HPE Community
Operating System - HP-UX
1834931 Members
2594 Online
110071 Solutions
New Discussion

/etc/default/password

 
Nicky_5
Regular Advisor

‎08-18-2005 06:49 AM

‎08-18-2005 06:49 AM

/etc/default/password

Hi All,

in SCO Machines there is a file /etc/default/password that contains the information about the length and aging of user passwords and the availability of the passwd command for changing user passwords like MINWEEKS, MAXWEEKS, PASSLENGTH, WARNWEEKS,
LOGIN_ONLY.

Is there some such file n HP-UX (specially version 10.20) Please let me know..
0 Kudos
Reply
13 REPLIES 13
John Dvorchak
Honored Contributor

‎08-18-2005 06:55 AM

‎08-18-2005 06:55 AM

Re: /etc/default/password

Yes you can do that if you make the system a "trusted" system. Use sam and go into "auditing and security" then to "system security policies". There is also a warning there that you must convert to a trusted system, but it is easily converted back to an untrusted system.

If it has wheels or a skirt, you can't afford it.
0 Kudos
Reply
Victor BERRIDGE
Honored Contributor

‎08-18-2005 06:56 AM

‎08-18-2005 06:56 AM

Re: /etc/default/password

Under hpux 11i,you would find that in /etc/default/security file
As for 10.20 unless you have a trusted system Im afraid there is nothing...

All the best
Victor
0 Kudos
Reply
Sameer_Nirmal
Honored Contributor

‎08-18-2005 07:00 AM

‎08-18-2005 07:00 AM

Re: /etc/default/password

No there is no such file in HP-UX
If you want to have that kind password policy , then you to convert the system to Trusted System .

Making Trusted system is depends on application compatibility.

Im HP-UX 11i , you can put those changes without converting to Trusted mode.
0 Kudos
Reply
Nicky_5
Regular Advisor

‎08-18-2005 07:05 AM

‎08-18-2005 07:05 AM

Re: /etc/default/password

hi,

is there any impact if i change the system into trusted system?
i did go into sam and saw the warning it gave
"2. Moves user passwords in "/etc/passwd" to this database.
3. Replaces all password fields in "/etc/passwd" with "*".

So if i say ok to this option wont it mess up with the password settings of my users?

This is a production machine and so i am a little wary..
0 Kudos
Reply
Ranjith_5
Honored Contributor

‎08-18-2005 07:08 AM

‎08-18-2005 07:08 AM

Re: /etc/default/password

Hi Nicky,

There is a similar file in HP-UX also. That is /etc/default/security.

The completeinfo is here.
http://docs.hp.com/en/B2355-60105/security.4.html

Regards,
Syam
0 Kudos
Reply
Nicky_5
Regular Advisor

‎08-18-2005 07:14 AM

‎08-18-2005 07:14 AM

Re: /etc/default/password

Hi Syam,

On my machine (HP-UX 10.20) under /etc/default there are only 2 files (fs & useradd). I could not find the file you mentioned.
0 Kudos
Reply
Ranjith_5
Honored Contributor

‎08-18-2005 07:17 AM

‎08-18-2005 07:17 AM

Re: /etc/default/password

Hi,

You have to create this file.
# touch security.

edit it and add the required parameters according to your requirements. I have added the following in my machine.
PASSWORD_HISTORY_DEPTH=5
SU_ROOT_GROUP=sysadm
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
UMASK=077
PASSWORD_MAXDAYS=30
PASSWORD_MINDAYS=5
PASSWORD_WARNDAYS=7


Regards,
Syam
0 Kudos
Reply
Sameer_Nirmal
Honored Contributor

‎08-18-2005 07:20 AM

‎08-18-2005 07:20 AM

Re: /etc/default/password

Unless you know the application dependability on /etc/passwd file , it is quite risky to make these changes on production system. If don't know about application , try this on Test system first.

/etc/default/security file and concerned policy can only be implemented in HP-UX 11i.
0 Kudos
Reply
Tim Nelson
Honored Contributor

‎08-18-2005 07:46 AM

‎08-18-2005 07:46 AM

Re: /etc/default/password

/tcb/auth/files/system/defaults.

default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#1814400:u_maxlen#16:u_exp#3628800:u_life#5184000:\
:u_llogin#5184000:u_pw_expire_warning#1209600:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#6:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:

If unsure, modify defaults in SAM then check this file to see what the relationship is.

0 Kudos
Reply
Nicky_5
Regular Advisor

‎08-18-2005 07:49 AM

‎08-18-2005 07:49 AM

Re: /etc/default/password

given the current settings of my system, would i be right in saying that the ids created by on this machine are not governed by any policy?

Also does any one know what exactly happens when i enable TCB on this machine? the password section of /etc/password is replaced by a *, does that mean that the passwords are reset or do the passwords remain unchanged,but the encrypted passwords would not be stored in another file instead of /etc/passwd?

any suggestions?
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎08-18-2005 07:49 AM

‎08-18-2005 07:49 AM

Re: /etc/default/password

As you know, 10.20 has been obsolete for several years so the /etc/default/security file is meaningless to that system. You do have password aging available but nothing else. SAM can handle password aging for your users.

Converting to Trusted using SAM is a low risk task and will not affect users UNLESS they are typing more than 8 characters for their password. The un-Trusted passwd program silently ignores the extra characters but a Trusted system pays attantion to all the characters tpyed in and it will fail after conversion because the password is only 8 characters long.

Additionally, poorly written programs may play around with the password file and these programs may fail because they do not understand the Trusted database system. But for security, you don't want such programs anyway. Your best choice is to get a test system and verify operation before you convert. Use SAM and you can convert while the system is running--takes just a minute or so.


Bill Hassell, sysadmin
0 Kudos
Reply
Nicky_5
Regular Advisor

‎08-18-2005 07:50 AM

‎08-18-2005 07:50 AM

Re: /etc/default/password

hi Tim,

since i dont have have TCB enabled, i dont have the /tcb directory, and hence the consequest files are also not there...
0 Kudos
Reply
Ranjith_5
Honored Contributor

‎08-18-2005 07:51 AM

‎08-18-2005 07:51 AM

Re: /etc/default/password

Hi,

the tcb database is created only after making the system trusted. Once the system is made trusted then the passwords will be stored in the tcb database.

Regards,
Syam
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.