topic Re: System wide password Format on Trusted System 11.11? in Operating System - HP-UX

System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 13:01:17 GMT

We are looking at ways to improve password policies.

I see parameters in:
/tcb/files/auth/system/
default:

I want to know is there a way to define parameters, to set password format
and minimum length?

We would like to set a minimum password length and force the use of a alpha/numeric/character mix.

Can someone explain or suggest ways to enforce "minimum length" and "format requirements" (such as alpha/numeric/characters)

I see in SAM you can make the system
GENERATE
- Pronouncable
- Character
- Letters Only
- User Specifies

DO you procedurally use "User Specifies" and ask the User to use a mix ? Or is there a way when the user resets there password to require the specify a minimum format requirement?

And a minimum length?

Replies, links, ideas all appreciated.

Re: System wide password Format on Trusted System 11.11?

Mel Burslan — Tue, 29 Sep 2009 13:05:01 GMT

did you check /etc/default/security file yet ?

here is how mine looks:

[root@nomad:/root]
# ll /etc/default/security
-r--r--r-- 1 bin bin 2538 Oct 31 2007 /etc/default/security
[root@nomad:/root]
# grep -v ^# /etc/default/security | grep -v ^$
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MAXDAYS=91
PASSWORD_MINDAYS=1
PASSWORD_WARNDAYS=7
SU_ROOT_GROUP=sysadm

Re: System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 13:07:04 GMT

Mel,

this is a trusted 11.11 system.. I do not have
the /etc/default/security file..

Re: System wide password Format on Trusted System 11.11?

Hakki Aydin Ucar — Tue, 29 Sep 2009 13:16:28 GMT

Did you check the ;

/tcb/files/auth/system/default

BTW ; The file in question is /etc/default/security does not exist by default. But if we create it, we can use a variable called

PASSWORD_HISTORY_DEPTH:3

In this case, a new password is checked against the last three passwords. If the new password is the same as a previous password, the user must choose a different one. Password histories are stored in files under the directory /tcb/files/auth/system/pwhist:

Re: System wide password Format on Trusted System 11.11?

James R. Ferguson — Tue, 29 Sep 2009 13:18:17 GMT

Hi:

You might want to consider that Trusted Systems are deprecated with 11.31 and will not be supported in successive releases.

As Mel pointed out, the '/etc/default/security' file (and shadow passwords) are part of the basis for future security enhancements in HP-UX. You might want to consider beginning this transition.

For 11.11 the Shadow Password product can be obtained here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Regards!

...JRF...

Re: System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 13:54:24 GMT

So, will the /etc/default/security work on the trusted system?

(per JRF) it would require we install the "Shadow Password Depot"?

Does this Depot overlay the tcb/trusted system or do we need to unconvert the trusts?

Re: System wide password Format on Trusted System 11.11?

Pete Randall — Tue, 29 Sep 2009 14:04:29 GMT

Yes, it will work on trusted systems. If you don't have one, just create it. You can use Mel's as a template.

Pete

Re: System wide password Format on Trusted System 11.11?

Pete Randall — Tue, 29 Sep 2009 14:05:11 GMT

Oh - and the security man page will guide you on the rest of the parameters.

Pete

Re: System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 14:07:07 GMT

Thanks Pete..

I will take a look at both.

Re: System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 14:26:02 GMT

Thanks All. As usual.. Many thanks.. Wish I could contribute as much as I get back from you all.

Re: System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 16:35:19 GMT

Are changes made to the /etc/default/security
take prececent over user TCB files or is this
file subservient of tcb security?

Re: System wide password Format on Trusted System 11.11?

Bill Hassell — Tue, 29 Sep 2009 18:42:44 GMT

/etc/default/security and the /tcb entries are 'merged' together. It is quite painful to try to figure all this out by inspection. Start by creating a complete /etc/default/security file. I have attached a sample here. NOTE: if you do not keep up on patches, some of the items will be ignored. Note also (as the comments state in the file), the "#" character cannot be used on the same line as a desired setting. The code blindly skips any line with # in it.

I have attached a sample security file. In my next post, I have attached a security definition script that will summarize all the settings in your current system.

Note that while Trusted is deprecated for the future, the replacement choices are not as capable. Unless you plan on moving to the next version past 11.31 (not out yet), I would stay with Trusted. Adding Shadow Passwords will be fairly confusing when you see all the limitations.

Re: System wide password Format on Trusted System 11.11?

Bill Hassell — Tue, 29 Sep 2009 18:44:30 GMT

Here is the security settings script. It should give you virtually all of the current settings. SAM is also useful but a lot more cumbersome to locate and set the values.

Re: System wide password Format on Trusted System 11.11?

Hakki Aydin Ucar — Tue, 29 Sep 2009 19:30:25 GMT

Hi,

I also recommend that you can read this post as addendum knowledge, I think it is very useful especially the future of Trusted Systems and their disadvantages:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1371250

Regards.

Re: System wide password Format on Trusted System 11.11?

rmueller58 — Tue, 29 Sep 2009 19:36:08 GMT

Thanks All.

I appreciate the assistance ..