topic Re: one-time password on HP/UX? in Operating System - HP-UX

one-time password on HP/UX?

Michael_356 — Thu, 06 May 2004 08:18:17 GMT

Hi all,

one item in our security-list is the requirement of an once-per-session password for users, who log into our machines with an insecure connection or protocol.
I've never heard before about this. Is there any software or patch available from HP?
Where in the OS i can set this functionality?

Is there anybody out there, who can remedy my lack of information?
Please help

Thanx in advance
Michael

Re: one-time password on HP/UX?

Stefan Farrelly — Thu, 06 May 2004 08:22:01 GMT

With 11.0 and 11i you have the modprpw command which lets you set things like password lifetime (in days), expiration time (days) and account expiration time (days). As you can see its all in days, so the best you can do is have a password valid for 1 day.

Re: one-time password on HP/UX?

Jairo Campana — Thu, 06 May 2004 08:23:41 GMT

see this documents:

http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/4-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/4-toc.html&searchterms=trusted%7cmode&queryid=20040506-072121

http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/18-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/18-toc.html&searchterms=trusted%7cmode&queryid=20040506-072121

http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/5187-2216/5187-2216_top.html&con=/hpux/onlinedocs/5187-2216/00/00/73-con.html&toc=/hpux/onlinedocs/5187-2216/00/00/73-toc.html&searchterms=trusted%7cmode&queryid=20040506-072121

Re: one-time password on HP/UX?

Karthik S S — Thu, 06 May 2004 08:30:11 GMT

Hi Michael,

I am not sure if once-per-session password can be enabled. But if you convert your HP-UX to a trusted system you can configure the password control/ageing to achieve what you want (to certain extent).

Refer:
http://docs.hp.com/hpux/onlinedocs/B2355-90121/00/00/19-con.html

-Karthik S S

Re: one-time password on HP/UX?

Jairo Campana — Thu, 06 May 2004 08:34:18 GMT

security :-)

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/skey-1.1b/

The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/reply attacks. This system has several advantages compared with other one-time or multi-user authentication systems. The user's secret password never crosses the network during login, or when executing other commands requiring authentication such as the UNIX passwd or su commands. No secret information is stored anywhere, including the host being protected, and the underlying algorithm may be (and it fact, is) public knowledge. The remote end of this system can run on any locally available computer. The host end could be integrated into any application requiring authentication.

Re: one-time password on HP/UX?

Sanjay_6 — Thu, 06 May 2004 08:45:38 GMT

Hi,

I don't think there is anything that you can do on the system to allow you to do this. but before you get to the server you can try something like securID.

Try this link below,

http://www.rsasecurity.com/products/securid/

VPN is another solution.

Hope this helps.

Regds

Re: one-time password on HP/UX?

Bharat Katkar — Thu, 06 May 2004 08:48:46 GMT

In a normal system only way out is to sepcify:
"Password Expiration Time" for the user and don't know how it will help you.
But if your system is trusted this is possible by configuring proper password policy for that user.
See the attached docs for tcb:

Re: one-time password on HP/UX?

Bharat Katkar — Thu, 06 May 2004 08:54:45 GMT

Also take a look at one more doc which talks about password aging in non trusted systems

hope this helps:
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=-1335382922+1083851413890+28353475&docId=200000067130219

Re: one-time password on HP/UX?

Michael_356 — Thu, 06 May 2004 09:12:37 GMT

Thanx alot for all your answers.

All of our machines runs in trusted mode,
pw-expiration and -lifetime is set to accurat values for "normal" users but i need a solution for our supporters and suppliers who need temporary access to our system.
The need is an enhanced functionality of pw-expirationtime. One day-password isn't enough in this case, once-per-session-password is the requirement.

thx to jairo, maybe the only way to getz this functionality

Michael

Re: one-time password on HP/UX?

Mel Burslan — Thu, 06 May 2004 10:25:01 GMT

well, if you are the programmer type, I have another suggestion:

in the $HOME/.profile of the userid which will only be allowed to login once in its lifetime, you can put a command to execute an executable program (not a shell script as this will require to be run with setuid bit, aka sticky bit). This command will not be anything more than a c wrapper for command

passwd -l $(who am i| awk {'print $1'})

which will immediately disable the subsequent logins to this account upon first successful login.

Just a suggestion if you can not find a shrink wrapped solution.

Re: one-time password on HP/UX?

Michael_356 — Fri, 07 May 2004 04:07:29 GMT

@mel:

Yes, I AM of this type :-)

Great idea with a small downer:
How to secure the entry in $HOME/.profile?
Maybe i can hide it with an inexpressively name but in every company is ONE person who are a little bit too curious. Better to deny access to some files then to hide it in an accessible file.
Or is it possible, to chown $HOME/.profile to root?

Re: one-time password on HP/UX?

Bharat Katkar — Fri, 07 May 2004 08:38:03 GMT

Or is it possible, to chown $HOME/.profile to root?

No. Instead you use chmod and set SUID bit.

Re: one-time password on HP/UX?

Mel Burslan — Fri, 07 May 2004 11:08:50 GMT

Michael,

I have seen more frequently than not, .profile and other .*rc files being owned by root:sys and functioning well as long as the the permissions are open to be read by anyone, i.e., 444, 644 or 744 permissions. Many times I encountered this root ownership of the skelton files is mainly due to a sloppy previous system admin/builder but it works and that I believe is what matters to you the most.