Solved: System wide password Format on Trusted System 11.1...

rmueller58 · ‎09-29-2009

We are looking at ways to improve password policies.

I see parameters in:
/tcb/files/auth/system/
default:

I want to know is there a way to define parameters, to set password format
and minimum length?

We would like to set a minimum password length and force the use of a alpha/numeric/character mix.

Can someone explain or suggest ways to enforce "minimum length" and "format requirements" (such as alpha/numeric/characters)

I see in SAM you can make the system
GENERATE
- Pronouncable
- Character
- Letters Only
- User Specifies

DO you procedurally use "User Specifies" and ask the User to use a mix ? Or is there a way when the user resets there password to require the specify a minimum format requirement?

And a minimum length?

Replies, links, ideas all appreciated.

Mel Burslan · ‎09-29-2009

did you check /etc/default/security file yet ?

here is how mine looks:

[root@nomad:/root]
# ll /etc/default/security
-r--r--r-- 1 bin bin 2538 Oct 31 2007 /etc/default/security
[root@nomad:/root]
# grep -v ^# /etc/default/security | grep -v ^$
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MAXDAYS=91
PASSWORD_MINDAYS=1
PASSWORD_WARNDAYS=7
SU_ROOT_GROUP=sysadm

________________________________
UNIX because I majored in cryptology...

rmueller58 · ‎09-29-2009

Mel,

this is a trusted 11.11 system.. I do not have
the /etc/default/security file..

Hakki Aydin Ucar · ‎09-29-2009

Did you check the ;

/tcb/files/auth/system/default

BTW ; The file in question is /etc/default/security does not exist by default. But if we create it, we can use a variable called

PASSWORD_HISTORY_DEPTH:3

In this case, a new password is checked against the last three passwords. If the new password is the same as a previous password, the user must choose a different one. Password histories are stored in files under the directory /tcb/files/auth/system/pwhist:

James R. Ferguson · ‎09-29-2009

Hi:

You might want to consider that Trusted Systems are deprecated with 11.31 and will not be supported in successive releases.

As Mel pointed out, the '/etc/default/security' file (and shadow passwords) are part of the basis for future security enhancements in HP-UX. You might want to consider beginning this transition.

For 11.11 the Shadow Password product can be obtained here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Regards!

...JRF...

rmueller58 · ‎09-29-2009

So, will the /etc/default/security work on the trusted system?

(per JRF) it would require we install the "Shadow Password Depot"?

Does this Depot overlay the tcb/trusted system or do we need to unconvert the trusts?

Pete Randall · ‎09-29-2009

Yes, it will work on trusted systems. If you don't have one, just create it. You can use Mel's as a template.

Pete

Pete

Pete Randall · ‎09-29-2009

Oh - and the security man page will guide you on the rest of the parameters.

Pete

Pete

rmueller58 · ‎09-29-2009

Thanks Pete..

I will take a look at both.

rmueller58 · ‎09-29-2009

Thanks All. As usual.. Many thanks.. Wish I could contribute as much as I get back from you all.

rmueller58 · ‎09-29-2009

Are changes made to the /etc/default/security
take prececent over user TCB files or is this
file subservient of tcb security?

Bill Hassell · ‎09-29-2009

/etc/default/security and the /tcb entries are 'merged' together. It is quite painful to try to figure all this out by inspection. Start by creating a complete /etc/default/security file. I have attached a sample here. NOTE: if you do not keep up on patches, some of the items will be ignored. Note also (as the comments state in the file), the "#" character cannot be used on the same line as a desired setting. The code blindly skips any line with # in it.

I have attached a sample security file. In my next post, I have attached a security definition script that will summarize all the settings in your current system.

Note that while Trusted is deprecated for the future, the replacement choices are not as capable. Unless you plan on moving to the next version past 11.31 (not out yet), I would stay with Trusted. Adding Shadow Passwords will be fairly confusing when you see all the limitations.

Bill Hassell, sysadmin

Bill Hassell · ‎09-29-2009

Here is the security settings script. It should give you virtually all of the current settings. SAM is also useful but a lot more cumbersome to locate and set the values.

Bill Hassell, sysadmin

Hakki Aydin Ucar · ‎09-29-2009

Hi,

I also recommend that you can read this post as addendum knowledge, I think it is very useful especially the future of Trusted Systems and their disadvantages:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1371250

Regards.

rmueller58 · ‎09-29-2009

Thanks All.

I appreciate the assistance ..

System wide password Format on Trusted System 11.11?

System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Re: System wide password Format on Trusted System 11.11?

Hewlett Packard Enterprise International