topic Re: Restrict Policies in /etc/default/security in Operating System - HP-UX

Restrict Policies in /etc/default/security

raiden — Mon, 08 Dec 2008 09:19:58 GMT

In one of our system we have set some password policies in /etc/default/security. But now I dont want to restrict this policies to some of the accounts. Is there any method to not force this policies on some of accounts. Is is possible through "modprpw"?

Re: Restrict Policies in /etc/default/security

Robert-Jan Goossens — Mon, 08 Dec 2008 10:04:13 GMT

Hi,

Depends on which policies you are using in the /etc/default/security file and if your system is setup as a trusted system.

Have a look at the security manual, it describes for each policy if the system-wide default can be overwritten.

http://docs.hp.com/en/B3921-60631/security.4.html

Regards,
Robert-Jan

Re: Restrict Policies in /etc/default/security

Ganesan R — Mon, 08 Dec 2008 10:06:03 GMT

Hi Raiden,

Security settings defined on /etc/default/secuirty will be applicable to all the users. If you want to modify user level settings, then you need to convert the system into trusted mode.

modprpw will work with protected database that is on trusted systems

Re: Restrict Policies in /etc/default/security

raiden — Mon, 08 Dec 2008 10:24:28 GMT

Ganesan .. My system is trusted.. so how can i use modprpw to bypass below policies for defined in security file.

PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1

i want to use a simple password like abc123 but these policies doesnt allow me to.

Re: Restrict Policies in /etc/default/security

Ganesan R — Mon, 08 Dec 2008 10:46:38 GMT

Hi,

Simple way is goto SAM -> Accounts for Users and groups -> select the desired user -> Actions -> Modify user's security policies -> Password format policies -> here disable the restriction rules.

You can also do the same thing using modprpw command. You need to use "rstrpw=value" . Value can be YES/NO/DFT with modprpw command.

Re: Restrict Policies in /etc/default/security

Robert-Jan Goossens — Mon, 08 Dec 2008 10:48:49 GMT

Raiden,

Configuring Per-User Attributes

http://docs.hp.com/en/5992-3387/ch02s05.html

userdbset

Changes the attribute for the specified user to override the systemwide default defined in the /etc/default/security file. For an example, see Section , and see userdbset(1M) for more information.

Regards,
Robert-Jan

Re: Restrict Policies in /etc/default/security

Mark McDonald_2 — Mon, 08 Dec 2008 10:49:57 GMT

>>>i want to use a simple password like abc123 but these policies doesnt allow me to.

OK so use a then b c then 1 then 2 3

Abc!23 - seems pretty simple to me?

Re: Restrict Policies in /etc/default/security

raiden — Mon, 08 Dec 2008 11:12:29 GMT

Ganesan >>> Both the methods are not working.

@ Robert ...I cannot find the command userdbset in my system.

Re: Restrict Policies in /etc/default/security

Robert-Jan Goossens — Mon, 08 Dec 2008 11:49:02 GMT

what os version are you running?

Re: Restrict Policies in /etc/default/security

raiden — Mon, 08 Dec 2008 12:49:47 GMT

this is 11.11.

Is there any other alternate method.

Re: Restrict Policies in /etc/default/security

Steven E. Protter — Mon, 08 Dec 2008 13:27:51 GMT

Shalom,

trusted system is great, I like to use it but you should be informed that it is last placed in 11.31.

It has been declared obsolete and will in the future be replaced by other tools. Shadow password might be a better option for compatibility with future versions of HP-UX

SEP

SEP

Re: Restrict Policies in /etc/default/security

raiden — Mon, 08 Dec 2008 15:00:52 GMT

Please someone tell me how do I bypass this settings in security file.

PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1

i want to keep a simple password like abc12345 for system admins.

Re: Restrict Policies in /etc/default/security

Patrick Wallek — Mon, 08 Dec 2008 16:23:56 GMT

>>i want to keep a simple password like abc12345 for system admins.

Why would you want to do that? If anything the system admins passwords should be more complicated. They should lead by example, especially when it comes to passwords.

I don't think there is a way to bypass the rules in /etc/default/security. I think they are completely separate from any trusted system settings and apply to ALL users on the system, no matter what.

Re: Restrict Policies in /etc/default/security

Mark McDonald_2 — Wed, 10 Dec 2008 02:55:02 GMT

Cant you simply copy the password hash from a box with a known simple password?