topic SAM Password Administration in Operating System - HP-UX

SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 07:50:03 GMT

I want to automatically notify users to change thier passwords periodically and force them to use a "strong" password (i.e.-Gnomes05!). Is this possible with SAM or is there another software package I can install to do this?

Re: SAM Password Administration

Pete Randall — Fri, 29 Jul 2005 07:51:36 GMT

Mike,

Take a look at "man security". Be aware, however, that many of the more advanced features of /etc/default/security require your system to be trusted.

Pete

Re: SAM Password Administration

DCE — Fri, 29 Jul 2005 07:54:11 GMT

As Pete stated,the features you are looking for are availble in trusted mode.You can easily convert to trusted mode via SAM.

Re: SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 08:00:14 GMT

Thanks!!

Re: SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 08:02:37 GMT

What are the pitfalls of going to a trusted system? What problems might I encounter?

Re: SAM Password Administration

DCE — Fri, 29 Jul 2005 08:13:47 GMT

One common pitfall is the deactivation of the root account! The default failed login attempts is three, and for some reason or other, a sysadmin will lock the root account.

Two ways to get reactivate the account
If there is a root window open run the command modprpw -k root to reactivate it
or
log in from the console as root

Another "issue" may be the status of little used accounts. An account may be disabled from lack of use (a good thing from a security point of view, but bad from the user point of view)

I have converted several systems to trusted, and have not encountered any other issues. There is an added bonus to going to trusted - it eliminates an audit point, if your system is is ever audited for security.

Re: SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 08:17:23 GMT

If I do have problems, can I just switch back? Does switching to and from a trusted system require any reboot or disruption?

Re: SAM Password Administration

DCE — Fri, 29 Jul 2005 08:32:29 GMT

Switching back is simple - I believe the command tsconvert -r

Re: SAM Password Administration

DCE — Fri, 29 Jul 2005 08:36:21 GMT

I forgot to mention - no reboot required and no interuptions

Re: SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 08:44:36 GMT

/etc/default/security does not exist on my system. What's up??

Re: SAM Password Administration

DCE — Fri, 29 Jul 2005 09:08:55 GMT

Not sure why, but the following thread should prove helpful

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=833100

Re: SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 09:53:23 GMT

Thanks for the tip, but still don't know for sure when and how the /etc/default/security file is created.

Re: SAM Password Administration

Pete Randall — Fri, 29 Jul 2005 09:56:43 GMT

Mike,

The file does not exist by default and must be created manually. The man page will show you format of the entries.

Pete

Re: SAM Password Administration

Mel Burslan — Fri, 29 Jul 2005 09:57:45 GMT

Did you convert your system to a trusted system yet ? If yes and you do not have the file, just go ahead and create it with these lines in it:

ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
NOLOGIN=1
PASSWORD_HISTORY_DEPTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1

with permissions of 444 It is not a magical file.

Re: SAM Password Administration

Mike Waibel — Fri, 29 Jul 2005 09:58:48 GMT

Does SAM write to this file once I have changed to a trusted system and created the file?

Re: SAM Password Administration

Mel Burslan — Fri, 29 Jul 2005 10:02:14 GMT

I never modified this file by sam but I am sure one or more of these parameters in the file are modifiable by sam, in which case it may write on it. But again this is an assumption. I create this file upon completion of a turted system conversion while I am building a new system. An usually it stays the same for the life of the system unless we get a new request from security team to deploy/chnge a setting, in which case, modification of the file and pushing it out to the other servers from a central location is how I do it.

Re: SAM Password Administration

DCE — Fri, 29 Jul 2005 10:06:16 GMT

Looks like you might need a patch - PHCO_33215
might not hurt to have PHCO_27694 and PHCO_27781

Re: SAM Password Administration

generic_1 — Fri, 29 Jul 2005 10:10:43 GMT

It would not be a bad idea to do a maketaperecovery before doing all this :).
Also do a /usr/lbin/gerprpw account on your accounts and make sure no one esspecially root is locked out, at least if they are not supposed to be. If its all 0s on the lockout=000000 you are good. 1s mean its locked.
/usr/lbin/modprpw -k will unlock the account
/usr/lbin/modprpw -v will reset the time to expire for an account. Make sure your time to expire accounts is set to what you want. getprpw will show you allot of information about your accounts that you may want to know as an admin. Trusted is the way to go not only because it offers more features, but that it is more secure too.

Good Luck.

Re: SAM Password Administration

Mike Waibel — Mon, 01 Aug 2005 12:56:26 GMT

I am a bit confused. Does SAM allow me to assign different password security options on a per user basis on a trusted system?

And what about the /etc/default/security file.
Does this apply to all users or does SAM override this?? Does this file exist for each user??

Re: SAM Password Administration

DCE — Mon, 01 Aug 2005 13:58:03 GMT

I am a bit confused. Does SAM allow me to assign different password security options on a per user basis on a trusted system?

Yes

And what about the /etc/default/security file.
Does this apply to all users or does SAM override this?? Does this file exist for each user??

System file that contains default security settings is for all users - settings that are customized are stored in the TCB and override defaults in /etc/default/security