Operating System - HP-UX

How to - /tcb/files/auth/*/* and /tcb/files/auth/system/default

 
Johnny Damtoft
Regular Advisor

Hello

I want to set up special security settings using /tcb/files/auth/*/* for all users, but not “ROOT” and a few other system accounts.

I want to set up password ageing, max login tries, etc.

I have been recommended these options:

u_life = 2592000
u_minchg = 0
t_maxtries = 5

So in this case, I guess that my /tcb/files/auth/system/default file will look like this:

default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#2592000:\
:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#5:t_login_timeout#0:\
:chkent:

If this is for all users, and I want special rules for ROOT and other system users, is u_life = 0 the same as “not active”?

I know that the options in the default file are the standard security values, and are only overridden if the options are also present in the “user-specific file”.

The option “u_maxlen” is the maximum length for the password, and in the shown config the max is 8 chars. I want a minimum of 6 chars and a max of 20.

I want good and wise security options.
So in other words the shown config is not perfect, but what are your recommendations?


Johnny
2 REPLIES
Bob Ingersoll
Valued Contributor

Re: How to - /tcb/files/auth/*/* and /tcb/files/auth/system/default

For reasonable security measures you may want to use something like:

u_minchg#86400
u_maxlen#8
u_exp#5184000
u_life#15552000
u_pw_expire_warning#604800
u_pickpw
u_genpwd@
u_restrict
u_nullpw@
u_genchars
u_genletters@
u_llogin#3024000
u_maxtries#3
t_logdelay#4
t_login_timeout#60

A value of zero (0) for u_life disables password life-time expiration.

You should use SAM to make these changes.

The minimum password length and other policies are specified in /etc/default/security:

MIN_PASSWORD_LENGTH=9
PASSWORD_HISTORY_DEPTH=10
PASSWORD_MIN_UPPER_CASE_CHARS=2
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=2
SU_ROOT_GROUP=admin

Johnny Damtoft
Regular Advisor

Re: How to - /tcb/files/auth/*/* and /tcb/files/auth/system/default

Would it be possible for you to make a short comment for each entry?

So, what would your default file look like?

Is "u_maxlen#8" the max length for passwords? And if so, how would this match the minimum length from the security file of 9 chars?


Johnny
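
The default-versus-user override rule and the time values discussed in this thread, as an added example (not posted by any participant and not HP tooling): a Python parser for the termcap-style entry from the first post that merges a per-user entry over the default and reports time fields in days, assuming those fields are in seconds as the values in the thread suggest. The `ROOT` entry and its values are constructed, and the `u_maxlen` versus `MIN_PASSWORD_LENGTH` comparison only flags the pair for review; it does not model how HP-UX resolves it.

```python
import re

TIME_FIELDS = ("u_minchg", "u_exp", "u_life", "u_pw_expire_warning", "u_llogin")

# Default entry copied from the first post in the thread.
DEFAULT = r"""default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#2592000:\
:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#5:t_login_timeout#0:\
:chkent:"""
# Constructed per-user entry (hypothetical values) overriding two defaults.
ROOT = r"""root:u_name=root:u_id#0:\
:u_life#0:u_maxtries#10:\
:chkent:"""
# Two of the /etc/default/security lines quoted in the reply.
SECURITY = "MIN_PASSWORD_LENGTH=9\nPASSWORD_HISTORY_DEPTH=10\n"

def parse_entry(text):
    """Return (name, fields): x#n -> int, x=s -> str, x@ -> False, x -> True."""
    joined = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    name, *caps = [c for c in joined.split(":") if c]
    fields = {}
    for cap in caps:
        key, sep, val = re.fullmatch(r"(\w+)([#=@]?)(.*)", cap).groups()
        fields[key] = int(val) if sep == "#" else val if sep == "=" else sep != "@"
    return name, fields

def effective(default_fields, user_fields):
    """Fields present in the user entry override the system default."""
    return {**default_fields, **user_fields}

def review(fields, security_text):
    """Return (time fields in days, notes on settings worth a second look)."""
    sec = dict(l.split("=", 1) for l in security_text.splitlines() if "=" in l)
    days = {k: fields[k] / 86400 for k in TIME_FIELDS if k in fields}
    notes = []
    if fields.get("u_life") == 0:
        notes.append("u_life is 0: password lifetime expiration disabled")
    min_len = int(sec.get("MIN_PASSWORD_LENGTH", 0))
    if "u_maxlen" in fields and fields["u_maxlen"] < min_len:
        notes.append(f"u_maxlen {fields['u_maxlen']} < MIN_PASSWORD_LENGTH {min_len}")
    return days, notes
```

Calling `review(effective(parse_entry(DEFAULT)[1], parse_entry(ROOT)[1]), SECURITY)` shows what the constructed root entry ends up with after the default is applied.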