topic Re: /etc/default/password in Operating System - HP-UX

/etc/default/password

Nicky_5 — Thu, 18 Aug 2005 13:49:56 GMT

Hi All,

in SCO Machines there is a file /etc/default/password that contains the information about the length and aging of user passwords and the availability of the passwd command for changing user passwords like MINWEEKS, MAXWEEKS, PASSLENGTH, WARNWEEKS,
LOGIN_ONLY.

Is there some such file n HP-UX (specially version 10.20) Please let me know..

Re: /etc/default/password

John Dvorchak — Thu, 18 Aug 2005 13:55:20 GMT

Yes you can do that if you make the system a "trusted" system. Use sam and go into "auditing and security" then to "system security policies". There is also a warning there that you must convert to a trusted system, but it is easily converted back to an untrusted system.

Re: /etc/default/password

Victor BERRIDGE — Thu, 18 Aug 2005 13:56:57 GMT

Under hpux 11i,you would find that in /etc/default/security file
As for 10.20 unless you have a trusted system Im afraid there is nothing...

All the best
Victor

Re: /etc/default/password

Sameer_Nirmal — Thu, 18 Aug 2005 14:00:17 GMT

No there is no such file in HP-UX
If you want to have that kind password policy , then you to convert the system to Trusted System .

Making Trusted system is depends on application compatibility.

Im HP-UX 11i , you can put those changes without converting to Trusted mode.

Re: /etc/default/password

Nicky_5 — Thu, 18 Aug 2005 14:05:04 GMT

hi,

is there any impact if i change the system into trusted system?
i did go into sam and saw the warning it gave
"2. Moves user passwords in "/etc/passwd" to this database.
3. Replaces all password fields in "/etc/passwd" with "*".

So if i say ok to this option wont it mess up with the password settings of my users?

This is a production machine and so i am a little wary..

Re: /etc/default/password

Ranjith_5 — Thu, 18 Aug 2005 14:08:57 GMT

Hi Nicky,

There is a similar file in HP-UX also. That is /etc/default/security.

The completeinfo is here.
http://docs.hp.com/en/B2355-60105/security.4.html

Regards,
Syam

Re: /etc/default/password

Nicky_5 — Thu, 18 Aug 2005 14:14:56 GMT

Hi Syam,

On my machine (HP-UX 10.20) under /etc/default there are only 2 files (fs & useradd). I could not find the file you mentioned.

Re: /etc/default/password

Ranjith_5 — Thu, 18 Aug 2005 14:17:54 GMT

Hi,

You have to create this file.
# touch security.

edit it and add the required parameters according to your requirements. I have added the following in my machine.
PASSWORD_HISTORY_DEPTH=5
SU_ROOT_GROUP=sysadm
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
UMASK=077
PASSWORD_MAXDAYS=30
PASSWORD_MINDAYS=5
PASSWORD_WARNDAYS=7

Regards,
Syam

Re: /etc/default/password

Sameer_Nirmal — Thu, 18 Aug 2005 14:20:13 GMT

Unless you know the application dependability on /etc/passwd file , it is quite risky to make these changes on production system. If don't know about application , try this on Test system first.

/etc/default/security file and concerned policy can only be implemented in HP-UX 11i.

Re: /etc/default/password

Tim Nelson — Thu, 18 Aug 2005 14:46:57 GMT

/tcb/auth/files/system/defaults.

default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#1814400:u_maxlen#16:u_exp#3628800:u_life#5184000:\
:u_llogin#5184000:u_pw_expire_warning#1209600:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#6:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:

If unsure, modify defaults in SAM then check this file to see what the relationship is.

Re: /etc/default/password

Nicky_5 — Thu, 18 Aug 2005 14:49:17 GMT

given the current settings of my system, would i be right in saying that the ids created by on this machine are not governed by any policy?

Also does any one know what exactly happens when i enable TCB on this machine? the password section of /etc/password is replaced by a *, does that mean that the passwords are reset or do the passwords remain unchanged,but the encrypted passwords would not be stored in another file instead of /etc/passwd?

any suggestions?

Re: /etc/default/password

Bill Hassell — Thu, 18 Aug 2005 14:49:55 GMT

As you know, 10.20 has been obsolete for several years so the /etc/default/security file is meaningless to that system. You do have password aging available but nothing else. SAM can handle password aging for your users.

Converting to Trusted using SAM is a low risk task and will not affect users UNLESS they are typing more than 8 characters for their password. The un-Trusted passwd program silently ignores the extra characters but a Trusted system pays attantion to all the characters tpyed in and it will fail after conversion because the password is only 8 characters long.

Additionally, poorly written programs may play around with the password file and these programs may fail because they do not understand the Trusted database system. But for security, you don't want such programs anyway. Your best choice is to get a test system and verify operation before you convert. Use SAM and you can convert while the system is running--takes just a minute or so.

Re: /etc/default/password

Nicky_5 — Thu, 18 Aug 2005 14:50:34 GMT

hi Tim,

since i dont have have TCB enabled, i dont have the /tcb directory, and hence the consequest files are also not there...

Re: /etc/default/password

Ranjith_5 — Thu, 18 Aug 2005 14:51:54 GMT

Hi,

the tcb database is created only after making the system trusted. Once the system is made trusted then the passwords will be stored in the tcb database.

Regards,
Syam