topic Re: PHI11i3 and LongPass11i3 installed but not affecting passwords in Operating System - HP-UX

PHI11i3 and LongPass11i3 installed but not affecting passwords

Bodule — Mon, 31 Oct 2016 08:38:59 GMT

I have a number of 11v3 systems which I have applied the PHI11i3 and LongPass11i3 bundles to. No errors were reported during install. All the systems already had shadow passwords enabled. None are running Trusted Computing.

in order to test the new Password hashing and password length/character parameters I have edited /etc/default/security to include the requisite entries (checked access permissions were correct)

CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LONG_PASSWORD=1

PASSWORD_MIN_UPPER_CASE_CHARS=X
PASSWORD_MIN_LOWER_CASE_CHARS=X
PASSWORD_MIN_DIGIT_CHARS=X
PASSWORD_MIN_SPECIAL_CHARS=X

Where X = a number I am not going to reveal on a public forum.

I then created a new user on the systems

useradd -u 9999999 -g users -d /home/user_t -s /usr/bin/ksh -c "Test User account" -m user_t

and changed the user's password to a longer than 20 character password using only lower case and numbers.

The system did not warn that the password did not meet the new rules, i.e. didnt warn it was not acceptable as it didnt have any capitals or special characters.

The password was set but logging in as the new user user_t shows that only the first 8 characters are being used.

Looking at the /etc/shadow file I can see that the hashed password is the same size as existing non-SHA-512 passwords. Changing or editing the test user's password makes no change to the encryption on the hashed password ( I have seen SHA-512 encrypted /etc/password in HP-UX11i3 systems and they are longer than these are). I have tried a wide variety of passwords but they remain as 8 character DES passwords.

I have checked the install as best I can and cant see anything which would prevent the new bundles functioning. I have searched these forums and other places to no avail. I have rebooted the systems to no effect. From what I have read once installed there shouldnt be anything else which needs to be done to activate the PHI11i3 and LongPass11i3 bundles.

Any help or diagnostic advice very much appreciated.

Re: PHI11i3 and LongPass11i3 installed but not affecting passwords

Steven Schweda — Mon, 31 Oct 2016 12:09:11 GMT

> [...] None are running Trusted Computing.

   I know nothing, but my quick Web search for:
       /etc/default/security hp-ux
found:
      /t5/x/x/td-p/3648070

       As bill pointed out just above your problem could be because of
       your non trusted system.many of the security settings shown below
       in the /etc/default/security file will only be effective if the
       system is TRUSTED.
       [...]
       MIN_PASSWORD_LENGTH=
       PASSWORD_MIN_UPPER_CASE_CHARS=
       PASSWORD_MIN_LOWER_CASE_CHARS=
       PASSWORD_MIN_DIGIT_CHARS=
       PASSWORD_MIN_SPECIAL_CHARS=
       [...]

Re: PHI11i3 and LongPass11i3 installed but not affecting passwords

Bodule — Mon, 31 Oct 2016 14:52:12 GMT

Thanks for the quick response . I had read that and noted the link

"Hope the following doc will help you to know more about trusted system features and administration.
http://docs.hp.com/en/B2355-90121/index.html"

is broken as it is to the old hp site not the new hpe one ( A bit later and some searching of the hpe site only reveals links to other Communities posts refering to that document and no links to the document itself). I have also found slightly conflicting advice regarding whethter or not the system needs to be Trusted or not. The linked communities post is from 2005 and the man page / and patches are from 2012 so things may have changed in the years since that post in 2005?

I have also tried removing the settings for
PASSWORD_MIN_UPPER_CASE_CHARS=
PASSWORD_MIN_LOWER_CASE_CHARS=
PASSWORD_MIN_DIGIT_CHARS=
PASSWORD_MIN_SPECIAL_CHARS=

But it made no difference. The passwords are still not encrypted and still limited to 8 characters

From the 2012 version of the security(4) Man Page on the systems in question installed as part of the patch process

"MIN_PASSWORD_LENGTH

This attribute controls the minimum length of new passwords. On trusted systems it applies to all users. On standard systems it applies to non-root local users and to NIS users. On systems in standard or shadow mode, it applies to root if PASSWORD_POLICY_STRICT=1. The system-wide default defined here may be overridden by defining per- user values in /var/adm/userdb (described in userdb(4)).

MIN_PASSWORD_LENGTH=N New passwords must contain at least N characters. For standard systems, N can be any value from 3 to 8. For trusted systems, N can be any value from 6 to 80.
Default value: MIN_PASSWORD_LENGTH=6"

So my reading of "On standard systems it applies to non-root local users and to NIS users." is that MIN_PASSWORD_LENGTH should work on Standard (not Trusted) systems.

Also

"PASSWORD_MIN_type_CHARS

Attributes of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess. This attribute applies to local, non-root users. On a system in standard or shadow mode, it also applies to root if PASSWORD_POLICY_STRICT=1. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a minimum of N upper-case characters are required in a password when changed.

PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a minimum of N lower-case characters are required in a password when changed.

PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum of N digit characters are required in a password when changed.

PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum of N special characters are required in a password when changed.

Default value: The default for each of these attributes is zero."

"This attribute applies to local, non-root users. On a system in standard or shadow mode, it also applies to root if PASSWORD_POLICY_STRICT=1. " Suggests to me, again, that this should work in Standard Mode. Unless I am missing something? There are later warnings against using PASSWORD_POLICY_STRICT=1 in the entry for that parameter in the man page for security issues so I havent set it in my testing.

While the Trusted / Standard mode may be an issue regarding the additional password parameters I still havent managed to get the most basic change of encryption from DES to SHA-512 to work or for passwords over 8 characters to be accepted. Which suggests a bigger problem.

Re: PHI11i3 and LongPass11i3 installed but not affecting passwords

Bodule — Wed, 30 Nov 2016 20:20:16 GMT

Have solved this, for the most part but more on that later... The solution... Ended up raising a call with HPE support to get to the bottom of why it wasnt working. The reasons were :-

1) The order of the entries for Password Hashing Infrastructure matter in /etc/default/security. Get them the wrong way round and it wont encrypt the passwords using SHA512, it will continue to use DES.

The wrong way round is :-

CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_DEPRECATE=__unix__

The correct way round is :-

CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

As in:

############################################################################
# Additional parameters to support PHI11i3 Password Hashing Infrastructure #
# and LongPass11i3 Long Passwords #
# #
############################################################################

# To migrate DES-based password hashes to SHA512-based hashes
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_ALGORITHMS_DEPRECATE=__unix__

# To set the default password hash algorithm to an SHA512-based algorithm
#CRYPT_DEFAULT=6
CRYPT_DEFAULT=6

# To activate the HP-UX LongPass11i3 functionality
# The MIN_PASSWORD_LENGTH parameter can be set to values greater than 8
#LONG_PASSWORD=1
LONG_PASSWORD=1

2) It doesnt work if you have LDAP enabled when you try to set or change a password. You need to check /etc/nsswitch.conf and /etc/pam.conf for any refereneces to LDAP and comment out or remove them.

3) All the systems I am working on do not have trusted computing enabled and all of the additional password parameters do work with the exception of root see below.

Also worth noting is that when creating a new user and setting a password as root any rules set to enforce password parameters (special characters, Caps, lc, numbers, length) will be ignored. They will be enforced for the user just not for root. This caught me out trying to test if the rules set in /etc/default/security were working

Ref man page security 4

PASSWORD_POLICY_STRICT
This attribute imposes restrictions when root is changing passwords. These restrictions already apply to normal users.

If you enable PASSWORD_POLICY_STRICT then the rules will also apply to root. But this could be a bad idea I am led to believe..

With these changes made I have now successfully set up a number of systems... apart from one which, despite everything above being correctly configured resolutely refuse to apply SHA512 encryption to new passwords. When I get to the bottom of that I will report back in case anyone else come across this issue.