topic Re: /etc/default/Security with Untrusted in Operating System - HP-UX

/etc/default/Security with Untrusted

zafar.rizvi — Wed, 11 Apr 2007 05:27:23 GMT

kindly confirm one thing to me that Password restriction policies work only with trusted host. I installed the patch for that.

I convert my system to trusted and password policies was enforced But i revert back to untrust then not a singly policy was working. (Although documentation says that min_passwd_length can work with untrusted system.).
I just want to get confirmation how can i use password policies with untrusted system.

What changes occured in passwd file or effects after migration from trusted to untrust or trust to untrust.

Any idea about these things.

Re: /etc/default/Security with Untrusted

Steven E. Protter — Wed, 11 Apr 2007 05:36:14 GMT

Shalom,

Going from trusted to un-trusted migrates the password information back into the /etc/passwd file with the standard encryption mechanism.

I'd like to see your documentation, because I recall (perhaps incorrectly) that /etc/default/security does not work unless the system is trusted.

SEP

Re: /etc/default/Security with Untrusted

Pete Randall — Wed, 11 Apr 2007 05:38:20 GMT

A review of the man pages for "security" will reveal that some of the features require that the system be trusted - but not all, so some of the features *should* work.

Pete

Re: /etc/default/Security with Untrusted

Steven E. Protter — Wed, 11 Apr 2007 05:38:48 GMT

My memory was indeed faulty.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1000150

/etc/default/security should be fully functional on non-trusted systems.

JRF confirms this. I confirm this in the previous thread.

Apologies.

SEP

Re: /etc/default/Security with Untrusted

zafar.rizvi — Wed, 11 Apr 2007 06:01:50 GMT

Dear All,

I check it with trusted system all required configuration was working fine. When i convert back to non trusted system and then try to change passwd of any user , it accept the 2 length password. I did't change any file parameters in /etc/default/security.

I am using HP-UX version
HP Release B.11.11 and patch PHCO_27037 is installed as recomended for extra password parameters,
and this configuration parameters is in use in file.
MIN_PASSWORD_LENGTH=7
PASSWORD_HISTORY_DEPTH=3
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1

kindly check and confirm what else i need to configure it with non trusted system.

Re: /etc/default/Security with Untrusted

Bill Hassell — Wed, 11 Apr 2007 07:26:23 GMT

Let me clarify: /etc/default/security does work with an untrusted system. BUT almost *NONE* of the options in the man page are functional in a non-trusted system. The man page doesn't clearly identify the features but you can infer what will not work by the lack of a /tcb directory. The only place to for password controls on an untrusted system is the 4 characters trailing the encrypted password in the /etc/passwd file. That means you can control the time for password expiration, and the minimum time before a password can be changed. That's all. No more. Nada.

So for your list:

> MIN_PASSWORD_LENGTH=7

This is a gray area. The man pages:

security
passwd(1)
passwd(4)

are not conclusive that this item in the security file has any effect. The maximum password size is ALWAYS 8 in a non-trusted system although extra characters beyond 8 are accepted without any error message.

> PASSWORD_HISTORY_DEPTH=3
> PASSWORD_MIN_DIGIT_CHARS=1
> PASSWORD_MIN_SPECIAL_CHARS=1

These are silently ignored in a non-Trusted system. If you upgrade to 11.23 and implement the Security Extensions, then you can regain many of the security file features. See: http://docs.hp.com/en/5991-8711 Note also that Trusted mode is going away after 11.31. See: http://h21007.www2.hp.com/dspp/tech/tech_TechDocumentDetailPage_IDX/1,1701,8231,00.html?jumpid=reg_R1002_USEN

BTW: PHCO_27037 has a warning and has been superseded twice -- the current patch is PHCO_35250. However, it does not mention password length at all.

The attached script will summarize your security settings.