Operating System - HP-UX
Michael Pasquale
Occasional Contributor

Enforcing more complex passwords...

Greetings,

Our client has requested that user passwords must include 3 of the following 4 types of characters: uppercase, lowercase, numbers, and special characters. However, according to the man page for passwd, only two groups are required by default (letters and either numbers or special characters).

We're running as a trusted system, and there doesn't seem to be an option in SAM. I also couldn't find an appropriate variable to add to /etc/default/security.

Can I satisfy this requirement through a configuration change, or do I need a third-party tool?

Thanks for your consideration...

~Michael Pasquale
Jeff Schussele
Honored Contributor

Re: Enforcing more complex passwords...

Hi Michael,

Think you can do this with a PAM - Pluggable Authentication Module.
You'd have to modify the std module, write one or purchase it.
If you do a strings | grep password on the /usr/lib/security/libpam.unix.1 file, you'll see the following in the output:

The password entered is not valid. Valid passwords must contain at least:

So the std module IS checking - it just has to be modified to check using your restrictions.
Maybe someone out there has already done so.
I know there are 3rd party products that will do this.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Steven Sim Kok Leong
Honored Contributor
Solution

Re: Enforcing more complex passwords...

Hi Michael,

You can try writing a passwd wrapper for it.

A rough example (you definitely need to test and fine-tune):

# mv /usr/bin/passwd /usr/bin/passwd.bin

# cat /usr/bin/passwd

#!/sbin/sh
# Wrapper: check the new password's complexity, then hand over to the real passwd.
# Restore terminal echo even if the user interrupts the prompt.
trap 'stty echo' 0 1 2 15

stty -echo
echo "New UNIX password: \c"
read passwd
stty echo

# The patterns are quoted so the shell does not treat |, &, ( ) and $ as
# operators or expand the brackets as a filename glob.
if echo "$passwd" | grep '[0123456789]' | grep '[a-zA-Z]' | grep '[!@#$%^&*()_+|]' >/dev/null 2>&1
then
    echo "This password qualifies. Proceeding..."
    # passwd does not accept the password on its command line (and a password in
    # argv would be visible in ps); pass through the original arguments, e.g. a
    # user name, and let the real passwd prompt for the password itself.
    /usr/bin/passwd.bin "$@"
else
    echo "Password must contain a digit, a letter and a special character."
    exit 1
fi

Hope this helps. Regards.

Steven Sim Kok Leong
Michael Pasquale
Occasional Contributor

Re: Enforcing more complex passwords...

Thank you both very much!!

Since enforcing such complexity is not immediately feasible (i.e., the change can't be made without additional coding/software), our client decided that this issue can wait for the time being.

Thank you both for your input; I'll investigate your suggestions.

Sincerely,
Michael Pasquale
doug hosking
Esteemed Contributor

Re: Enforcing more complex passwords...

You don't say what HP-UX release you are running, but given that you refer to /etc/default/security I will assume it's either 11.00 or 11.11.

It seems that sites have a limitless number of special requirements for passwords. A custom PAM module is probably the 'right' solution here, but has obvious support cost consequences.

Although I don't have a perfect solution for you, there is one simple solution that can help meet most of your requirements. Take a look at the documentation for patch PHCO_24390, which adds a new feature. Unfortunately this isn't yet mentioned in the security(4) manual pages. Quoting from the patch documentation:

A site's security policies sometimes require new passwords to contain specific numbers or types of characters, such as at least two digits and at least one special character.

Resolution:

In addition to the standard password requirements, optional entries in the file /etc/default/security specify the minimum number of required characters of each type (upper case characters, lower case characters, digits and special characters) in a new password.

PASSWORD_MIN_UPPER_CASE_CHARS=N
PASSWORD_MIN_LOWER_CASE_CHARS=N
PASSWORD_MIN_DIGIT_CHARS=N
PASSWORD_MIN_SPECIAL_CHARS=N

The default value for N is 0. These parameters have effect only when a password is changed. On untrusted systems, these parameters do not apply to the root user. The file /etc/default/security should be owned by root and have 0644 permissions.

As an example, to require passwords at least 8 characters long, composed of at least 5 upper case characters, 2 lower case characters and a digit, include the following lines in /etc/default/security, as specified above:

PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1
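As an added example (not from any poster and not HP's passwd code): a POSIX sh policy check that a wrapper like Steven's could call, enforcing the "3 of 4 character classes" rule from the question alongside per-class minimums named after the /etc/default/security entries Doug quotes. The policy values, PASSWORD_MIN_LENGTH, PASSWORD_MIN_CLASSES and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a POSIX sh policy check implementing the
# "3 of 4 character classes" rule from the question, plus per-class minimums named
# after the PASSWORD_MIN_* entries in the PHCO_24390 documentation quoted above.
LC_ALL=C; export LC_ALL        # make the A-Z / a-z ranges mean ASCII letters only

# Assumed policy values (the variable names mirror /etc/default/security; the
# values, PASSWORD_MIN_LENGTH and PASSWORD_MIN_CLASSES are this example's own).
PASSWORD_MIN_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0
PASSWORD_MIN_CLASSES=3

# count_class STRING SET: how many characters of STRING fall in the tr(1) set SET.
# The string travels through a pipe, never onto another process's command line.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password PASSWORD: returns 0 if the policy is met, otherwise prints the
# first violated rule and returns 1. A wrapper would call it as
#   check_password "$passwd" || exit 1
# before invoking the real passwd binary.
check_password() {
    pw=$1
    len=${#pw}
    upper=$(count_class "$pw" 'A-Z')
    lower=$(count_class "$pw" 'a-z')
    digit=$(count_class "$pw" '0-9')
    special=$((len - upper - lower - digit))   # everything that is not a letter or digit

    [ "$len" -ge "$PASSWORD_MIN_LENGTH" ] || { echo "too short: need $PASSWORD_MIN_LENGTH characters"; return 1; }
    [ "$upper" -ge "$PASSWORD_MIN_UPPER_CASE_CHARS" ] || { echo "need $PASSWORD_MIN_UPPER_CASE_CHARS upper case"; return 1; }
    [ "$lower" -ge "$PASSWORD_MIN_LOWER_CASE_CHARS" ] || { echo "need $PASSWORD_MIN_LOWER_CASE_CHARS lower case"; return 1; }
    [ "$digit" -ge "$PASSWORD_MIN_DIGIT_CHARS" ] || { echo "need $PASSWORD_MIN_DIGIT_CHARS digit(s)"; return 1; }
    [ "$special" -ge "$PASSWORD_MIN_SPECIAL_CHARS" ] || { echo "need $PASSWORD_MIN_SPECIAL_CHARS special"; return 1; }

    # The "3 of 4" rule: count how many of the four classes are present at all.
    classes=0
    for n in "$upper" "$lower" "$digit" "$special"; do
        if [ "$n" -gt 0 ]; then classes=$((classes + 1)); fi
    done
    [ "$classes" -ge "$PASSWORD_MIN_CLASSES" ] || { echo "need $PASSWORD_MIN_CLASSES of 4 character classes"; return 1; }
    return 0
}
```

Note that the PHCO_24390 parameters express fixed per-class minimums, so with that patch installed only the "any 3 of 4" part still needs a check of this kind.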