topic Re: Password Strengthening 2 in Operating System - HP-UX

Password Strengthening 2

Fabrizio Tedone — Tue, 15 Jun 2004 05:25:22 GMT

Hello,
following the suggestions I've found in the Password Strengthening thread, I'm try to implement some password checks, specifically minimum password length and history depth.
I know there is a way to implement this using /etc/default/security file, but when I do 'man security' on my system (HP-UX 11),
I get no manual entry for security. What I'm doing wrong ? Thanks

Re: Password Strengthening 2

Ken Penland_1 — Tue, 15 Jun 2004 05:31:23 GMT

As an example, our security file looks like this:

MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=3
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

I found this to also assist you:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/5187-2783/5187-2783_top.html&con=/hpux/onlinedocs/5187-2783/00/01/127-con.html&toc=/hpux/onlinedocs/5187-2783/00/01/127-toc.html&searchterms=security&queryid=20040517-105549

Re: Password Strengthening 2

Pete Randall — Tue, 15 Jun 2004 05:35:26 GMT

Go here:

http://docs.hp.com/hpux/onlinedocs/B2355-90696/B2355-90696.html

Then click on "volume 8", which will give you "Section 4 - File Formats". Under the "s" section, you will find the man page for "security".

Pete

Re: Password Strengthening 2

Bill Hassell — Tue, 15 Jun 2004 07:43:46 GMT

The section 4 man page for security is missing in 11.0 and various security patches will implement new keywords in /etc/default/security. The docs.hp.com man page is up to date and most features listed will work on 11.0.

However: you need to be up to date on security patches. You need to test each parameter setting to see if it works because there is no error log for misspelled or unimplemented keywords. Comments must start with # in column 1. Trailing # characters will cause the entire line to be ignored. Here's a sample security file with lots of comments:

# Security file: /etc/default/security
# man security

# Features depend on HP-UX rev and patches. Not all features are
# available on older systems.
#
# Comments (#) allowed only on separate line,
# no trailing # following a parameter or it
# will invalidate the setting

# Access controls (11.0 and higher)
#################

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Single user mode authorization (11i and non-trusted only)
###########################################################

# Requires root password to get into single user mode
# BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

# PASSWORD_MAXDAYS=120
# PASSWORD_MINDAYS=7
# PASSWORD_WARNDAYS=7

# Session controls
##################

SU_ROOT_GROUP=suroot
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
UMASK=022
# SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD

Re: Password Strengthening 2

Fabrizio Tedone — Tue, 15 Jun 2004 07:52:17 GMT

Thanks Bill (and thanks Pete and Ken too).
So my understanding is that security file works either in not-trusted or trusted system; am I right ? I just need to create the file and switch to trusted system to implement the checks I need, right ? Finally, from you example file I see that I can implement also a basic alphanumeric check on the password, using PASSWORD_MIN_DIGIT_CHARS: if this keyword is missing only letters are allowed in the password ? Thanks again!

Re: Password Strengthening 2

Pete Randall — Tue, 15 Jun 2004 08:34:45 GMT

Fabrizio,

Yes, all your understandings are correct.

Pete

Re: Password Strengthening 2

Bill Hassell — Tue, 15 Jun 2004 10:54:59 GMT

/etc/default/security is recognized in an untrusted system but VERY FEW options will work. For untrusted, no password history, password length max is 8, no limit on number of logins, and so on. There is no /tcb database structure for these elements.

Re: Password Strengthening 2

Fabrizio Tedone — Fri, 18 Jun 2004 05:41:30 GMT

But in trusted systems, it is possible to define NUMBER_OF_LOGINS_ALLOWED with different values depending on the user ?
thanks!

Re: Password Strengthening 2

Bill Hassell — Fri, 18 Jun 2004 07:28:05 GMT

The /etc/defaults/security file is a global settings file. Any limit in that file applies to all users. You'll see in the man page for security that there are no options for individual user logins except BOOT_USERS and implicit userlogins for the SU_ROOT_GROUP. Tjhe man pages for modprpw and prpwd will detail what can be specified for a specific user.

In a Trusted system, you do have the ability to limit when a specific user can login but not how many times. To control user logins (not ftp or 'r' commands like remsh) you can call the attached script in /etc/profile (and rewrite for /etc/csh.login if you have csh users). This code assumes that you have created a file called /etc/login.limit which has 1 user login per line followed by the number of logins allowed. If the number is missing, the value is unlimited and root is not restricted.