2012-02-16 01:59 PM
How do you manage user accounts in 7 mode given the following scenarios:
Enable disabled user account:
Controller1> useradmin user list Test3
Allowed Capabilities: login-snmp
Password min/max age in days: 1/4294967295
Change user password for first login:
When security.passwd.firstlogin.enable is set to on and using the principle of least privilege, how do you change the initial password? Or let me ask, what is required to allow a user to change their password on first login if you are configuring SNMPv3 and only granting login-snmp? Do they need the ability to log in through SSH? If so, what other capabilities are required for the user to change their password? Let’s say the user only has login-snmp and login-ssh, how would they change their password? There is no prompt when I log in, and I can log in through SSH with the account with a status of expired. When I have these capabilities and try passwd, the system log states that test needs the cli-passwd capability. If you grant that capability then that account can change any password.
Info: Rid: 11112
Password min/max age in days: 0/4294967295
2013-04-21 09:57 PM
I'm seeking an answer to this 'problem' also. The closest workarounds I can see are the RSH syntax for passwd or setting the ...passwd.firstlogon.enable off before creating the accounts then turning it back on again.
2013-04-22 10:10 AM
The capability cli-passwd only provides the privileges to change the password on the user's own account.
It does not provide the ability to change the password on other users' accounts.
In order to change the password of other users' accounts you need the security context privilege of security-passwd-change-others.
2013-04-22 05:54 PM
I noted that fact in the man pages, Richard; I felt that as I was logged in as root I wouldn't have a problem.
bondbhola, yes, deleting and recreating with ...passwd.firstlogon.enable=off set works fine as expected.