1. The shadow password file is the classic (and not very secure) methoid to hide the encrypted passwords to prevent easy access with crack and other password guessing programs. If you have any requirement for a secure system, use Trusted. Not only are the encrypted passwords hidden from users, but you have a very large number of controls available for password choices and other security features. Trusted is much better than shadow passwords.
2. PAM is the aythentication method for 11i and higher. Version 11.00 implemented some authentication with PAM but the conversion is complete only in 11i. /etc/security does not exist in HP-UX. The file is /etc/default/security and has almost no effect for a standard system, a few controls are active in a shadow password system, and virtually all the lines are available in a Trusted system. Use the command:
man security
to read about this file. The man page for pam (and related pam subjects) gives information on how to integrate other modules...I have no idea if pam_cracklib will work on HP-UX. A search of the net shows a few experiments but no solid directions on how to set it up. If you use a PAM module, it will override the built-in Trusted system features for password format. SAM can configure many of your password policies both at the user level as well at the system level. The /etc/default/security and the values listed in SAM for system and users all work together.
3. Single user mode can require a password. Since single user mode is unlike a normal Unix environment, there are no users (directories like /usr and /home are unmounted) so there is only one login possible: root. As far as getting into single user mode, the commands init s and shutdown 0 do not reach single user mode. Only a complete reboot and interaction during the boot process will get to single user mode. Naturally, there is no networking during bootup and in single user mode so all of this must take place on the real console. Only root users are allowed to shutdown the machine unless you have made special provisions in /etc/shutdown.allow file.
4. As mentioned, su always logs it's activities and always creates the sulog file if it does not exist. However, su is not the tool of choice for a secure and autdited system. The sudo command (a contributed program) is much preferred.
5. Yes.
6. Yes, your command works but it will be VERY slow depending on the size of /home. Since .rhosts is useless unless it is in the user's $HOME directory, there is no need to search thousands of subdirectories for an ineffective file. Just use this:
ll /home/*/.rhosts
Of course, if you disable the 'r' services (remsh, rcp , rlogin) then it really doesn't matter if someone has a .rhosts file. See more information about ssh to eliminate the 'r' commands.
If you need a definitive tool for cnofiguring all the security features on your HP-uX system, downloaad copies of the following products from HP:
Bastille
security_patch_check
sudo
Secure Shell (ssh)
Note that Bastille is also available from HP for Linux. Note also that Bastille currerntly requires an Xwindow display to run. The others are standard Unix command line tools.
Bill Hassell, sysadmin
