Establishing Password-aging Criteria, Principles, and Rules

Password-aging is a mechanism that you can use to force users to periodically change their passwords. Password-aging allows you to:

• Specify the maximum number of days that a password can be used before it has to be changed.

• Specify the minimum number of days that a password has to be in existence before it can be changed.

• Specify a warning message to be displayed whenever a user logs in a specified number of days before the user's password time limit is reached.

• Specify the maximum number of days that an account can be inactive. If that number of days pass without the user logging in to the account, the user's password is locked.

Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above features. They can continue to work as normal. Password-aging limitations and activities are activated only when a user logs in or performs one of the following operations:

• login

• rlogin

• telnet

• ftp

These password-aging parameters are applied on a user-by-user basis; you can have different password-aging requirements for different users. You can also set general default password-aging parameters that apply to all users except those you have individually set.

When planning your NIS+ namespace, decide which password-aging features you want to implement, and the default values you want to specify. For additional information on password-aging, see the Password chapter of Solaris Naming Administration Guide.