topic Re: Using Password History without being a Trusted System in Operating System - HP-UX

Using Password History without being a Trusted System

Mark VineGar — Wed, 25 Sep 2002 12:51:38 GMT

Is there a way in HP-UX 11x to use password history so users cannot change their password to a the last 3 or 4 previous passwords? I know this can be done if you HP is converted to trusted, but is there a way to do this without being a trusted system?

Thanks
Mark

Re: Using Password History without being a Trusted System

James R. Ferguson — Wed, 25 Sep 2002 13:06:13 GMT

Hi Mark:

Sorry, the password history feature is available only for trusted systems. See the "security features" of the man page for 'passwd(1)'.

Regards!

...JRF...

Re: Using Password History without being a Trusted System

Roger Baptiste — Wed, 25 Sep 2002 13:09:29 GMT

Hi,

I am not sure whether this can be done on a nontrusted system. But, you can do password aging on a non-trusted system by inserting special characters after the passwd entry in the passwd file. This is specified in the man page of passwd. eg:The characters used to represent "digits" are . for 0, / for 1, 0
through 9 for 2 through 11, A through Z for 12 through 37, and a
through z for 38 through 63.

Password aging is put in effect for a particular user if his encrypted
password in the password file is followed by a comma and a nonnull
string of characters from the above alphabet. (Such a string must be
introduced in the first instance by a superuser.) This string defines
the "age" needed to implement password aging.

The first character of the age, M, denotes the maximum number of weeks
for which a password is valid. A user who attempts to login after his
password has expired is forced to supply a new one. The next
character, m, denotes the minimum period in weeks that must expire
before the password can be changed. The remaining characters define
the week (counted from the beginning of 1970) when the password was
last changed (a null string is equivalent to zero). M and m have
numerical values in the range 0 through 63 that correspond to the 64-

**
Also, have a look at SAM and the user section to check whether it has the options. Normally, SAM is a good clue to see what options the system provides in these sort of cases.

HTH
raj

Re: Using Password History without being a Trusted System

Tom Maloy — Wed, 25 Sep 2002 13:09:33 GMT

Check out "man security".

In /etc/default/security, you can set

PASSWORD_HISTORY_DEPTH=9

Allowed values are 1 to 10.

Tom

Re: Using Password History without being a Trusted System

Telia BackOffice — Wed, 25 Sep 2002 13:13:24 GMT

look at :
man 4 security

the thing you are looing for is :
PASSWORD_HISTORY_DEPTH
This parameter controls the password history depth. A new password is checked only against the number of most recently used passwords stored in password history for a particular user. A user is not allowed to reuse a previously used password.

BR,
Jannik

Re: Using Password History without being a Trusted System

Darren Prior — Wed, 25 Sep 2002 13:24:30 GMT

Sorry Mark,

Although security(4) discusses this feature, it is not valid unless the system is trusted. See passwd(1) for info.

There's quite a few threads discussing the benefits and problems of trusted systems to help you decide whether you should change your system to trusted.

regards,

Darren.

Re: Using Password History without being a Trusted System

Joaquin Gil de Vergara — Wed, 25 Sep 2002 13:27:01 GMT

note that /eyc/security exists only in HP-UX 11i (not in 11.0) and the PASSWORD_HISTORY_DEPTH is only supported in a trusted system!

The password history depth configuration is on a system
basis and is supported in trusted system for users in
files repository only. This feature does not support
the users in NIS or NISPLUS repositories. Once the
feature is enabled, all the users on the system are
subject to the same check. If this parameter is not
configured, the password history check feature is
automatically disabled. When the feature is disabled,
the password history check depth is set to 1.

Re: Using Password History without being a Trusted System

Shannon Petry — Wed, 25 Sep 2002 14:37:13 GMT

Well the beauty of Unix is that there are many ways to skin the proverbial cat ;)

This being said, you can be creative and try the following steps on a non-production box.

1. Write a script which will replace the binary program "passwd".
The script needs to do the following.
a. set and create a file with the encrypted string for any user.
b. adjust this file size to trim the top line from itself when the max history has been reached.
c. call the real passwd file that would be replaced with something like passwd.bin
d. before closing log the new encrypted string from /etc/passwd to the history file.
2. rename the real passwd binary to whatever you will call in your script.
3. rename your script as passwd, and set exact permissions and owner ship to it as the real passwd file.

PROBLEMS: Of course there are lots of them that could occur, but there is a way to see if a program is called interactively or not. perhaps build in a safety and fall through the script if it is not an interactive call.
Obviously this will not work with yppasswd, or any other program of that type.

Dont know if it would work as I never tried, however I have replace many other binaries on systems with my own scripts for many different reasons.

Regards,
Shannon

Re: Using Password History without being a Trusted System

Shannon Petry — Wed, 25 Sep 2002 14:38:52 GMT

Forgot to add an important item to "d" in the script functionality list.
d. should not only add the string to passwd, but first check to see if it already exists. If it exists then warn the user, and loop back to your passwd again. Once the user enters a password that does not generate the same salted string fall through that loop.

Shannon

Re: Using Password History without being a Trusted System

Darren Prior — Wed, 25 Sep 2002 14:41:03 GMT

Shannon,

Great cat skinning ;-) , but I believe that a plaintext password could encrypt to different encrypted strings due to the salt. This might make it tricky to compare the encrypted strings.

regards,

Darren.

Re: Using Password History without being a Trusted System

Mark VineGar — Wed, 25 Sep 2002 15:28:39 GMT

Thanks everyone for all the input. It appears that the answer is NO unless we convert to Trusted or write script as Shannon suggest.

Mark

Re: Using Password History without being a Trusted System

Shannon Petry — Wed, 25 Sep 2002 16:19:09 GMT

Yeah, for the bit more complex then use perl as you can work with the unslated plain text password and let perl crypt it for you!

Use an unsalted crypt to store the passwords and make the comparison that way!

To the experienced programmer I dont think this would be too much work. Im not fluent in perl past simple web forms and tidy scripts so cant offer any pointers for a script like this in perl.

Regards,
Shannon

Re: Using Password History without being a Trusted System

Darrell Allen — Wed, 25 Sep 2002 17:12:01 GMT

Hi all,

I believe you will find that if the salt and the plaintext password are always the same, the encrypted password will always be the same as well. That's my experience. Further, it will be the same whether on HP-UX, Solaris, or AIX since it's a UNIX thing.

Try playing around with the following (where "password" is to be crypted using "Y7" as the salt):
echo passwordY7 | /usr/lbin/makekey

I think you'll always get Y7mVtdV.zWazc as the result.

That being the case, your password history checking script would need to get the salt from each encrypted password in the history list, use each of those salts to encrypt the new password, and compare each result to those in the list.

To truly emulate passwd you need to randomly select the salt. man makekey for more info.

In the end, I'd rather just convert to a trusted system than to mess around with passwd.

Darrell

Re: Using Password History without being a Trusted System

Deshpande Prashant — Wed, 25 Sep 2002 17:32:29 GMT

HI Mark
Converting system to trusted will be better and easy wayt to achive password history option. Is there any reason you are avoiding using trusted systems?

You can use the "PASSWORD_HISTORY_DEPTH" parameter on 11.x systems.

Thanks.
Prashant.

Re: Using Password History without being a Trusted System

doug hosking — Thu, 26 Sep 2002 08:24:56 GMT

Joaquin wrote:
"note that /eyc/security exists only in HP-UX 11i (not in 11.0) and the PASSWORD_HISTORY_DEPTH is only supported in a trusted system!"

Actually, the original reason for the creation of /etc/default/security was to support the addition of this history feature in 11.00. While the original version of 11.00 did not support the history feature, patches PHCO_13808 and PHCO_13809 added support for it (and the /etc/default/security file) in 11.00. Joaquin is correct that this feature is currently supported only on trusted system configurations of HP-UX.

Re: Using Password History without being a Trusted System

Joaquin Gil de Vergara — Thu, 26 Sep 2002 08:55:28 GMT

ok

thank uoy for the correction :-)