topic Re: force passwds characteristics in Operating System - HP-UX

force passwds characteristics

p7 — Tue, 09 Oct 2007 08:49:39 GMT

hi all

auditers came in, they want us to force the users to use more complex passwords than what they are currently using (simple, 1234,etc).
is there a way in regular unix (without trusted or a 3 party product) to do this?

thx in advance

Re: force passwds characteristics

Steven E. Protter — Tue, 09 Oct 2007 08:53:53 GMT

Shalom,

/etc/default/security

example

MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1

SEP

Re: force passwds characteristics

Patrick Wallek — Tue, 09 Oct 2007 08:56:06 GMT

What version of HP-UX are you running?

If you are being audited, I'm surprised the auditors didn't ding you for not being trusted. ALL applications should work with trusted systems.

If you are HP-UX 11.11 or higher, do a 'man security'. This will give details of settings that can be used with the /etc/default/security file.

Things to look at are: password_history_depth, min_password_length, password_min_uppercase_chars, password_min_lowercase_chars, password_min_digit_chars and password_min_special_chars.

Setting these in /etc/default/security should do what you require. Be sure to read carefully, though, as some options MIGHT require your system to be trusted.

Re: force passwds characteristics

Fat Scrape — Tue, 09 Oct 2007 08:57:48 GMT

Hi Pasquale,

see passwd man page for more information

Fat

Re: force passwds characteristics

rmueller58 — Wed, 10 Oct 2007 09:15:22 GMT

Is your system trusted or untrusted?

For HP/UX you can change the parameters for security from within SAM
--Auditing and Security
-- System Security Policies

There are four selections you can go into and modify..
Password Format Policies
Password Aging Policies
General User Account Policies
Terminal Security Policies

I believe on a trusted system you have to modify a different file then /etc/default/security

Each user has a /tcb/files/auth/?/username file that contains rules and history related to login. It is best on a trusted system to modify the default parameters from within SAM.

Most of these are fairly self explanatory. If your system contains just a basic install and you haven't updated with patches, you may want to do so, also make sure you check that you have an updated version of SSH. We have 11.11 and had problems with the SSH version installed not handshaking correctly with PAM.

Re: force passwds characteristics

Bill Hassell — Wed, 10 Oct 2007 10:06:14 GMT

Although the man page for security will help, most of the options do not apply for a "regular" HP-UX system, that is, not Trusted. The man page for passwd tells you the limitations for an untrusted system.

It's a good thing your auditors are recommending converting to a Trusted system since you will then meet the security requirements and have a much safer system.

Re: force passwds characteristics

hpguys — Wed, 17 Oct 2007 03:30:24 GMT

Hi I also have such problem, our HP-UX is trusted mode, but I cannot find the /etc/default/security, is it created by root user? If created and added setting on it, can HP-UX will update the config automactically?

Thanks in advance

Re: force passwds characteristics

Bill Hassell — Wed, 17 Oct 2007 07:27:50 GMT

/etc/default/security never exists on a new system -- you must create it (as root). It should be owned by root:sys and have permissions of 600 (ie, no permissions except for the owner).

Here is a sample with a bunch of comments. NOTE: whether a feature exists or not depends on OS version and patches. Use your system's man page for security as the guide. Note also that the security file is parsed such that a # character appearing anywhere on the line (first, middle, last, etc) causes the line to be ignored. Also, if a setting is misspelled or has an invalid setting, it is silently ignored, so you must test each feature.

# Security file: /etc/default/security -- 11.00 and higher only

# Note: the contents of the security file are only meaningful
# at specific versions of HP-UX and security patches.
# And at 11.23 2005, a product called "Standard Mode Security Extensions"
# was created and adds additional security features to a non-Trusted
# system. So the only accurate documentation as to the working options
# in the security is: man security

# Comments (#) allowed only on separate line,
# no trailing # following a parameter or it
# will invalidate the setting

# Access controls (11.0 and higher)
#################

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Single user mode authorization (11i and non-trusted only)
###########################################################

# Requires root password to get into single user mode
# BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

# PASSWORD_MAXDAYS=120
# PASSWORD_MINDAYS=7
# PASSWORD_WARNDAYS=7

# Session controls
##################

SU_ROOT_GROUP=suroot
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
UMASK=022
# SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD