Patrick Farho
Occasional Advisor

HP-UX 11.0 Non Trusted System /etc/default/security

I am trying to determine why the /etc/default/security feature PASSWORD_HISTORY_DEPTH=10 does not work on my system.

I am running HP-UX 11.0 and it is a non-trusted system. The other options I set work, but the History Depth and Min Days do not.

MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10 (Does not work)
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MINDAYS=5 (Does not work)

Any help on this subject would be appreciated. I have looked for this information on the ITRC, but have not been able to find what I need.

Thank you!!
Steven E. Protter
Exalted Contributor
Solution

Re: HP-UX 11.0 Non Trusted System /etc/default/security

Shalom,

I think it does not work because the system must be trusted for these features to work on 11.00.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
A. Clay Stephenson
Acclaimed Contributor

Re: HP-UX 11.0 Non Trusted System /etc/default/security

The old password hashes are stored in the tcb database, so unless there is a tcb database (i.e., unless the system is trusted) there is nowhere to store that data, and your entry in the security file is then nothing more than a comment.
If it ain't broke, I can fix that.
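
A check for the situation described in the replies above, as an added example that is not part of the thread or any poster's own code: it reports settings in /etc/default/security that are present while no tcb database exists. Using the /tcb/files/auth directory as the marker of a trusted system is an assumption, the function names are hypothetical, and the list of affected settings is limited to the two the original post reports as not working.

```shell
#!/bin/sh
# Added example, not from the thread. /tcb/files/auth as the marker of a
# trusted system is an assumption; the setting list comes from the thread.
TCB_DEPENDENT="PASSWORD_HISTORY_DEPTH PASSWORD_MINDAYS"

# is_trusted DIR: succeeds if the tcb (protected password) directory exists.
is_trusted() { [ -d "${1:-/tcb/files/auth}" ]; }

# get_setting FILE NAME: print the value of the last uncommented NAME=value.
get_setting() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t#].*$/, "", v) }
        END { if (v != "") print v }' "$1"
}

# audit_security FILE TCBDIR: on a non-trusted system, report each
# TCB-dependent setting that is present; return 1 if any was reported.
audit_security() {
    found=0
    is_trusted "$2" && return 0
    for name in $TCB_DEPENDENT; do
        val=$(get_setting "$1" "$name")
        if [ -n "$val" ]; then
            echo "INEFFECTIVE: $name=$val is set but no tcb database exists"
            found=1
        fi
    done
    return $found
}

# make_sample PATH: write a constructed file with values quoted in the thread.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's file
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10
PASSWORD_MINDAYS=5
EOF
}

if [ "$#" -ge 1 ]; then        # audit a real host: FILE [TCBDIR]
    audit_security "$1" "${2:-/tcb/files/auth}"
else                            # no arguments: demo on the constructed sample
    tmp=${TMPDIR:-/tmp}/security.sample.$$
    make_sample "$tmp"
    audit_security "$tmp" "$tmp.no-tcb" || true
    rm -f "$tmp"
fi
```

Run with the path to the security file as the first argument to audit a host; a non-zero exit status means at least one such setting was found on a non-trusted system.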
Patrick Farho
Occasional Advisor

Re: HP-UX 11.0 Non Trusted System /etc/default/security

I was concerned the Trusted System may be the resolution, as the man passwd did indicate a trusted system.

I am getting push from internal and external auditors regarding this option. They seem to think they got it working on other systems emulating my environment, but I just could not find anything to confirm their direction on an 11.0 non-trusted system.

Thanks for the information!
A. Clay Stephenson
Acclaimed Contributor

Re: HP-UX 11.0 Non Trusted System /etc/default/security

There is almost no way that a standard (untrusted, unshadowed) UNIX passwd file is going to survive a security audit because the password hashes must be visible to all users and thus is vulnerable to a guessing attack (e.g. Crack). You are probably going to have to convert to Trusted anyway; most applications will transparently use the trusted password routines as they are well hidden inside the libc routines and should be a blackbox to the application. Of course, you are also going to have to explain to the auditors why you are running an obsolete, out-of-support OS version as well.
If it ain't broke, I can fix that.
Patrick Farho
Occasional Advisor

Re: HP-UX 11.0 Non Trusted System /etc/default/security

Due to the sensitivity of the application and the third party vendor, I will not be able to migrate to a new release or convert to a trusted system. This has already been brought up to the vendor four years ago.

The application and servers need to be replaced, but with any conversion it is all about the mighty $$$$!

Hopefully we will be able to migrate off these legacy systems and applications!

Thanks for the responses!