Community
System Administration
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

System wide password Format on Trusted System 11.11?

SOLVED
Go to solution
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 06:01 AM

‎09-29-2009 06:01 AM

System wide password Format on Trusted System 11.11?

We are looking at ways to improve password policies.

I see parameters in:
/tcb/files/auth/system/
default:

I want to know is there a way to define parameters, to set password format
and minimum length?

We would like to set a minimum password length and force the use of a alpha/numeric/character mix.


Can someone explain or suggest ways to enforce "minimum length" and "format requirements" (such as alpha/numeric/characters)

I see in SAM you can make the system
GENERATE
- Pronouncable
- Character
- Letters Only
- User Specifies

DO you procedurally use "User Specifies" and ask the User to use a mix ? Or is there a way when the user resets there password to require the specify a minimum format requirement?

And a minimum length?

Replies, links, ideas all appreciated.


0 Kudos
14 REPLIES
Mel Burslan
Mel Burslan
Honored Contributor

‎09-29-2009 06:05 AM

‎09-29-2009 06:05 AM

Solution

Re: System wide password Format on Trusted System 11.11?

did you check /etc/default/security file yet ?

here is how mine looks:

[root@nomad:/root]
# ll /etc/default/security
-r--r--r-- 1 bin bin 2538 Oct 31 2007 /etc/default/security
[root@nomad:/root]
# grep -v ^# /etc/default/security | grep -v ^$
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MAXDAYS=91
PASSWORD_MINDAYS=1
PASSWORD_WARNDAYS=7
SU_ROOT_GROUP=sysadm

________________________________
UNIX because I majored in cryptology...
0 Kudos
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 06:07 AM

‎09-29-2009 06:07 AM

Re: System wide password Format on Trusted System 11.11?

Mel,

this is a trusted 11.11 system.. I do not have
the /etc/default/security file..
0 Kudos
Hakki Aydin Ucar
Hakki Aydin Ucar
Honored Contributor

‎09-29-2009 06:16 AM

‎09-29-2009 06:16 AM

Re: System wide password Format on Trusted System 11.11?

Did you check the ;

/tcb/files/auth/system/default

BTW ; The file in question is /etc/default/security does not exist by default. But if we create it, we can use a variable called

PASSWORD_HISTORY_DEPTH:3

In this case, a new password is checked against the last three passwords. If the new password is the same as a previous password, the user must choose a different one. Password histories are stored in files under the directory /tcb/files/auth/system/pwhist:
0 Kudos
James R. Ferguson
James R. Ferguson
Acclaimed Contributor

‎09-29-2009 06:18 AM

‎09-29-2009 06:18 AM

Re: System wide password Format on Trusted System 11.11?

Hi:

You might want to consider that Trusted Systems are deprecated with 11.31 and will not be supported in successive releases.

As Mel pointed out, the '/etc/default/security' file (and shadow passwords) are part of the basis for future security enhancements in HP-UX. You might want to consider beginning this transition.

For 11.11 the Shadow Password product can be obtained here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Regards!

...JRF...
0 Kudos
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 06:54 AM

‎09-29-2009 06:54 AM

Re: System wide password Format on Trusted System 11.11?

So, will the /etc/default/security work on the trusted system?

(per JRF) it would require we install the "Shadow Password Depot"?

Does this Depot overlay the tcb/trusted system or do we need to unconvert the trusts?

0 Kudos
Pete Randall
Pete Randall
Outstanding Contributor

‎09-29-2009 07:04 AM

‎09-29-2009 07:04 AM

Re: System wide password Format on Trusted System 11.11?

Yes, it will work on trusted systems. If you don't have one, just create it. You can use Mel's as a template.


Pete

Pete
0 Kudos
Pete Randall
Pete Randall
Outstanding Contributor

‎09-29-2009 07:05 AM

‎09-29-2009 07:05 AM

Re: System wide password Format on Trusted System 11.11?

Oh - and the security man page will guide you on the rest of the parameters.


Pete

Pete
0 Kudos
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 07:07 AM

‎09-29-2009 07:07 AM

Re: System wide password Format on Trusted System 11.11?

Thanks Pete..

I will take a look at both.

0 Kudos
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 07:26 AM

‎09-29-2009 07:26 AM

Re: System wide password Format on Trusted System 11.11?

Thanks All. As usual.. Many thanks.. Wish I could contribute as much as I get back from you all.

0 Kudos
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 09:35 AM

‎09-29-2009 09:35 AM

Re: System wide password Format on Trusted System 11.11?

Are changes made to the /etc/default/security
take prececent over user TCB files or is this
file subservient of tcb security?


0 Kudos
Bill Hassell
Bill Hassell
Honored Contributor

‎09-29-2009 11:42 AM

‎09-29-2009 11:42 AM

Re: System wide password Format on Trusted System 11.11?

/etc/default/security and the /tcb entries are 'merged' together. It is quite painful to try to figure all this out by inspection. Start by creating a complete /etc/default/security file. I have attached a sample here. NOTE: if you do not keep up on patches, some of the items will be ignored. Note also (as the comments state in the file), the "#" character cannot be used on the same line as a desired setting. The code blindly skips any line with # in it.

I have attached a sample security file. In my next post, I have attached a security definition script that will summarize all the settings in your current system.

Note that while Trusted is deprecated for the future, the replacement choices are not as capable. Unless you plan on moving to the next version past 11.31 (not out yet), I would stay with Trusted. Adding Shadow Passwords will be fairly confusing when you see all the limitations.


Bill Hassell, sysadmin
0 Kudos
Bill Hassell
Bill Hassell
Honored Contributor

‎09-29-2009 11:44 AM

‎09-29-2009 11:44 AM

Re: System wide password Format on Trusted System 11.11?

Here is the security settings script. It should give you virtually all of the current settings. SAM is also useful but a lot more cumbersome to locate and set the values.


Bill Hassell, sysadmin
0 Kudos
Hakki Aydin Ucar
Hakki Aydin Ucar
Honored Contributor

‎09-29-2009 12:30 PM

‎09-29-2009 12:30 PM

Re: System wide password Format on Trusted System 11.11?

Hi,

I also recommend that you can read this post as addendum knowledge, I think it is very useful especially the future of Trusted Systems and their disadvantages:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1371250

Regards.
0 Kudos
rmueller58
rmueller58
Valued Contributor

‎09-29-2009 12:36 PM

‎09-29-2009 12:36 PM

Re: System wide password Format on Trusted System 11.11?

Thanks All.

I appreciate the assistance ..
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.