If you are running HP-UX 11i or higher, you can install
the Shadow Password bundle. This can be found at
http://software.hp.com .
This bundle will replace the encrypted passwords with
an "x" in the /etc/passwd file. The encrypted passwords are moved to the
/etc/shadow file. This is like Linux systems.
After the bundle has been installed, run the pwconv
command to move the encrypted passwords. You can move them back by using
the pwunconv command. More information can be found in the man page
"shadow".
You can only use shadow passwords if you are using
/etc/passwd and/or LDAP. The shadow passwords is not supported with NIS/NIS+.
You cannot run this if you are running a full trusted system (see book section
2.5). If you no longer want to run a trusted system you can run "tsconvert
-r" to return to a non-trusted system and then install the Shadow Passwords
bundle and run pwconv.
There are 3 new options found in the
/etc/default/security file if you are using the Shadow Password bundle.
These are highlighted below (from the man security page):
PASSWORD_MAXDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default maximum number of days
that passwords are valid. This parameter applies only
to local users and does not apply to trusted systems.
The passwd -x option can be used to override this value
for a specific user.
PASSWORD_MAXDAYS=N A new password is valid for up to
N days, after which the password must be changed.
Default value: PASSWORD_MAXDAYS=-1 password aging is
turned off.
PASSWORD_MINDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default minimum number of days
before a password can be changed. This parameter
applies only to local users and does not apply to
trusted systems. The passwd -n option can be used to
override this value for a specific user.
PASSWORD_MINDAYS=N A new password cannot be changed
until at least N days since it was last changed.
Default value: PASSWORD_MINDAYS=0
PASSWORD_WARNDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default number of days before
password expiration that a user is to be warned that
the password must be changed. This parameter applies
only to local users on Shadow Password systems. The
passwd -w option can be used to override this value for
a specific user.
PASSWORD_WARNDAYS=N Users are warned N days before
their password expires.
Default value: PASSWORD_WARNDAYS=0 (no warning)