topic Re: Root password..? in Operating System - HP-UX

Root password..?

rvent — Fri, 09 Mar 2007 10:50:55 GMT

Hello,

Today one of the other admins was trying to his password, but she messed up and ended up changing root's password to null.

I just changed root's password, but i need tto find out how to enforce the passwords so that they are not null (at least for root)

I was reading on some previous post and i got this:
/usr/lbin/getprdef -m rstrpw Which results on:
System is not trusted.

I tried man getprdef, but no man page was found. Also there is not /etc/default/security. The only "security" that "find" found was "/etc/opt/dce/security", but it is an empty folder..

Any ideas on how can i enforce passwords not being null...? And what is getprdef..? Why does my system says it is not trusted..?

Thanks

Re: Root password..?

Jeff_Traigle — Fri, 09 Mar 2007 10:59:02 GMT

See security(4) man page. The MIN_PASSWORD_LENGTH parameter controls minimum password length. However, since your system is not running in trusted mode, it will have no effect on the root account.

Your system says it's not trusted because no one made it trusted by running tsconvert (or doing so in SAM). Your password hashes are stored in /etc/passwd (or possible /etc/shadow if you have Shadow Passwords installed).

Re: Root password..?

rvent — Fri, 09 Mar 2007 11:12:09 GMT

All the HP-UX systems that we have are part of a service guard cluster, would that affect anything..?

What would the difference be between the trusted and not trusted...?

Thanks

Re: Root password..?

Sundar_7 — Fri, 09 Mar 2007 11:16:16 GMT

Hi,

"Trusting" a system makes your HP-UX C2-level security complaint. Trusting comes with lots of benefits, but at times it can be a pain too.

I have seen cases where the application stopped working because of the trusted system conversion.

If you convert your system to trusted, then the passwords will be removed from /etc/passwd and /tcb tree will be created where the passwords will be stored, along with other information. This will also enable some default security measures like account lockout after specific number of unsuccessful tries and stuff.

But if you want to enforce "not null" password policy without trusting the system then it may involve some scripting or C programming. You can create a wrapper and use /usr/lib/makekey to create encrypted passwords.

Sundar.

Re: Root password..?

Sundar_7 — Fri, 09 Mar 2007 11:19:48 GMT

It will not directly have any effect on the SG cluster but there are some applications which directly try to get the password entry from /etc/passwd and authenticate the users instead of relying on the PAM to perform the authentication for them,

If it is a plain database server, most probably you will be fine.

There are number of differences between trusted and non-trusted systems. The most obvious ones you will probably notice is the account lockout and even root will be asked for the old password before the password can be changed.

This will mean you will have couple more steps to follow when you forget the password and reboot the system in single user mode !! :-)

Sundar

Re: Root password..?

rvent — Fri, 09 Mar 2007 11:30:16 GMT

Well i am not sure about how our ERP authenticates the user accounts, so i contacted the ERP tech support to see what i can expect and see if it is worth the trouble since the system only provides services to our private network...

Thanks