10-06-2010 11:05 PM
How obsolete is the trusted mode?
Does anybody know what the current status of trusted systems is? Or what are the best practices for configuring a "secure" system?
And with respect to that question, how can I enforce a minimum password length for root without converting to trusted mode?
A quote from 'man security':
MIN_PASSWORD_LENGTH
This attribute controls the minimum length of new
passwords. On trusted systems it applies to all
users. On standard systems it applies to non-root
local users and to NIS users.
Tags: trusted mode
10-06-2010 11:59 PM
Re: How obsolete is the trusted mode?
# more /etc/security.dsc
#Revision=@(#)B.11.31_LR 1
######################################################################
#
# Do not edit this file.
#
######################################################################
# Programs use this file to obtain information about the attributes
# defined in /etc/default/security and /var/adm/userdb.
# Each attribute is described by a line below; information includes:
# 1) name
# 2) min value
# 3) max value
# 4) value of the hardwired default used if no system-wide value is set
# 5) flags indicating how the attribute can be used:
# S : can configure a system-wide default in /etc/default/security
# u : can configure a per-user value in /var/adm/userdb
# s : can configure a per-user value in /etc/shadow if shadow mode
# p : can configure a per-user value in /etc/passwd if standard mode
# L : the attribute applies only to local users in /etc/passwd
# i : indicates an internal attribute in /var/adm/userdb that is
# normally modified only by programs that enforce system security
# 6) description message number in /usr/lib/nls/*/libsec.cat
# 7) description message; description of the attribute
ABORT_LOGIN_ON_MISSING_HOMEDIR;0;1;0;S;1;Abort login if no home directory? (0=No 1=Yes)
ALLOW_NULL_PASSWORD;0;1;1;LuS;2;Allow login with null password? (0=No 1=Yes)
AUDIT_FLAG;0;1;1;uS;3;Should a user account be audited? (0=No 1=Yes)
AUTH_MAXTRIES;0;999;0;uS;4;Number of consecutive authentication failures allowed (0=No limit)
BOOT_AUTH;0;1;0;LS;5;Is authentication required to boot the system into single user mode? (0=No 1=Yes)
BOOT_USERS;;;root;LS;6;Names of users who can boot the system into single user mode
DISPLAY_LAST_LOGIN;0;1;1;uS;7;Should the last login be displayed? (0=No 1=Yes)
INACTIVITY_MAXDAYS;0;999;0;LsS;8;Number of days of account inactivity allowed (0=No limit)
LOGIN_TIMES;;;Any;uS;9;List of days/times that a user can login to the system (see security(4)).
MIN_PASSWORD_LENGTH;3;8;6;LuS;10;Minimum length for new passwords
NOLOGIN;0;1;0;S;11;Can /etc/nologin be used to disable non-root logins? (0=No 1=Yes)
NUMBER_OF_LOGINS_ALLOWED;0;999;0;uS;12;Maximum number of simultaneous logins allowed (0=No limit)
PASSWORD_HISTORY_DEPTH;1;24;1;LuS;13;Number of passwords in password history
PASSWORD_MIN_LOWER_CASE_CHARS;0;7;0;LuS;14;Minimum number of lower case chars for new passwords
PASSWORD_MIN_UPPER_CASE_CHARS;0;7;0;LuS;15;Minimum number of upper case chars for new passwords
PASSWORD_MIN_DIGIT_CHARS;0;6;0;LuS;16;Minumum number of digits for new passwords
PASSWORD_MIN_SPECIAL_CHARS;0;6;0;LuS;17;Minimum number of special chars for new passwords
PASSWORD_MAXDAYS;-1;441;-1;LpsS;18;Maximum number of days that a password is valid (-1=Disable aging)
PASSWORD_MINDAYS;0;441;0;LpsS;19;Minimum number days to elapse before a password can be changed (0=No restriction)
PASSWORD_WARNDAYS;0;441;0;LsS;20;Number of days to warn before a password expires (0=No warning)
SU_DEFAULT_PATH;;;;S;21;Set the specified PATH when su to a non superuser account (null=Retain path)
SU_KEEP_ENV_VARS;;;;S;22;Force su to propagate specified unsafe environment variables (null=No propagation)
SU_ROOT_GROUP;;;;S;23;Name of the group allowed to su to root (null=No restrictions)
UMASK;0;0777;0;uS;24;Default umask (leading zero denotes octal value)
auth_failures;;;;i;100;Number of consecutive authentication failures
auth_forigin;;;;i;101;Origin (host or tty) of last authentication failure
auth_ftime;;;;i;102;Time of last authentication failure
login_origin;;;;i;103;Origin (host or tty) of last successful login
login_time;;;;i;104;Time of last successful login
pwhist;;;;i;105;Password history
10-07-2010 01:27 AM
Re: How obsolete is the trusted mode?
Anyway, did you try to disable password aging at the per-user level with the userdbset command?
userdbset -u
10-07-2010 05:51 AM
Re: How obsolete is the trusted mode?
#userdbset -u user PASSWORD_MAXDAYS=-1
Unknown attribute : PASSWORD_MAXDAYS
10-07-2010 03:27 PM
Re: How obsolete is the trusted mode?
The only real functionality that trusted systems have and SMSE security does not is the ability to edit files to set the per-user policy, plus system-generated passwords. Other than that, I think all of the functionality is there.
10-07-2010 11:10 PM
Re: How obsolete is the trusted mode?
10-11-2010 04:50 PM
Re: How obsolete is the trusted mode?
For now you'll need to use Trusted Mode to get that functionality.
Regarding
userdbset -u user -a PASSWORD_MAXDAYS=-1
not working, the PASSWORD_MAXDAYS setting for a specific user is not stored in the userdb. If you would like to set (disable) this setting for a user use:
/usr/bin/passwd -x -1 user
Not all security settings are settable in the userdb - To find out more about each setting take a look at the /etc/security.dsc file. Each entry has a set of flags (5th parameter of the line), these flags are described at the top of the file:
# S : can configure a system-wide default in /etc/default/security
# u : can configure a per-user value in /var/adm/userdb
# s : can configure a per-user value in /etc/shadow if shadow mode
# p : can configure a per-user value in /etc/passwd if standard mode
# L : the attribute applies only to local users in /etc/passwd
# i : indicates an internal attribute in /var/adm/userdb that is
# normally modified only by programs that enforce system security
For example the MIN_PASSWORD_LENGTH setting has the flags LpsS
PASSWORD_MAXDAYS;-1;441;-1;LpsS;18;Maximum number of days that a password is valid (-1=Disable aging)
L - Local users
p - Set on a per-user basis with passwd
s - Settable in shadow mode
S - System wide default settable in /etc/default/security
Also from the security man page:
"PASSWORD_MAXDAYS
...
This attribute applies only to local users and does not apply to trusted systems. The passwd -x option can be used to override this
value for a specific user."
Cheers,
Doug
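An added example, not code from this thread or from HPE, that turns the flag-decoding Doug describes (and the /etc/security.dsc dump earlier in the thread) into a small POSIX sh + awk script. It answers "where can attribute X be set?" from the flag column, which is exactly why userdbset reported "Unknown attribute" for PASSWORD_MAXDAYS (no "u" flag), and it checks NAME=VALUE lines in /etc/default/security against the min/max columns. DSC_FILE, make_sample_dsc, make_sample_config, dsc_field, where_settable and check_default_security are this example's own names; the security.dsc excerpt and the sample config are constructed so the script runs offline, with the ranges taken from the file as posted above (for example MIN_PASSWORD_LENGTH is limited to 3..8 there).

```shell
#!/bin/sh
# Added example, not from the thread or from HPE. Decodes the flag column of
# /etc/security.dsc and validates /etc/default/security against its ranges.
# Assumption: DSC_FILE points at the real /etc/security.dsc when readable;
# otherwise a constructed excerpt in the same layout is used.

DSC_FILE="${DSC_FILE:-/etc/security.dsc}"

# Constructed excerpt of security.dsc, same 7-field layout as the real file:
# name;min;max;default;flags;msgno;description
make_sample_dsc() {
    cat > "$1" <<'EOF'
# name;min;max;default;flags;msgno;description
MIN_PASSWORD_LENGTH;3;8;6;LuS;10;Minimum length for new passwords
PASSWORD_MAXDAYS;-1;441;-1;LpsS;18;Maximum number of days that a password is valid (-1=Disable aging)
PASSWORD_HISTORY_DEPTH;1;24;1;LuS;13;Number of passwords in password history
AUTH_MAXTRIES;0;999;0;uS;4;Number of consecutive authentication failures allowed (0=No limit)
SU_ROOT_GROUP;;;;S;23;Name of the group allowed to su to root (null=No restrictions)
EOF
}

# Constructed /etc/default/security for the demo: one out-of-range value
# and one unknown attribute name on purpose.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed /etc/default/security
MIN_PASSWORD_LENGTH=12
PASSWORD_MAXDAYS=90
PASSWORD_HISTORY_DEPTH=5
NO_SUCH_ATTR=1
EOF
}

# dsc_field ATTR N: print field N of ATTR's line (2=min 3=max 4=default 5=flags).
# Exit status 1 if the attribute is not in the file.
dsc_field() {
    awk -F';' -v a="$1" -v n="$2" \
        '$1 == a { print $n; found = 1; exit } END { exit !found }' "$DSC_FILE"
}

# where_settable ATTR: one line per place the attribute can be configured,
# following the flag letters documented at the top of security.dsc.
where_settable() {
    flags=$(dsc_field "$1" 5) || { echo "unknown attribute: $1"; return 1; }
    case $flags in *S*) echo "system-wide: /etc/default/security" ;; esac
    case $flags in *u*) echo "per-user: /var/adm/userdb (userdbset -u USER $1=VALUE)" ;; esac
    case $flags in *p*) echo "per-user: /etc/passwd aging field in standard mode (e.g. passwd -x DAYS USER)" ;; esac
    case $flags in *s*) echo "per-user: /etc/shadow in shadow mode" ;; esac
    case $flags in *L*) echo "note: applies only to local users in /etc/passwd" ;; esac
    case $flags in *u*) ;; *) echo "note: no 'u' flag, so userdbset will report 'Unknown attribute'" ;; esac
}

# check_default_security FILE: validate NAME=VALUE lines against security.dsc.
# Prints ok/BAD/UNKNOWN per line; exit status 1 if anything is BAD or UNKNOWN.
check_default_security() {
    awk -F';' '
        FNR == NR { if ($0 !~ /^#/) { min[$1] = $2; max[$1] = $3; flags[$1] = $5 }; next }
        /^[ \t]*#/ || !/=/ { next }
        {
            split($0, kv, "="); name = kv[1]; val = kv[2]
            if (!(name in flags)) { printf "UNKNOWN %s\n", name; bad++ }
            else if (flags[name] !~ /S/) { printf "BAD %s: not settable system-wide\n", name; bad++ }
            else if (min[name] != "" && (val + 0 < min[name] + 0 || val + 0 > max[name] + 0)) {
                printf "BAD %s=%s: allowed range %s..%s\n", name, val, min[name], max[name]; bad++
            }
            else printf "ok %s=%s\n", name, val
        }
        END { exit (bad > 0) }' "$DSC_FILE" "$1"
}

# Stand-alone demo: real file if readable, otherwise the constructed excerpt.
if [ ! -r "$DSC_FILE" ]; then
    DSC_FILE=$(mktemp); make_sample_dsc "$DSC_FILE"
fi
for attr in PASSWORD_MAXDAYS MIN_PASSWORD_LENGTH; do
    echo "== $attr"; where_settable "$attr"
done
cfg=$(mktemp); make_sample_config "$cfg"
check_default_security "$cfg" || echo "== fix the BAD/UNKNOWN entries before relying on this policy"
rm -f "$cfg"
```

On a real HP-UX box run it as is to read the live /etc/security.dsc; the flag decoding is what tells you, before you touch anything, whether a setting belongs in /etc/default/security, in the userdb via userdbset, or in the passwd aging fields.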
10-11-2010 08:44 PM
Re: How obsolete is the trusted mode?
>If you would like to set (disable) this setting for a user use:
>/usr/bin/passwd -x -1 user
Actually, the "passwd -x -1 user" command works, but this doesn't disable password aging. When the user uses the "passwd" command to set their password, the user's aging parameter is set to "PASSWORD_MAXDAYS" (in the /etc/default/security file) again.
05-10-2011 06:52 PM
Re: How obsolete is the trusted mode?
There will be a patch to 11.31 available in early 2011 that allows you to apply password policies to the root user.
Patches PHCO_40838 and PHCO_40839 are now available and make it possible to apply all the Shadow mode login and password restrictions imposed on normal users to the root user account.
05-10-2011 10:34 PM
Re: How obsolete is the trusted mode?
Thanks for all your replies.