Beruflich Dokumente
Kultur Dokumente
Page 1 of 6
English
» IT Resource Center
Title: How does password aging on non-trusted systems
» Logout work?
» My profile Document ID: emr_na-c00904837-4
Submitted Date: 2007-03-20 05:00:00.0
» Search knowledge Last Modified Date: 2007-03-23 05:00:00.0
base
» Forums You may provide feedback on this document
» Patch database
» Download drivers,
software and firmware
» Warranty check
How does password aging on non-trusted systems
» Support Case Manager work?
» Software Update
Manager How does password aging on non-trusted systems work?
» Training and Education
» More maintenance and
DocId: KBAN00000715 Updated: 20011217
support options
DOCUMENT
» Online help
» Site map First, an extended passage from the passwd(4) manpage:
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 2 of 6
week when the password was last changed (a null string is equivalent
to zero). M and m have numerical values in the range 0 through 63
that correspond to the 64-character set of "digits" shown above.
Basically, the password expiration is encoded in four characters following the comma after the
encoded password string:
The first character ("/") encodes the maximum number of weeks a password is valid.
The second character (".") encodes the minimum period in weeks that must expire before the
password can be changed.
The remaining two characters ("pI") encodes the week the password was last changed.
.=0 6= 8 E = 16 M = 24 U = 32 c = 40 k = 48 s = 56
/=1 7= 9 F = 17 N = 25 V = 33 d = 41 l = 49 t = 57
0 = 2 8 = 10 G = 18 O = 26 W = 34 e = 42 m = 50 u = 58
1 = 3 9 = 11 H = 19 P = 27 X = 35 f = 43 n = 51 v = 59
2 = 4 A = 12 I = 20 Q = 28 Y = 36 g = 44 o = 52 w = 60
3 = 5 B = 13 J = 21 R = 29 Z = 37 h = 45 p = 53 x = 61
4 = 6 C = 14 K = 22 S = 30 a = 38 i = 46 q = 54 y = 62
5 = 7 D = 15 L = 23 T = 31 b = 39 j = 47 r = 55 z = 63
Because the least significant digit is the leftmost character for the base-64 ASCII string representing
the week the password was last changed, the succession of numbers in this format is unusual:
0 -> ..
1 -> /.
2 -> 0.
: : :
1331 -> nI
1332 -> oI
1333 -> pI
1334 -> qI
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 3 of 6
1335 -> rI
: : :
1341 -> xI
1342 -> yI
1343 -> zI
1344 -> .J
1345 -> /J
1346 -> 0J
1347 -> 1J
1348 -> 2J
: : :
4094 -> yz
4095 -> zz
This encoding only goes up to "zz", so the largest number a two character base-64 ASCII string can
represent is ('z'+64*'z' = '63'+64*'63') 4095. With about 52 weeks in a year, 4095 weeks is almost 79
years. So, 1970 + 78 years, means HP will need to come up with a new encoding by the year 2048.
# date
Wed May 2 11:15:18 PDT 2001
# at now + 1 minute < /dev/null
warning: commands will be executed using /usr/bin/sh
job 988827528.a at Wed May 2 11:18:48 2001
# at -r 988827528.a
# # Those at(1)'s were getting number of seconds from January 1, 1970
##
# echo "obase=64\n988827528 / 60 / 60 / 24 / 7" | bc
25 34
# passwd -x 5 guest
<max> argument rounded up to nearest week
# pwget -n guest
guest:SaCVF5KlZqm6c,/.WN:105:20:,,,:/home/guest:/usr/bin/sh
#
So, "25 = 'N'" and "34 = 'W'", and since the significance is inverted, the week changed is set to "WN".
A quick side note is necessary to clarify the start and end of a week. The password expiration is
stored in number of weeks since the start of the Epoch. Per the glossary(9) manpage:
$ cal 1 1970
January 1970
S M Tu W Th F S
1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
The first week of the epoch started on Thursday, and ended on Wednesday. Therefore, as related to
password expiration, every following week starts on Thursday and ends on Wednesday.
(end of quick side note)
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 4 of 6
The min and max arguments are each represented in units of days.
These arguments will be rounded up to the nearest week on a nontrusted
HP-UX system.
January 2001
S M Tu W Th F S
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31
The password is rounded up to be a maximum of "1 week" old. From 01/04 to 01/10, the password is
"0" weeks old. From 01/11 to 01/17, the password is still a permissable "1" week old (it has reached,
but not exceded, the maximum permissable value). Finally, on 01/18, the password will now have
reached "2" weeks old and the user must now change the password at this time.
So, even though "passwd -x 1" seems like it would expire in 1 day, in the above example, it will
actually expire in 13 days.
Also, the maximum value you can set for passwd(1)'s "- x" option is "441", which happens to be (63 *
7), which conforms to the previous information on only allowing one character to represent the
number of weeks and the largest valued character is "z", which is "63". This was determined
empirically:
# passwd -x 442
Invalid argument to option -x
# passwd -x 441
<max> argument rounded up to nearest week
Usage:
:
#
There is no way to represent expiring in 442 days with one encoded character. "442" days would be
rounded up to "64" weeks, and there is no encoded character from the above "Table of Encoded
Characters" to encode "64".
If it is desired to have a user to need to change their password weekly, set the maximum number of
weeks the password is valid to zero, so on the following week, when the password becomes one
week old, the user will now need to change it.
An interesting effect with this is if a user has a maximum of zero weeks for their password and they
change their password on Wednesday at 3:55 pm PST, ten minutes minutes later, at 4:05
their password is expired, because 00:00 GMT is 4:00 pm PST, which is the start of a new week.
The way this password expiration is quantized by weeks, the "margin of error" for when a
must be changed is +/- one week off since the last time it was changed. For a maximum of a "1" week
old password, if it was changed at 12:00 noon on Wednesday, it needs to be changed 8 days later,
next week's Thursday. However, if it was changed at 12:00 noon on Thursday, then it needs to be
changed 14 days later, in two weeks, when the password is now beyond one week old. The following
C code displays useful password expiration information:
/*
* This program is passed a valid username as an argument and
* displays password expiration information: "miximum weeks",
* "minimum weeks", "week of Epoch when the password was last
* modified", and "current week of the Epoch".
*/
#include <pwd.h>
#include <stdio.h>
#define SECONDS_PER_WEEK (60 * 60 * 24L * 7)
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 5 of 6
main() {
char user_name[1000];
struct passwd *pwd;
char maxw[1], minw[1], last[2];
maxw[0] = pwd->pw_age[0];
minw[0] = pwd->pw_age[1];
last[0] = pwd->pw_age[2];
last[1] = pwd->pw_age[3];
To review the above "last modified" ('HN') calculation (again using the "Table of Encoded
Characters"):
January 2001
S M Tu W Th F S
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 6 of 6
Since the password was last modified during the 1,619th week since January 1, 1970, and the
maximum number of valid weeks is "1", that means "week 1620" is still valid, but on Thursday,
January 25, the password will expire.
Starting with HP-UX 11.00, passwd(1)'s "-s" option may also be used to view this information:
$ man passwd
name status
And the date "01/11/01" is the same as just previously determined, "week 1619".
Printable version
Privacy statement Using this site means you accept its terms
© 2010 Hewlett-Packard Development Company, L.P.
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010