
Re: Customizing Security settings-HPUX 11.23

 
Jim Poplawski
Advisor

Customizing Security settings-HPUX 11.23

Folks,
Our customer is requesting some changes to our security settings. We are running HP-UX 11.23 in trusted mode. I'm not sure I agree with what they want, but first, what is possible in what they asked.
First, they want to change the "invalid login" string that comes up when a user has a wrong password or the account is locked. I haven't seen a file that has the text that displays for those prompts, so I'm assuming that it's not possible. Am I correct?
Secondly, they want * to print when the user types their password instead of not echoing anything. (darn Windows bigots)
They also want a max of 3 invalid logins before kicking you out. I see the parameter in SAM to set for that for modems/terminals, (and that is set) but it says that does not apply to network sessions. Do I need to play with the login timeout setting to get it to line up or is there another setting?
Thanks
Jim
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Customizing Security settings-HPUX 11.23

Without writing custom code, the only one of these that is "doable" is setting the maximum unsuccessful login attempts. This can be set on either a user-by-user basis or on a system-wide basis. If the umaxlntr value is defined for a user it takes precedence over the system-wide value. The value can be changed using modprpw. Man getprpw and modprpw for details.
If it ain't broke, I can fix that.
Patrick Wallek
Honored Contributor

Re: Customizing Security settings-HPUX 11.23

Request 1 - Change "invalid login" -- NOT POSSIBLE as far as I know.

Request 2 - print *'s when entering passwords -- NOT POSSIBLE as far as I know.

Request 3 - max 3 invalid logins before kicking you out -- NOT POSSIBLE as far as I know.

I think the only way to do these things would be to write a custom login program or PAM module.

Patrick Wallek
Honored Contributor

Re: Customizing Security settings-HPUX 11.23

I stand corrected on request 3. That does work (as if I'd expect anything less from Clay!).

Jim Poplawski
Advisor

Re: Customizing Security settings-HPUX 11.23

Sorry, to clarify item 3, it's not necessarily 3 invalid attempts from 1 particular id, it's 3 from that login session. So if I try userid Joe with a bad userid or password and then Mary and then Sam, then the session should close.
Thanks for the VERY quick responses.
Bill Hassell
Honored Contributor

Re: Customizing Security settings-HPUX 11.23

> "invalid login" ... am I correct?

Yes. There is no customization mechanism. This message is hard coded in the program.

> want * to print

Again, no mechanism exists to change this. The stty command allows echo or no-echo but no translation.

> 3 invalid logins ...

From the login man page:
"After three unsuccessful login attempts, a HANGUP signal is issued."

On a trusted system, /usr/lbin/modprdef is the UNDOCUMENTED command that accomplishes such changes. SAM calls this command so when you change the login retry count, parameter umaxlntr is used, and for timeout until user can try again, the value is dlylntr. The SAM log shows the actual command so you can guess the meaning of the parameters by changing a number and seeing the resultant command line.


Bill Hassell, sysadmin
Torsten.
Acclaimed Contributor

Re: Customizing Security settings-HPUX 11.23

BTW - while talking about security AND telnet ...

Using telnet is the security hazard, isn't it?

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Jim Poplawski
Advisor

Re: Customizing Security settings-HPUX 11.23

Right now it's a pretty closed network, but we're also moving to ssh, sftp, etc. to take that out of the picture as well.
Thanks!
Jim Poplawski
Advisor

Re: Customizing Security settings-HPUX 11.23

Got some test time today, and the parameter you can set in SAM to set the number of invalid logins for modems/terminals also works for telnet and ssh sessions as well.
Thanks to all for your assistance on this.
Jim Poplawski
Advisor

Re: Customizing Security settings-HPUX 11.23

Folks, thanks for all the feedback.