I want to change (increase) the length of the Password MIN LENGTH and was wondering if there was a command to change all of my users with the new setting instead of going into SMIT for each user account. If there is such a command, what if a current user would have a password setup below the new Password MIN LENGTH setting? What would happen? Would the system ask them to change their password the next time they try to log in or would it wait until the next time the password needs to be reset?

Any help would be great....

Mark

Mark McWilliams <mark@nospam.com> wrote:

MM> I want to change (increase) the length of the Password MIN LENGTH and was
MM> wondering if there was a command to change all of my users with the new
MM> setting instead of going into SMIT for each user account.

This might work. IIRC, normal user ids are created starting at uid 200. Adjust for your purposes.

    #!/bin/ksh
    # Dry run: print the chuser/pwdadm commands for every non-system account.
    minlen=10

    # /etc/passwd fields are colon-separated: name:password:uid:...
    while IFS=: read -r user pass uid misc
    do
        # Skip system accounts (uid below 200).
        if [[ $uid -lt 200 ]]
        then
            continue
        fi
        echo chuser minlen=$minlen "$user"    # set the per-user minimum length
        echo pwdadm -f ADMCHG "$user"         # require a password change at next login
    done < /etc/passwd

Remove the echo statements when you're satisfied that the script will do what you want.

MM> If there is such
MM> a command, what if a current user would have a password setup below the new
MM> Password MIN LENGTH setting? What would happen? Would the system ask them
MM> to change their password the next time they try to log in or would it wait
MM> until the next time the password needs to be reset?

I think it'd wait until the next time their password. If you want to check, just run the chuser command against one of the accounts, then run pwdadm -q username to see whether the ADMCHG flag is set.

Regards,

Nicholas

--
"Why shouldn't I top-post?" http://www.aglami.com/tpfaq.html
"Meanings are another story." http://www.ifas.org/wa/glossolalia.html

On Tue, 9 Dec 2003 13:54:24 -0600, "Mark McWilliams" <mark@nospam.com> wrote:

>I want to change (increase) the length of the Password MIN LENGTH and was
>wondering if there was a command to change all of my users with the new
>setting instead of going into SMIT for each user account. If there is such
>a command, what if a current user would have a password setup below the new
>Password MIN LENGTH setting? What would happen? Would the system ask them
>to change their password the next time they try to log in or would it wait
>until the next time the password needs to be reset?
>
>Any help would be great....
>
>Mark

Mark

Do you know that each individual user has got their MINLEN set? Unless you specify it upon user creation the default will be used. Verify this by looking in /etc/security/user (I think - off the top of my head). If it's not that file, it's one of them in /etc/security.

If they are all using the default (all the stuff in the "default:" stanza at the top), you can change this.

The change will not force a password change on next login, but will be applied when their password expires.

Thanks

Steven

Steven,

So I can just edit this file and save it and all of the user settings will change?

Thanks,

Mark

"Steven Langdale" <steven.langdale@toyland.demon.co.uk> wrote in message news:1m8ktvsar05tqk86foq5o1rkdigts87aq2@4ax.com...

> Mark
>
> Do you know that each individual user has got their MINLEN set?
> Unless you specify it upon user creation the default will be used.
> Verify this by looking in /etc/security/user (I think - off the top of
> my head). If it's not that file, it's one of them in /etc/security.
>
> If they are all using the default (all the stuff in the "default:"
> stanza at the top), you can change this.
>
> The change will not force a password change on next login, but will be
> applied when their password expires.
>
> Thanks
>
> Steven

Mark McWilliams <mark@nospam.com> wrote:

MM> Steven,

MM> So I can just edit this file and save it and all of the user settings
MM> will change?

Please don't top-post. See my response at the bottom, where it belongs.

See the script I already posted. If you have a large number of users, it would be wasteful to edit any file in /etc/security manually. (Some would argue that commands like chuser and pwdadm exist simply to prevent administrators from mucking up the files by editing them by hand. But that's another story.)

Regards,

Nicholas

On 16 Dec 2003 19:30:43 GMT, Nicholas Dronen <ndronen@io.frii.com> wrote:

>Please don't top-post. See my response at the bottom, where it
>belongs.
>
>See the script I already posted. If you have a large number of
>users, it would be wasteful to edit any file in /etc/security
>manually. (Some would argue that commands like chuser and pwdadm
>exist simply to prevent administrators from mucking up the files
>by editing them by hand. But that's another story.)
>
>Regards,
>
>Nicholas

All

The point I was trying to make was that if the system is relying on the default stanza setting, there is no need to make a new entry in each user stanza. If you did, you would always have to make mass changes like this. This could be resolved by editing one value in one line.

I agree entirely with the general rule to use the commands to update these files, but this could be such a simple change, and difficult to muck up. As an aside, can the standard utilities modify the default stanza? I've never tried.

Nicholas, Sorry I also sent a reply to your email address, pressed wrong button

Thanks

Steven

"Steven Langdale" <steven.langdale@toyland.demon.co.uk> wrote in message news:0squtvkvt9k4dajj09c0lfpgm2ugjkfl3d@4ax.com...

> All
>
> The point I was trying to make was that if the system is relying on
> the default stanza setting, there is no need to make a new entry in
> each user stanza. If you did, you would always have to make mass
> changes like this. This could be resolved by editing one value in one
> line.
>
> I agree entirely with the general rule to use the commands to update
> these files, but this could be such a simple change, and difficult to
> muck up. As an aside, can the standard utilities modify the default
> stanza? I've never tried.
>
> Nicholas, Sorry I also sent a reply to your email address, pressed
> wrong button
>
> Thanks
>
> Steven

Steve and Nicholas,

I didn't know that the top-post was some kind of etiquette thing within newsgroups. Now I know....

I only have about 60 users in my system and yes each user has a minlen value. Can I just vi this file (/etc/security/user) and substitute this line with the value that I want it to be and save it? It would probably be best to do this after hours I guess!!!!

Mark

Mark McWilliams <mark@nospam.com> wrote:

MM> Steve and Nicholas,

MM> I didn't know that the top-post was some kind of etiquette thing
MM> within newsgroups. Now I know....

Some would disagree that it's important, but if a thread gets many replies, it remains readable if the responses are made inline and, just as one reads English, from top to bottom. (See the tpfaq.html link below.)

MM> I only have about 60 users in my system and yes each user has a minlen
MM> value. Can I just vi this file (/etc/security/user) and substitute this
MM> line with the value that I want it to be and save it? It would probably be
MM> best to do this after hours I guess!!!!

I missed what Steve was getting at regarding the default. What you can do is change the minlen field in the default stanza. After that, if you want the setting to take effect immediately, just run the pwdadm command I posted previously for all accounts.

Regards,

Nicholas

--
"Why shouldn't I top-post?" http://www.aglami.com/tpfaq.html
"Meanings are another story." http://www.ifas.org/wa/glossolalia.html

On 16 Dec 2003 22:08:24 GMT, Nicholas Dronen <ndronen@io.frii.com> wrote:

>Some would disagree that it's important, but if a thread gets
>many replies, it remains readable if the responses are made
>inline and, just as one reads English, from top to bottom. (See
>the tpfaq.html link below.)
>
>I missed what Steve was getting at regarding the default. What
>you can do is change the minlen field in the default stanza.
>After that, if you want the setting to take effect immediately,
>just run the pwdadm command I posted previously for all
>accounts.
>
>Regards,
>
>Nicholas

You have a couple of choices here:

1. As you have MINLEN settings in each user stanza, you could use the script that Nicholas provided to update them all. I'd also update the one in the default stanza and not bother specifying one for all subsequently created users.

2. You could update the one in the default stanza and remove the ones from all the other user stanzas. As number 1, don't bother specifying one for all subsequently created users so they just use the default.

Personally I'd go for option 2, it will leave the system in a nice clean state with only one place where MINLEN is specified, much easier for subsequent changes.

If you also want to force a password change to enforce the MINLEN immediately, use the script but just have it perform the pwdadm bit.

I have done this in the past, and it worked without a hitch, but the choice is yours.

Good Luck

Steven
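
Added example, not part of any post in this thread: a dry-run audit of the point discussed above, that raising minlen in the default stanza changes nothing for accounts that carry their own minlen entry. The stanza file, the account values and the function names minlen_report and minlen_plan are constructed for illustration; chsec is the AIX command for setting an attribute in a stanza and is an addition here, not something the posters used.

```sh
#!/bin/sh
# Added example: audit minlen in an AIX-style /etc/security/user stanza file.
# Function names and the sample accounts below are constructed for illustration.

# Constructed sample in stanza format ("name:" header, indented attr = value).
sample_user_file() {
cat <<'EOF'
* constructed sample, not taken from a real system
default:
    admin = false
    minlen = 6
    maxage = 13

root:
    admin = true
    minlen = 8

mark:
    minlen = 5

steven:
    maxage = 8

nicholas:
    minlen = 10
EOF
}

# minlen_report FILE NEWDEFAULT
# One line per user stanza: name, the minlen that would apply once the default
# stanza is set to NEWDEFAULT, where it comes from, and whether it is too low.
minlen_report() {
    awk -v want="$2" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }        # comment or blank line
        /^[^ \t].*:[ \t]*$/ {                     # stanza header, e.g. "mark:"
            name = $0
            sub(/:[ \t]*$/, "", name)
            order[++n] = name
            next
        }
        {                                         # "attr = value" inside a stanza
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            gsub(/[ \t]/, "", kv[2])
            if (kv[1] == "minlen") explicit[name] = kv[2]
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (u == "default") continue
                if (u in explicit) { eff = explicit[u]; src = "override" }
                else               { eff = want;        src = "default" }
                status = (eff + 0 < want + 0) ? "below" : "ok"
                print u, eff, src, status
            }
        }' "$1"
}

# minlen_plan FILE NEWDEFAULT
# Prints (never runs) the commands for that change: chsec for the default
# stanza, then chuser for each per-user override that would stay below it.
minlen_plan() {
    echo "chsec -f /etc/security/user -s default -a minlen=$2"
    minlen_report "$1" "$2" | while read -r user eff src status
    do
        if [ "$src" = override ] && [ "$status" = below ]; then
            echo "chuser minlen=$2 $user"
        fi
    done
}

# Demo on the constructed sample: raise the minimum length to 8.
tmp=$(mktemp)
sample_user_file > "$tmp"
minlen_report "$tmp" 8
minlen_plan "$tmp" 8
rm -f "$tmp"
```

Run against a copy of the real file first and review the printed commands before executing any of them.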

"Steven Langdale" <steven.langdale@toyland.demon.co.uk> wrote in message news:fv1vtvkn98s91111qb0sr0tj4gbf578n9e@4ax.com...

> You have a couple of choices here:
>
> 1. As you have MINLEN settings in each user stanza, you could use the
> script that Nicholas provided to update them all. I'd also update the
> one in the default stanza and not bother specifying one for all
> subsequently created users.
>
> 2. You could update the one in the default stanza and remove the ones
> from all the other user stanzas. As number 1, don't bother specifying
> one for all subsequently created users so they just use the default.
>
> Personally I'd go for option 2, it will leave the system in a nice
> clean state with only one place where MINLEN is specified, much easier
> for subsequent changes.
>
> If you also want to force a password change to enforce the MINLEN
> immediately, use the script but just have it perform the pwdadm bit.
>
> I have done this in the past, and it worked without a hitch, but the
> choice is yours.
>
> Good Luck
>
> Steven

Thanks guys.....I'm going to try this tomorrow night and I'll let you know how it goes.

Mark