Thanks for all the suggestions. I appreciate them all.
Darren Prior: Interesting suggestion. I think I have exhausted the capabilies of what trusted systems can do for me to reach my goals for certain password restrictions. Adding to the dictionary to eliminate the common words starting or ending with numeral(s) would be difficult to accomplish. I would need each word in the dictionary with a leading and trailing digit, and it gets worse if you consider using multiple digits before and after. I thank you for the suggestion, but I don't think it will get me where I want to be.
Alan Turner: I had stumbled across an example using the Expect Perl module as well, but it is not listed in my Oreilly "Programming Perl" book. There ARE 2 examples in the "Perl for System Administration" however. One suggests using the Cracklib C library, and the other just illustrates how to use the Expect module to automate changing passwords. I think I will go the Perl route with my own routines to verify the passed password complies with our own internal rules before submitting the password to the built-in passwd command. Thanks for the pointer!
Steven Sim Kok Leong: Auditing is another phase I will be working on in the near future. We plan on investigating IDS9000's capabilities for this task.
I have considered using John the Ripper and/or Crack to verify my users are using strong passwords, but there are political issues that go along with that that I'd prefer to avoid. If I can verify it is a strong password before it is used by a user, that should negate any need for regular password cracking IMHO. Thanks for taking the time to answer my question.
Sridhar Bhaskarla: Thank you also for the suggestion. My response is much the same to your suggestion as Steven's above. Thanks for taking the time to help.
In summary, We have converted all our systems to trusted systems, and enjoy the security-related benefits that result from that process. We have another tool (not on HP-UX) with more stringent password rules than we can achieve with TCB. The goal is to match the rules available with the other tool. At this time, I believe the quickest and most flexible solution is to take the example Perl scripts I have been able to find and fine tune them to match our requirements. Once that is accomplished, I will rename the system passwd commands, change the permissions on the command so an end-user cannot execute it directly and name this perl script "passwd" which then calls the renamed system passwd command after the password has been verified to be a strong password.
Thanks to all for your valuable input!
Kurt Renner
Do it right the first time and you will be ahead in the long run.
