Password Privilege Expiration
You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.
For example, if you specify an expire date of December 31, 1997, for a user named pete, on January 1, 1998 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.
Password Aging Versus Expiration
Expiration of a user's password privilege is not the same as password aging.
-
Password aging. A password that has not been changed for longer than the aging time limit is sometimes referred to as an expired password. But that password can still be used to log in one more time. As part of that last login process the user is forced to choose a new password.
-
Expiration of password privilege. When a user's password privilege expires, the user cannot log in at all with any password.) In other words, it is the user's permission to log in to the network that has expired.
Setting an Expiration Date
Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.
Note -
If you have Solstice AdminSuiteTM tools available, do not use nistbladm to set an expiration date. Use Solstice AdminSuiteTM tools because they are easier to use and provide less chance for error.
To set an expiration date with the nistbladm command:
nistbladm -m `shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir |
Where:
-
login is the user's login ID
-
n indicates the values in the other fields of the shadow column.
-
n6 is the date on which the user's password privilege expires. This date is entered as a number of days since January 1, 1970 (see Table 11-2). n6 can be one of the following values:
-
Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores (un-expires) it. If you do not want to set any expiration date, type -1 in this field.
-
Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or earlier, you immediately expire the user's password.
-
For example, to specify an expiration date for the user pete of December 31, 1995 you would type:
station1% nistbladm -m `shadow=n:n:n:n:n:9493:n' [name=pete],passwd.org_dir |
Caution - All of the fields must be filled in with valid values.
Turning Off Password Privilege Expiration
To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:
station1% nistbladm -m `shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir |
Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.
- © 2010, Oracle Corporation and/or its affiliates