sent by Email or displayed in a user's console window. It is displayed only when the user logs in. If the user does not log in during this period, no warning message is given.
Keep in mind that the warn value is relative to the max value. In other words, it is figured backwards from the deadline set by the max value. Thus, if the warn value is set to 14 days, the Your password will expire in N days message will begin to be displayed two weeks before the password reaches its age limit and must be changed.
Because the warn value is figured relative to the max value, it only works if a max value is in place. If there is no max value, warn values are meaningless and are ignored by the system.
The warn argument uses the following format:
passwd -x max -w warn username |
Where:
username is the login ID of the user.
max is the maximum number of days a password is valid as described on "Setting a Password Age Limit".
warn is the number of days before the password reaches its age limit that the warning message will begin to be displayed.
For example, to force the user nilovna to change passwords every 45 days, and display a warning message 5 days before the password reaches its age limit you would type the command:
station1% passwd -x 45 -w 5 nilovna |
The following rules apply to the warn argument:
You do not have to use the warn argument or specify a warning message. If no warn value is set, no warning message is displayed prior to a password reaching its age limit.
If you do use the warn argument, it must always be used in conjunction with the max argument. In other words, in order to set a warning value you must also set a maximum value.
Note - You can also use Solstice AdminSuite™ to set a warn value for a user's password.
Turning Off Password Aging
There are two ways to turn off password aging for a given user:
Turn off aging while allowing user to retain current password
passwd -x -1 username |
Force user to change password at next login, and then turn off aging
passwd -x 0 username |
This sets the max value to either zero or -1 (see "Setting a Password Age Limit" for more information on this value).
For example, to force the user mendez to change passwords the next time he logs in and then turn off password aging you would type the command:
station% passwd -x 0 mendez |
Note - You can also use Solstice AdminSuite™ to set this parameter for a user's password.
You can also use the nistbladm command to set this value. For example, to turn off password aging for the user otsu and allow her to continue using her current password, you would type:
station1% nistbladm -m `shadow=0:0:-1:0:0:0:0' [name=otsu],passwd.org_dir |
For additional information on using the nistbladm command, see "The nistbladm Command".
Password Privilege Expiration
You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.
For example, if you specify an expire date of December 31, 1997, for a user named pete, on January 1, 1998 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.
Password Aging Versus Expiration
Expiration of a user's password privilege is not the same as password aging.
Password aging. A password that has not been changed for longer than the aging time limit is sometimes referred to as an expired password. But that password can still be used to log in one more time. As part of that last login process the user is forced to choose a new password.
Expiration of password privilege. When a user's password privilege expires, the user cannot log in at all with any password. In other words, it is the user's permission to log in to the network that has expired.
Setting an Expiration Date
Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.
Note - If you have Solstice AdminSuite™ tools available, do not use nistbladm to set an expiration date. Use Solstice AdminSuite™ tools because they are easier to use and provide less chance for error.
To set an expiration date with the nistbladm command:
nistbladm -m `shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir |
Where:
login is the user's login ID
n indicates the values in the other fields of the shadow column.
n6 is the date on which the user's password privilege expires. This date is entered as a number of days since January 1, 1970 (see Table 16-2). n6 can be one of the following values:
Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores (un-expires) it. If you do not want to set any expiration date, type -1 in this field.
Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or earlier, you immediately expire the user's password.
For example, to specify an expiration date for the user pete of December 31, 1995 you would type:
station1% nistbladm -m `shadow=n:n:n:n:n:9493:n' [name=pete],passwd.org_dir |
Caution - All of the fields must be filled in with valid values.
Turning Off Password Privilege Expiration
To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:
station1% nistbladm -m `shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir |
Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.
Specifying Maximum Number of Inactive Days
You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.
This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network.
For example, suppose you specify a maximum inactivity period of 10 days for the user sam. On January 1, sam logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, sam logs in on machine-B and then logs out. Nine days after that on January 13, sam can still log in to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.
Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.
Caution - Do not set inactivity maximums unless your users are instructed
to log out at the end of each workday. The inactivity feature only relates
to logins; it does not check for any other type of system use. If a user logs
in and then leaves the system up and running at the end of each day, that
user will soon pass the inactivity maximum because there has been no login
for many days. When that user finally does reboot or log out, he or she won't
be able to log in.
Note - If you have Solstice AdminSuite™ tools available, do not use nistbladm to set an inactivity maximum. Use Solstice AdminSuite tools because they are easier to use and provide less chance for error.
To set a login inactivity maximum, you must use the nistbladm command in the format:
nistbladm -m `shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir |
Where:
login is the user's login ID
n indicates the values in the other fields of the shadow column.
n5 is the number of days the user is allowed to go between logins. Inactive can be one of the following values:
Minus one (-1). A value of minus one (-1) turns off the inactivity feature. The user can be inactive for any number of days without losing login privileges. This is the default.
Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.