topic Re: password issue in Operating System - HP-UX

password issue

Gary Yu — Tue, 22 Oct 2002 15:15:38 GMT

Hi all,

We have a dev server accessed by more than 20 users, some of them just use "password" or their username as password. Is there a way in HPUX 11.0 that we can enfoce some password rule(like in Win2000), which won't allow users to choose password which don't have numbers and Captical letters ? Or as a root user, is there any way I can detect user's password is "password" or username.

BTW, we're not running a trusted system.

thanks,
Gary

Re: password issue

RAC_1 — Tue, 22 Oct 2002 15:16:25 GMT

check man page for security.

you can put security file in /etc/default dir.

It will give you some control on passwords.

(trusted system is better option)

Re: password issue

Ashwani Kashyap — Tue, 22 Oct 2002 15:19:27 GMT

Best way is to convert to trusted system

Re: password issue

Ken Hubnik_2 — Tue, 22 Oct 2002 15:20:21 GMT

You can also convert the system to trusted and it opens up all kinds of new password rules.

Re: password issue

A. Clay Stephenson — Tue, 22 Oct 2002 15:20:22 GMT

If you are not a trusted system then this is a more difficult task. My tried and true method for this is to code my own passwd (and/or yppasswd if you are also running NIS) and put in your own rules. My standard rule is to strip numerics and special characters and then set the plaintext to spell. If spell says that it is a good word, I reject it.

There is no way to decrypt the user's password because it is not encrypted; it's actually hashed meaning that there is a many to one relationship between the plaintext and the encoded passwd. You can download and install 'crack' from any of the HP-UC Porting Centre's; it makes repeated guesses until it's hashed passwd matches that found in the passwd file.

Re: password issue

Bill Hassell — Wed, 23 Oct 2002 01:47:28 GMT

As mentioned, going to a Trusted system is the only way. It sounds like you have a potential security problem with trivial passwords, so trying to kludge a fix with a standard system isn't going to be effective. The man page for security is missing to 11.0 so you can get it from docs.hp.com BUT:

- it has no effect unless you are up to date on patches (and 2002 patch bundle will do)

- only the libpam patch readme file plus the man page for security will have all the options.

There is no history possible (to prevent re-use) without a Trusted system but you can at least enforce some restrictions on choosing a password.

Re: password issue

doug hosking — Wed, 23 Oct 2002 19:46:19 GMT

You might be intersted in a new feature described in patch PHCO_24390. This
allows you to force passwords to have various combinations of digits or upper case, lower case and special characters. See the patch documentation file for details.