topic Re: Shadow file in Operating System - HP-UX

Shadow file

PVR — Fri, 02 Jan 2004 09:27:15 GMT

Like other Unix version, HP doesn't use shadow file. Can anybody describe the security mechanism used by HP HP Unix?? Which is the file carrying user age statistics??

Re: Shadow file

Robert-Jan Goossens — Fri, 02 Jan 2004 09:33:08 GMT

Hi,

Depending on your HPUX version, it does support shadow password file. But you will need 11.11.

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

If you do not have this version you could convert your server to a trusted server.

Hope this helps,
Robert-Jan

Re: Shadow file

Graham Cameron_1 — Fri, 02 Jan 2004 09:34:32 GMT

In a non-trusted (ie default) system, password ageing is done in the passwd file itself.
See man 4 passwd and look for the bit which describes the password field.

In a trusted system, it is more complicated, and you need to start here...
http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

-- Graham

Re: Shadow file

Hazem Mahmoud_3 — Fri, 02 Jan 2004 09:39:17 GMT

HP-UX uses something called a Trusted System where it stores the password files in a root-readable file (just like a shadow file). However it is organized in a different structure.
Each user has their own user file which contains their encrypted passwords, uid, # of unsuccessful logins, if the account is locked, etc.
These files are located at /tcb/files/auth//.

-Hazem

Re: Shadow file

Steven E. Protter — Fri, 02 Jan 2004 09:53:45 GMT

There is an add in product available at software.hp.com that allows you to shadow passwords without going trusted. That product is 11i only and shadows the passwords just like a trusted system, so I'm told.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

On an 11.00 system to shadow the passwords you have to go trusted.

Its not that big a deal, just a few clicks in sam

SEP

Re: Shadow file

Todd McDaniel_1 — Fri, 02 Jan 2004 14:43:34 GMT

My company uses the SecurID package which works very well with the one-time passwords.

The name on the back of my card is ACE (access control & encryption)...

Also, have a look at the /etc/hosts.allow and hosts.deny.

And have a look at the manpage for "security". It outlines many good methods for implementing security via passwords and multiple logins.... You will have to create a /etc/default/security file to insert the parameters.

Re: Shadow file

Bill Hassell — Fri, 02 Jan 2004 14:51:53 GMT

HP-UX does indeed use a hidden password file but it is much stronger than the traditional Unix shadow file. Read the man page: prpwd which describes the format in detail. There are many, many features available in a Trusted system that are not found in the old shadow password design. See also: man security