Re: force passwds characteristics

p7
Frequent Advisor

force passwds characteristics

hi all

Auditors came in, and they want us to force the users to use more complex passwords than what they are currently using (simple, 1234, etc.).
Is there a way in regular Unix (without Trusted mode or a third-party product) to do this?

Thanks in advance
Steven E. Protter
Exalted Contributor

Re: force passwds characteristics

Shalom,

/etc/default/security

example

MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Patrick Wallek
Honored Contributor

Re: force passwds characteristics

What version of HP-UX are you running?

If you are being audited, I'm surprised the auditors didn't ding you for not being trusted. ALL applications should work with trusted systems.

If you are HP-UX 11.11 or higher, do a 'man security'. This will give details of settings that can be used with the /etc/default/security file.

Things to look at are: password_history_depth, min_password_length, password_min_uppercase_chars, password_min_lowercase_chars, password_min_digit_chars and password_min_special_chars.

Setting these in /etc/default/security should do what you require. Be sure to read carefully, though, as some options MIGHT require your system to be trusted.
Fat Scrape
Honored Contributor

Re: force passwds characteristics

Hi Pasquale,

See the passwd man page for more information.

Fat
rmueller58
Valued Contributor

Re: force passwds characteristics

Is your system trusted or untrusted?

For HP-UX you can change the parameters for security from within SAM:
-- Auditing and Security
-- System Security Policies

There are four selections you can go into and modify:
Password Format Policies
Password Aging Policies
General User Account Policies
Terminal Security Policies

I believe on a trusted system you have to modify a different file than /etc/default/security.

Each user has a /tcb/files/auth/?/username file that contains rules and history related to login. It is best on a trusted system to modify the default parameters from within SAM.

Most of these are fairly self-explanatory. If your system contains just a basic install and you haven't updated with patches, you may want to do so; also make sure you check that you have an updated version of SSH. We have 11.11 and had problems with the SSH version installed not handshaking correctly with PAM.

Bill Hassell
Honored Contributor

Re: force passwds characteristics

Although the man page for security will help, most of the options do not apply for a "regular" HP-UX system, that is, not Trusted. The man page for passwd tells you the limitations for an untrusted system.

It's a good thing your auditors are recommending converting to a Trusted system since you will then meet the security requirements and have a much safer system.


Bill Hassell, sysadmin
hpguys
New Member

Re: force passwds characteristics

Hi, I also have this problem. Our HP-UX is in trusted mode, but I cannot find /etc/default/security. Is it created by the root user? If I create it and add settings to it, will HP-UX update the config automatically?

Thanks in advance
Bill Hassell
Honored Contributor

Re: force passwds characteristics

/etc/default/security never exists on a new system -- you must create it (as root). It should be owned by root:sys and have permissions of 600 (i.e., no permissions except for the owner).

Here is a sample with a bunch of comments. NOTE: whether a feature exists or not depends on OS version and patches. Use your system's man page for security as the guide. Note also that the security file is parsed such that a # character appearing anywhere on the line (first, middle, last, etc) causes the line to be ignored. Also, if a setting is misspelled or has an invalid setting, it is silently ignored, so you must test each feature.

# Security file: /etc/default/security -- 11.00 and higher only

# Note: the contents of the security file are only meaningful
# at specific versions of HP-UX and security patches.
# And at 11.23 2005, a product called "Standard Mode Security Extensions"
# was created and adds additional security features to a non-Trusted
# system. So the only accurate documentation as to the working options
# in the security file is: man security

# Comments (#) allowed only on separate line,
# no trailing # following a parameter or it
# will invalidate the setting

# Access controls (11.0 and higher)
#################

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Single user mode authorization (11i and non-trusted only)
###########################################################

# Requires root password to get into single user mode
# BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

# PASSWORD_MAXDAYS=120
# PASSWORD_MINDAYS=7
# PASSWORD_WARNDAYS=7

# Session controls
##################

SU_ROOT_GROUP=suroot
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
UMASK=022
# SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD
Bill Hassell, sysadmin
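The two parsing rules Bill describes (a '#' anywhere on a line discards the whole line, and a misspelled or badly valued setting is silently ignored) are exactly the mistakes that leave an auditor's password policy unenforced, since the settings from Steven's and Patrick's replies look fine at a glance. The POSIX sh linter below is an added example, not code from this thread or from HP; it runs over a constructed sample file, and the list of accepted keys is an assumption taken from the settings named in this thread.

```shell
#!/bin/sh
# Lint a copy of /etc/default/security for lines the parser would silently drop: a '#'
# after a setting, a misspelled key, or a non-numeric value. Sample file is constructed.
SAMPLE_FILE="${TMPDIR:-/tmp}/security.sample.$$"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# Password controls (constructed sample with three deliberate mistakes)
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_DIGIT_CHARS=1   # at least one digit
PASSWORD_MIN_SPCIAL_CHARS=1
PASSWORD_HISTORY_DEPTH=five
PASSWORD_MIN_UPPER_CASE_CHARS=1
UMASK=022
EOF
# Keys this checker accepts (assumption: the settings named in this thread;
# whether each one is honoured depends on your OS version and patches).
KNOWN_KEYS="MIN_PASSWORD_LENGTH PASSWORD_HISTORY_DEPTH PASSWORD_MIN_UPPER_CASE_CHARS \
PASSWORD_MIN_LOWER_CASE_CHARS PASSWORD_MIN_DIGIT_CHARS PASSWORD_MIN_SPECIAL_CHARS \
PASSWORD_MAXDAYS PASSWORD_MINDAYS PASSWORD_WARNDAYS UMASK NOLOGIN \
NUMBER_OF_LOGINS_ALLOWED ABORT_LOGIN_ON_MISSING_HOMEDIR BOOT_AUTH BOOT_USERS \
SU_ROOT_GROUP SU_DEFAULT_PATH SU_KEEP_ENV_VARS"
# Print one finding per problem line; return the number of findings.
check_security_file() {
    file=$1; findings=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}      # drop leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                     # blank or whole-line comment
            *'#'*) printf '%s\n' "line $lineno: '#' after the setting disables the whole line: $line"
                   findings=$((findings + 1)); continue ;;
        esac
        key=${line%%=*}; value=${line#*=}
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) printf '%s\n' "line $lineno: unknown setting '$key' will be silently ignored"
               findings=$((findings + 1)); continue ;;
        esac
        case "$key" in                               # settings that take a number
            *_CHARS|*_LENGTH|*_DEPTH|*DAYS|UMASK|NOLOGIN|NUMBER_OF_LOGINS_ALLOWED|BOOT_AUTH|ABORT_LOGIN_ON_MISSING_HOMEDIR)
                case "$value" in
                    ''|*[!0-9-]*) printf '%s\n' "line $lineno: '$key' needs a number, got '$value'"
                                  findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$file"
    return "$findings"
}
check_security_file "$SAMPLE_FILE" || echo "$? setting(s) would be silently ignored; fix them and test each one"
```

Point it at a copy of your own file instead of the sample; a clean run still only tells you the syntax is sound, so each setting must still be tested with passwd as Bill advises.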