topic Re: Modem Security in Operating System - HP-UX

Modem Security

Rushank — Fri, 18 Jan 2002 16:21:42 GMT

Hello,

I would like to configure a modem for dial-in on D box with 10.20. This is a trusted system and I would like to configure modem with security feature.

The most of the docs on this site explains about /etc/d_passwd and /etc/dialups.
But both the files are not present in this directory. I tried creating d_passwd file passwd -F /etc/d_passwd /usr/bin/ksh without any sucess
A step by step help would be highly appriciated. Also let me know if there is any other security features available for modem.

Thanks in advance

Re: Modem Security

S.K. Chan — Fri, 18 Jan 2002 16:39:14 GMT

To add a single dialup password for any port listed in the /etc/dialups file, perform the following steps:

1. Edit /etc/dialups to add a list of dialin ports for which you want to have a dialup password. For example:

/dev/ttyd0p7
/dev/ttyd0p1

2. Edit /etc/d_passwd to look like:

/usr/bin/sh::comment

where the first field is the shell to be used, the second field is reserved for an encrypted password, and the third field is comment.

3. Add the password to /etc/d_passwd using the following command:

# passwd -F /etc/d_passwd /usr/bin/sh

This prompts for the password.

Re: Modem Security

Rushank — Fri, 18 Jan 2002 17:19:46 GMT

Chan,

I've read this doc, The problem is I don't have these files in my /etc/ directory (d_passwd and dialups) Do I need to creat this file..?

T tried creating d_passwd file and then executed passwd -F option. (passwd -F /etc/d_passwd /bin/sh) I'm getting an error saying invalied login

Re: Modem Security

S.K. Chan — Fri, 18 Jan 2002 17:56:46 GMT

Yes you need to create /etc/dialups and /etc/d_passwd. These files should be owned by root:root and permission 600.

I'm not sure if this would make a difference but try it anyway .. try using /usr/bin/sh in both the d_passwd file entry and the passwd command.

Re: Modem Security

Rushank — Fri, 18 Jan 2002 19:39:46 GMT

I created file d_passwd with touch command with 600 permissions.
and when I run passwd -F /etc/d_passwd /usr/bin/sh I get invalied login

Re: Modem Security

Geno Church — Fri, 18 Jan 2002 20:03:57 GMT

Try this...

The problem lies in the length of the loginname.

ANd there is a patch out that addresses this bug. If you don't have this patch then apply.

PHCO_13734

No reboot is required.

Geno-HP

Re: Modem Security

Rushank — Fri, 18 Jan 2002 21:11:43 GMT

Pacth is already there.. Problem remains..

Re: Modem Security

S.K. Chan — Fri, 18 Jan 2002 21:41:23 GMT

Ok .. try this entry in /etc/d_passwd file instead. This is the "workable" passowrd entry format in HPUX11.x but you're running 10.20...so I'm not sure if this will work but at this point you got nothing to lose.

/sbin/sh::0:0:comment::

Re: Modem Security

S.K. Chan — Fri, 18 Jan 2002 21:42:58 GMT

Sorry it should be ..

/usr/bin/sh::0:0:comment::

Re: Modem Security

Rushank — Fri, 18 Jan 2002 21:53:08 GMT

Hi,

Tried that but when I use passwd -F /etc/d_passwd /usr/bin/sh
I get invalied login name

Re: Modem Security

S.K. Chan — Fri, 18 Jan 2002 22:22:37 GMT

This is what I found out ..

Quote ..
The problem was introduced onto your system with the application of patch PHCO_10274 (superseeded by PHCO_13734). One of the fixes in the patch was for a security problem. In this fix, there was a check added for an 8 character username in /etc/passwd. When dialup security is invoked, login requests an additional password, and checks it against that found in /etc/d_passwd. The command name found in the ``program to use as shell'' field of /etc/passwd is used to select the password to be used. With the SVR4 file system, it
now has path names to shells that exceed the 8 character limit.

The workaround is to use a bogus "program to use as shell".

In /etc/d_passwd you need something like:

shell::comment

Then run passwd:

passwd -F /etc/d_passwd shell

After the password has been changed, edit /etc/d_passwd to have the path to the real shell that you want to use.
Unquote ..

Good Luck

Re: Modem Security

Rushank — Fri, 18 Jan 2002 22:52:55 GMT

Yes that worked.. But how do I add users in this d_passwd file..?

Re: Modem Security

S.K. Chan — Sat, 19 Jan 2002 00:35:34 GMT

Example :-

1) Edit /etc/d_passwd to look something like this list:
shell1::comment
shell2::comment
/usr/bin/sh::comment
Note: Remember, shell1 to 3 is dummy shell. I am assuming you've got the first part done (ie set up /usr/bin/sh line with password)

2) Run ..
# passwd -F /etc/d_passwd shell1
# passwd -F /etc/d_passwd shell2

3) Create links for the users to their shells:
# ln -s /usr/bin/sh /usr/bin/uss1
# ln -s /usr/bin/sh /usr/bin/uss2

4) Edit the /etc/passwd and /etc/d_passwd files so that the shell is listed with the new links:
# vi /etc/passwd
dialup1::111:20:comment,,,:/home/dialup1:/usr/bin/uss1
dialup2::112:20:comment,,,:/home/dialup2:/usr/bin/uss2
# vi /etc/d_passwd
/usr/bin/uss1::comment
/usr/bin/uss2::comment
/usr/bin/sh::comment

Re: Modem Security

Rushank — Mon, 21 Jan 2002 16:04:13 GMT

Why is that I get all garbage when I connect to remote box.?? What is the right cable Modem is connected to serial port of D box (9 -pin) and to modem (25 pin)

Re: Modem Security

harry d brown jr — Mon, 21 Jan 2002 16:11:49 GMT

Rushank,

Have you looked into dial-back modems?

http://rr.sans.org/unix/sec_HPUX.php

live free or die
harry