topic Re: login specifications in Operating System - HP-UX

login specifications

Donald Thaler — Thu, 14 Jan 2010 13:09:21 GMT

i checked the man pages on login and looked into
/etc/default/security.. but i didn't see any specification that would lock an account after 'x' number of failed logins...

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 13:32:28 GMT

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1263475909790+28353475&threadId=1184810

Pete

Re: login specifications

Jupinder Bedi — Thu, 14 Jan 2010 14:31:18 GMT

you can mention the following field /etc/default/security

NUMBER_OF_LOGINS_ALLOWED=

Re: login specifications

Jupinder Bedi — Thu, 14 Jan 2010 14:38:13 GMT

if it is a trusted system than you need change the parameter in /tcb/files/auth/system/default file

u_maxtries

Re: login specifications

Donald Thaler — Thu, 14 Jan 2010 15:53:04 GMT

NUMBER_OF_LOGINS_ALLOWED is for concurrent logins according the the documentation... the correct value is auth_maxtries=

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 15:55:25 GMT

and it's only available on trusted systems

Pete

Re: login specifications

Donald Thaler — Thu, 14 Jan 2010 16:26:31 GMT

how do i know if its a trusted system ?

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 16:28:37 GMT

The password fields in /etc/passwd will be nulled out (or replace with a * - can't remember which) and you will have a tcb directory structure instead.

Pete

Re: login specifications

Donald Thaler — Thu, 14 Jan 2010 16:33:33 GMT

next question... how do we become a trusted site... the password file has entries in it for each unix user ??

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 16:38:59 GMT

The best way is to use SAM. Sam > Autditing and Security > System Security Policies will accomplish it. You will get a screen telling you that you have to convert and it will ask you if you want to converty now. You can subsequently unconvert if you don't like it, by running tsconvert -r.

You can also use tsconvert to do the initial conversion but SAM does a better job of making sure the passwords are not initially expired, among other things.

Pete

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 16:41:22 GMT

Also, you don't mention which version of HP-UX you're running, but the last entry in the thread I pointed out mentions a product which implements many of these sorts of features on a 11.23 system. It also mentions that trusted is deprecated on 11.31. Something else to consider.

Pete

Re: login specifications

Donald Thaler — Thu, 14 Jan 2010 17:26:43 GMT

I'm on 11.23, when switching to a trusted site will we notice anything different if we don't modify /etc/default/security and take all the defaults ? I just want to be a little proactive, just in case the users start experiencing something new as a result of this switch to a trusted site.

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 17:32:51 GMT

Not sure on that one, Donald. I've never run trusted. It always seemed like it would be overly restrictive for the users and more work for me - resetting password and so on - so I never tried it. Sorry.

Pete

Re: login specifications

Donald Thaler — Thu, 14 Jan 2010 18:12:43 GMT

so without running "trusted" is there anyway to inhibit logins if someone tries too many times and fails ?

Re: login specifications

Pete Randall — Thu, 14 Jan 2010 18:23:19 GMT

For you, since you're running 11.23, I believe you could use Trusted Mode Security Extensions:
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productN
umber=StdModSecExt

In the above link, it specifically mentions the following features:

# Auditing user and system activities
# Account locking after too many authentication failures occur
# Displaying the last successful and unsuccessful login
# Preventing the re-use of passwords in the password history
# Preventing logins with null passwords
# Restricting logins to specific time periods
# Expiring inactive accounts

Number 2 sounds like your ticket.

Pete

Re: login specifications

Bill Hassell — Thu, 14 Jan 2010 18:36:01 GMT

The simplest way to detect a Trusted system is:

ll -d /tcb

If the /tcb directory exists, then the system is Trusted (assuming root hasn't been playing games).

> I'm on 11.23, when switching to a trusted site will we notice anything different if we don't modify /etc/default/security and take all the defaults ?

The first difference is that there will be a maximum retry limit. When the user fat-fingers the password more than 3 times (3=typical), the login is locked. Untrusted accounts have infinite retries. You use the modprpw command to reinstate the locked user login.

One of the problems with Trusted is that specifications (rules) exist in two places, the security file and also the /tcb/files/auth/system/default. The enclosed script will report a combined summary of all the security settings for a Trusted system.

AS far as side effects, occasionally some old applications try to use the classic /etc/passwd file rather than PAM for application authentication. PAM has been around for more than a decade so most apps will use PAM so that the underlying authentication method is transparent.

Re: login specifications

Donald Thaler — Thu, 14 Jan 2010 23:42:15 GMT

Is there any advantage to running Trusted Mode Security Extensions, vs a TRUSTED system.

I noticed that the trusted mode security extensions requires a download of additional software, that's not required if i run in TRUSTED mode ??