topic Re: HPUX Security - Password complexity in Operating System - HP-UX

HPUX Security - Password complexity

FLQ — Mon, 28 Feb 2005 12:40:37 GMT

Hi all,

Quick question I hope...

I have many trusted mode systems and I would like to enforce password complexiity.

Everything was fine until I discovered that many users are not using very strong passwords i.e. "abc123"

My question is:
How come password complexity does not kick in at the moment users are entering their passwords.

I give them a temp password and make sure the "passwd -f $USER" is executed before they login but still they can put "abc123" as their password.

P.S. I know that I did not give points before when I asked questions but I will do it from now on.

TIA

Francis

Re: HPUX Security - Password complexity

RAC_1 — Mon, 28 Feb 2005 12:44:32 GMT

Do you have rstrpw enabled??

man getprdef for details.
/usr/lbin/getprdef -m rstrpw

Re: HPUX Security - Password complexity

Pete Randall — Mon, 28 Feb 2005 12:46:42 GMT

Francis,

Are you using the /etc/default/security file? You can set PASSWORD_MIN__CHARS, MIN_PASSWORD_LENGTH, and PASSWORD_HISTORY_DEPTH in the security file. Have look at the man page for security.

Pete

Re: HPUX Security - Password complexity

FLQ — Mon, 28 Feb 2005 13:14:01 GMT

/usr/lbin/getprdef -m rstrpw
rstrpw=YES

what are the values of PASSWORD_MIN__CHARS

MIN_PASSWORD_LENGTH is set to the default. i.e. 6
PASSWORD_HISTORY_DEPTH is set to 1
To be dealt with later.

I just did a test with a test user.

I set the password to "abc123" as root then passwd -f testuser.

surely enough it asks me to change the password the next time I log in but I was able to set the passwd as that testuser to "cba321".

Which does not make sense. So I'm wondering if it works at all in regards to password complexity.

TIA

Francis

Re: HPUX Security - Password complexity

Pete Randall — Mon, 28 Feb 2005 13:25:06 GMT

Francis,

"PASSWORD_MIN__CHARS Parameters of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess.

Note: These parameters apply only if the libpam_unix patch PHCO_24606 or later is installed.

PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a minimum of N upper-case characters are required in a password when changed.

PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a minimum of N lower-case characters are required in a password when changed.

PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum of N digit characters are required in a password when changed.

PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum of N special characters are required in a password when changed.

Default value: The default for each of these parameters is zero."

Pete

Re: HPUX Security - Password complexity

FLQ — Mon, 28 Feb 2005 22:08:52 GMT

Thanks Mr. Randall,

these settings look sufficient for the policies we want to enforce for the password.

I will install the patch PHCO_24606 on a test system and validate that I can deploy safely.

But I'm still wondering why "abc123" is a valid password on a system that is supposed to be C2-compliant after being put in Trusted Mode.

Francis

Re: HPUX Security - Password complexity

John Payne_2 — Mon, 28 Feb 2005 22:47:35 GMT

Francis,

Sometimes 'compliance' means you have to do a couple of manual steps to fully become compliant. (Compliance = Able to make compliant. ;) )

In your case, adding some of the rules Pete pointed out should get you there.

P.S. I don't think you have to call him "Mr. Randall", Pete will do. I certainly don't wantanyone calling me Mr. Payne.

John

Re: HPUX Security - Password complexity

Bill Hassell — Mon, 28 Feb 2005 22:56:07 GMT

The Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC) describes the different levels (A,B,C,D) and criteria for security. The password complexity issues (ie, freedom given to the user to pick trivial passwords) is sidestepped in the document CSC-STD-002-85 Password Management Standard (
http://security.isu.edu/pdf/cscst285.pdf ) by stating that all user passwords should be computer generated (an option in a Trusted system). So if you set a security policy that does not allow user-generated passwords, your initial password problem is solved. HP documents some of the details in http://docs.hp.com/en/B2355-90121/ch01s05.html

For subsequent password generation, you can control trivial password choices with the /etc/default/security file options (man security):

MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=2

The above entries will fail all simple passwords like abc123 or even 4321abcd. Because the above settings require lower and UPPER case plus numbers and special characters, the user is severely constrained on trivial choices.

Note: Making passwords very long (minimum greater than 8 chars) and very complex, and requiring monthly changes brings in a totally different security issue: human nature. Using the above rules, the password:

AbCd12%&

will meet the minimum requirements but users will find it difficult to remember and this brings in an even worse scenario: yellow stickys and PDAs with lists of passwords. While the goal is to make guessing passwords difficult, if you go too far, then the passwords start appearing in unsecure locations, especially with sysadmins or DBAs that have responsibilities for many systems.

So there is a fine line between preventing trivial password creation and undesired user behavior. Casual users will simply call the helpdesk and ask for a new password. Eventually, highly intrusive rules get overruled and simplified by upper management.

Re: HPUX Security - Password complexity

Darren Prior — Tue, 01 Mar 2005 05:07:32 GMT

Hi,

In addition to previous comments, you can also manually add unsuitable passwords to the spell(1) dictionary and then enable dictionary checks. There's info on adding words in the man page for spell(1).

regards,

Darren.

Re: HPUX Security - Password complexity

FLQ — Thu, 10 Mar 2005 23:29:54 GMT

I did not realize how busy I was... :-(

John, I understand that I will have to do manual steps...but triviality checks should have rejected that kind of password.

Using the different variables available did the trick.

Bill, thank you for providing the link to Password Management Standard, very interesting document.

The man pages that I have on my systems don't contain the PASSWORD_MIN_type_CHARS definition.

Token authentication ( SecureID ), biometrics, etc...

Darren, I already tried that but would be a tedious task to maintain. Not a solution.

Thank you all

Francis

Re: HPUX Security - Password complexity

Steven E. Protter — Thu, 10 Mar 2005 23:37:30 GMT

Francis,

Probably the policy is a little more complex than required.

I read this thread carefully and the efforts were excellent. My colleagues deserve the 10 seconds it will take to assign them points.

0 for me.

Good luck with your issue.

Steven

Re: HPUX Security - Password complexity

Jan van den Ende — Fri, 11 Mar 2005 02:25:56 GMT

Francis,

Darren, I already tried that but would be a tedious task to maintain. Not a solution.

Yes it is _THE_ solution!

You can make it VERY simple by just using a complete dictonary (or even 2 different language dictionaries merged; for us Dutch & English).
Any "special" words, such as company-specific abbreviations, your business lingo, etc, are then all you have to maintain.

While not on HPUX, THAT is what we are using, it works great & costs little effort.
I would not expect HPUX to behave greatly different!

Proost.

Have one on me.

Jan

Re: HPUX Security - Password complexity

Bill Hassell — Fri, 11 Mar 2005 07:42:05 GMT

You wrote:

> The man pages that I have on my systems don't contain the PASSWORD_MIN_type_CHARS definition.

Most likely, this is an 11.00 system that may not be up to date on patches, specifically security patches. If you haven't done so yet, download the security_patch_check program from http://software.hp.com and run a check on all your systems. This program also has the side benefit of checking patch consistency (all, not just security). The otheruseful tool in patch management is check_patches, useful after any major patch update.

Re: HPUX Security - Password complexity

Ranjith_5 — Fri, 11 Mar 2005 08:54:31 GMT

Hi Francis,

I have set the following in my /etc/default/security file.

PASSWORD_HISTORY_DEPTH=5
SU_ROOT_GROUP=ADMIN
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
UMASK=077
PASSWORD_MAXDAYS=30
PASSWORD_MINDAYS=5
PASSWORD_WARNDAYS=7

The explanation for all the above is given in the man page very clearly.

You cam also see the following link.

http://docs.hp.com/en/B3921-90010/security.4.html

Regards,
Syam

Re: HPUX Security - Password complexity

Ranjith_5 — Fri, 11 Mar 2005 08:58:36 GMT

One More thing..

On HP-UX 11.0, in order to take advantage of the /etc/default/security settings, the patch PHCO_26089 must be installed. In the later versions patch is not required.Mine is a higher version and I am able to get the functionality without loading this patch.

Regards,
Syam

Re: HPUX Security - Password complexity

Amitava_HP-UX — Thu, 25 May 2006 00:12:59 GMT

I want to exclude root user from this complexity setting. How can i do it?

Re: HPUX Security - Password complexity

Bill Hassell — Thu, 25 May 2006 08:48:07 GMT

You can run SAM and modify the root user security settings. Note that this is considered to be bad sysadmin practice since the root user is so powerful. All security attacks on your system will be to obtain root privileges, so weak password rules for root will make this attack much easier for a hacker.

Re: HPUX Security - Password complexity

Amitava_HP-UX — Thu, 25 May 2006 09:19:30 GMT

I could not find any such settings like password complexity in SAM, Pls let me know if any other way is there.

Re: HPUX Security - Password complexity

Bill Hassell — Thu, 25 May 2006 18:25:05 GMT

The command is /usr/lbin/modprpw but you probably do not have the man page for this command on 11.00. It's a pain to go through all the options anyways. You change the password options in SAM by selecting:

Accounts for users --> Users

Then scroll down to the root user, highlight it by pressing return, then select Actions at the top menu and pick Modify. You may get a warning message so select Yes to continue. Then tab down to Modify Password Options... and make your changes for root.