Eric Ladner
Trusted Contributor

Lame password checking.

Eric Ladner
Trusted Contributor

Re: Lame password checking.

Oops.. hit enter too soon.

Is there a way to strengthen the password rules used at the time a user is picking a new password? I'm using HP-UX 11.0 on Trusted System. I have been searching the docs and the forum for quite a while to find some mention of where this actually occurs and if there is a way to substitute a new program to accept or reject user picked passwords.

Thanks,

Eric
Jeff Schussele
Honored Contributor

Re: Lame password checking.

Hi Eric,

AFAIK, the only way to do this would be to write a wrapper script around the passwd command that will do the checking & accept/reject the supplied PW before it's actually passed to passwd.

Search the forum, there have been several threads on this subject in the last 6 mos or so.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Nick Wickens
Respected Contributor

Re: Lame password checking.

In lieu of anything better my company runs annual security CBT courses that encourage staff to use better passwords - everyone has to complete a quiz at the end and is made to redo the course if they fail - your auditors may be aware of such training.

Also I occasionally take a look through the bad login attempts with the lastb command, as you can often locate any users here that use simple passwords, as they will invariably use a password as their login by mistake at some point. You can then try and work out who and issue a friendly reminder.
Hats ? We don't need no stinkin' hats !!
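The lastb triage described in the previous reply, as an added example that is not part of the original post: it parses a constructed set of failed-login records (the general "login tty host when" layout is assumed; the exact HP-UX lastb column layout is not reproduced), treats any login name that is not a real account as a probable password typed into the wrong field, and reports which known user failed from the same tty and host, so that the friendly reminder goes to the right person. `KNOWN_LOGINS` is a constructed stand-in for the names in /etc/passwd.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of failed-login records in the general "login tty host when"
# layout of lastb output; the exact HP-UX column layout is not reproduced here.
SAMPLE_LASTB = """\
eric       pts/1   10.1.2.3    Mon Mar  4 08:01
Welc0me!   pts/1   10.1.2.3    Mon Mar  4 08:02
eric       pts/1   10.1.2.3    Mon Mar  4 08:02
jsmith     pts/2   10.1.2.9    Mon Mar  4 09:15
jsmith     pts/2   10.1.2.9    Mon Mar  4 09:16
root       pts/3   10.1.2.20   Mon Mar  4 10:00
"""

# Constructed stand-in for the login names found in /etc/passwd.
KNOWN_LOGINS: Set[str] = {"eric", "jsmith", "root"}


def parse_lastb(text: str) -> List[Dict[str, str]]:
    """Split each record into login, tty, host and the remaining timestamp text."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # blank or truncated line
        records.append({
            "login": parts[0],
            "tty": parts[1],
            "host": parts[2],
            "when": parts[3] if len(parts) > 3 else "",
        })
    return records


def users_to_remind(records: List[Dict[str, str]], known: Set[str]) -> Dict[str, int]:
    """Map each known user to the number of unknown login names that failed from
    the same tty and host.

    A string that matches no account but was typed at the login prompt is likely
    a password entered in the wrong field; the known user who also failed from
    that tty/host is the one to remind. The stray strings themselves are
    deliberately not returned, so nothing that may be a live password is echoed
    into reports or logs."""
    unknown_by_session = defaultdict(int)
    known_by_session = defaultdict(set)
    for rec in records:
        session = (rec["tty"], rec["host"])
        if rec["login"] in known:
            known_by_session[session].add(rec["login"])
        else:
            unknown_by_session[session] += 1

    result = defaultdict(int)
    for session, count in unknown_by_session.items():
        for user in known_by_session.get(session, ()):
            result[user] += count
    return dict(result)


if __name__ == "__main__":
    for user, count in users_to_remind(parse_lastb(SAMPLE_LASTB), KNOWN_LOGINS).items():
        print(f"{user}: {count} non-account login name(s) seen from the same tty/host")
```

Grouping by tty and host is a heuristic: on a busy shared terminal server it can pair the wrong user with a stray string, so treat the result as a lead for a reminder, not proof.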
Eric Ladner
Trusted Contributor

Re: Lame password checking.

Does anybody have any information on a way to do this with PAM? I assume that one could write a 'password' routine that does the necessary stuff, I just have almost no experience with PAM coding.

Any examples out there?

Eric
James Beamish-White
Trusted Contributor

Re: Lame password checking.

What requirements do you have for passwd security?

This is probably undocumented, but have a look at editing the file

/tcb/files/auth/system/default

- specifically the line that reads:

:u_restrict:u_nullpw@:u_genchars@:u_genletters:
I can't remember what combination there is, but you can specify minimum length, min number of letters, minimum number of numbers, and even require a non-char, non-int value (such as an "_" or a ":").

Also, you may want to download Crack! or John the Ripper, which are password cracking tools, and running them once a month with a script that emails the offensive... I mean offending ;-) user that his password sux and he needs to change it - but that's my BOFH side talking.

Cheers!
James
GARDENOFEDEN> create light
James Beamish-White
Trusted Contributor

Re: Lame password checking.

Oh, and you may want to play with going into SAM -> Auditing and Security -> System Security Policies -> Password Format Policies and removing the "System Generates Pronounceable", "System Generates Character" and "System Generates Letters Only" selections. This may affect user specified as well.

Cheers!
James
GARDENOFEDEN> create light
Darren Prior
Honored Contributor

Re: Lame password checking.

Hi,

The following doc (along with the man page for default(4) and prpwd(4)) explains the entries found in the system/default file -> KBRC00008662.

Password triviality checks for the following: login names or circular shifts of login names, palindromes or any word recognised by spell.

Unfortunately the standard spell dictionary is of benefit for password checking as passwords must contain at least one non-alpha character. It is therefore necessary to create a specialist dictionary containing all the permutations that you wish to check for, ie replacing all the letter 'i's with 1's and similar substitutions.

I'd also suggest you check the man page for security (check docs.hp.com as it is currently only documented at 11i I believe) as there are some features that could be useful (if you have the latest pam patch).

regards,

Darren.
Calm down. It's only ones and zeros...
Eric Ladner
Trusted Contributor

Re: Lame password checking.

Answered my own question.

Found a PAM module called pam_passwdqc (Google search for it.. even supports HP-UX) that does exactly what I want!

FYI.. u_genchar etc. controls whether or not the user can pick that option (i.e. "Generate character password", "Generate pronounceable", etc.)

doug hosking
Esteemed Contributor
Solution

Re: Lame password checking.

Check patch PHCO_24390, which states:

A site's security policies sometimes require new passwords
to contain specific numbers or types of characters, such as
at least two digits and at least one special character.
Resolution:
In addition to the standard password requirements,
optional entries in the file /etc/default/security specify
the minimum number of required characters of each type
(upper case characters, lower case characters, digits
and special characters) in a new password.
PASSWORD_MIN_UPPER_CASE_CHARS=N
PASSWORD_MIN_LOWER_CASE_CHARS=N
PASSWORD_MIN_DIGIT_CHARS=N
PASSWORD_MIN_SPECIAL_CHARS=N
The default value for N is 0. These parameters have
effect only when a password is changed. On untrusted
systems, these parameters do not apply to the root user.
The file /etc/default/security should be owned by root and
have 0644 permissions.
As an example, to require passwords at least 8 characters
long, composed of at least 5 upper case characters, 2
lower case characters and a digit, include the following
lines in /etc/default/security, as specified above:
PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1

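The policy quoted above, together with the triviality checks Darren listed earlier (login name or a circular shift of it, palindromes), as an added example that is not HP-UX's own passwd code and not part of any post here: it parses a constructed /etc/default/security fragment carrying the four PASSWORD_MIN_* entries, defaults each absent entry to 0 as the patch text states, and then reports every rule a candidate password fails. The minimum length of 8 is taken from the patch's worked example rather than from a documented default, the case-insensitive comparison against the login name is an assumption, and the spell-dictionary check is left out because it depends on a site-specific word list.

```python
import string
from typing import Dict, List, Set

# Constructed sample of an /etc/default/security file using the four
# PASSWORD_MIN_* entries quoted in the thread (the values are made up here).
SAMPLE_SECURITY_FILE = """\
# /etc/default/security (constructed example)
PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1
# PASSWORD_MIN_SPECIAL_CHARS is omitted, so it keeps its default of 0
"""

# Parameter name -> the character class it constrains.
PARAMS = {
    "PASSWORD_MIN_UPPER_CASE_CHARS": "upper",
    "PASSWORD_MIN_LOWER_CASE_CHARS": "lower",
    "PASSWORD_MIN_DIGIT_CHARS": "digit",
    "PASSWORD_MIN_SPECIAL_CHARS": "special",
}


def parse_security_file(text: str) -> Dict[str, int]:
    """Return the PASSWORD_MIN_* values; an absent entry defaults to 0 as the patch text says."""
    policy = {name: 0 for name in PARAMS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in policy:
            if not value.isdigit():
                raise ValueError(f"{key}: expected a non-negative integer, got {value!r}")
            policy[key] = int(value)
    return policy


def count_classes(pw: str) -> Dict[str, int]:
    """Count ASCII upper, lower and digit characters; everything else counts as 'special'."""
    upper = sum(c in string.ascii_uppercase for c in pw)
    lower = sum(c in string.ascii_lowercase for c in pw)
    digit = sum(c in string.digits for c in pw)
    return {"upper": upper, "lower": lower, "digit": digit,
            "special": len(pw) - upper - lower - digit}


def circular_shifts(name: str) -> Set[str]:
    """All rotations of a login name, e.g. 'eric' -> {'eric', 'rice', 'icer', 'ceri'}."""
    return {name[i:] + name[:i] for i in range(len(name))}


def triviality_failures(pw: str, login: str) -> List[str]:
    """The triviality checks named in the thread, compared case-insensitively (an assumption)."""
    failures = []
    low = pw.lower()
    if low in circular_shifts(login.lower()):
        failures.append("password is the login name or a circular shift of it")
    if len(low) > 1 and low == low[::-1]:
        failures.append("password is a palindrome")
    return failures


def check_password(pw: str, login: str, policy: Dict[str, int], min_length: int = 8) -> List[str]:
    """Return the list of rules the candidate violates; an empty list means it is acceptable.
    min_length=8 comes from the patch's worked example, not from a documented default."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    counts = count_classes(pw)
    for name, cls in PARAMS.items():
        if counts[cls] < policy[name]:
            failures.append(f"{name}={policy[name]} not met (found {counts[cls]} {cls})")
    failures.extend(triviality_failures(pw, login))
    return failures


if __name__ == "__main__":
    policy = parse_security_file(SAMPLE_SECURITY_FILE)
    # Constructed candidates: one passes, one lacks upper case, one is a rotation
    # of the login name, one satisfies the counts but is a palindrome.
    for candidate in ("ABCDEfg1", "abcdefg1", "Rice", "ABCDEfg1gfEDCBA"):
        print(candidate, "->", check_password(candidate, "eric", policy) or "OK")
```

The same function is what a wrapper around passwd, as suggested earlier in the thread, would call before handing the new password on: a non-empty return value is the reason list to show the user.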
harry d brown jr
Honored Contributor

Re: Lame password checking.

Eric,

Have you thought about LDAP login?

live free or die
harry
Live Free or Die
Eric Ladner
Trusted Contributor

Re: Lame password checking.

Thanks Doug! Exactly what I was looking for.

Harry, I'm currently looking at LDAP-UX integration with Active Directory which would remove the password issue for me totally. I have to get the NT guys to do some stuff first, unfortunately..

Thanks for all the great info!

Eric