SMSE may offer many of the features provided by TCB but the shadow password system, even with SMSE installed, lacks some of the very significant security features of TCB - and, even with the latest release of 11.31, this is still the case.
Basically, shadow password does NOT enforce all of the attributes defined in /etc/default/security for the root user (for either the root user password or non-root user passwords changed by the root user).
While the HP-UX Security Management guide states repeatedly that the attributes configured in this file are system-wide the security(4) man page advises that some attributes only apply to non-root users (ie, ALLOW_NULL_PASSWORD, MIN_PASSWORD_LENGTH and PASSWORD_MIN_type_CHARS). All of these attributes are, however, enforced for the root user on a system using TCB.
With TCB being deprecated in 11.31 I first asked HP more than a year ago to provide the OPTION of enforcing all password policies for the root user as we have a legal requirement for these and cannot change to shadow password without them.
Initially HP declined this enhancement request (even though we could not ever legally use 11.4x without it) but I persisted with my request and, last month, I finally received advice that this OPTION will be provided in a future release of 11.31 - at this stage it is expected to be available sometime in 2011.
Kathy
PS: Sorry about my previous post - I meant to select the preview option to see if I could include text in italics but I accidentally clicked on submit instead. :(
