System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Login does not require password

Venkatesan_5
Frequent Advisor

Login does not require password

I have an ESM report stating that 'Login does not require password" for all accounts in hpux11.31. I compared the /etc/default/security with other system as well. Both are identical.. what could be the issue?
6 REPLIES
Rita C Workman
Honored Contributor

Re: Login does not require password

Does the system allow for remote login (ssh or rlogin)?

That may be what they are complaining about, however, technically the user did have to login initially to gain access. Using ssh is more secure, since it encrypts. If you have users secluded to only the boxes they are entitled access to, then you should state that in your responding report.

One thing security consultanting company reports like to do is throw up giant screams of doom and disaster to justify the ridiculous amount of money they are charging - and the only issue is remote login from a user that already justified access a server and has already logged in on another (also justified) server.

Just a thought,
Rita
Horia Chirculescu
Honored Contributor

Re: Login does not require password

In order to find out what it is going on, you could enable debugging on pam module, by adding the option "debug", then check syslog at LOG_DEBUG level.

Best regards,
Horia.
Best regards from Romania,
Horia.
Alzhy
Honored Contributor

Re: Login does not require password

Maybe RSA SecurID enabled on the accounts -- hence password is NULL as authentication will be handled by RSA? We used to have our 11.11 environments set up this way.
Hakuna Matata.
Venkatesan_5
Frequent Advisor

Re: Login does not require password

As per Rita, I checked the file /etc/inetd.conf and found that the rlogin entry is been enabled

I have disabled the entry and asked the security personnel to scan the server and provide the updated report. will wait for that and let you guys know. Thanks for your replies.
Alzhy
Honored Contributor

Re: Login does not require password

Oh so your users are employing .rhosts trusts eh? I thougths you indeed have user accounts with NULL passwords and have a 2nd layer of auth...


It is really best to just disable rlogind and rexecd in inet.



Hakuna Matata.
Venkatesan_5
Frequent Advisor

Re: Login does not require password

Hi Alzhy,
We use ERM to logon to the servers.

A question to all,
I have some queries pertaining to security risk of this item.

1. How could external / internal users exploit this risk if they were aware about this entry is enabled in /etc/inetd.conf

2. In the normal login procedure using ERM would the user have noticed â â Now I donâ t need to use password anymore!â