
login specifications

 
SOLVED
Go to solution
Donald Thaler
Super Advisor

login specifications

I checked the man pages on login and looked into
/etc/default/security, but I didn't see any specification that would lock an account after 'x' number of failed logins...
Jupinder Bedi
Respected Contributor

Re: login specifications

You can mention the following field in /etc/default/security:

NUMBER_OF_LOGINS_ALLOWED=
All things excellent are as difficult as they are rare
Jupinder Bedi
Respected Contributor

Re: login specifications

If it is a trusted system, then you need to change the parameter in the /tcb/files/auth/system/default file:

u_maxtries
All things excellent are as difficult as they are rare
Donald Thaler
Super Advisor

Re: login specifications

NUMBER_OF_LOGINS_ALLOWED is for concurrent logins according to the documentation... the correct value is auth_maxtries=
Pete Randall
Outstanding Contributor

Re: login specifications

And it's only available on trusted systems.


Pete
Donald Thaler
Super Advisor

Re: login specifications

How do I know if it's a trusted system?
Pete Randall
Outstanding Contributor

Re: login specifications

The password fields in /etc/passwd will be nulled out (or replaced with a * - can't remember which) and you will have a tcb directory structure instead.


Pete
Donald Thaler
Super Advisor

Re: login specifications

Next question... how do we become a trusted site? The password file has entries in it for each Unix user??
Pete Randall
Outstanding Contributor

Re: login specifications

The best way is to use SAM. SAM > Auditing and Security > System Security Policies will accomplish it. You will get a screen telling you that you have to convert and it will ask you if you want to convert now. You can subsequently unconvert if you don't like it, by running tsconvert -r.

You can also use tsconvert to do the initial conversion but SAM does a better job of making sure the passwords are not initially expired, among other things.


Pete
Pete Randall
Outstanding Contributor

Re: login specifications

Also, you don't mention which version of HP-UX you're running, but the last entry in the thread I pointed out mentions a product which implements many of these sorts of features on a 11.23 system. It also mentions that trusted is deprecated on 11.31. Something else to consider.


Pete
Donald Thaler
Super Advisor

Re: login specifications

I'm on 11.23. When switching to a trusted site, will we notice anything different if we don't modify /etc/default/security and take all the defaults? I just want to be a little proactive, just in case the users start experiencing something new as a result of this switch to a trusted site.
Pete Randall
Outstanding Contributor

Re: login specifications

Not sure on that one, Donald. I've never run trusted. It always seemed like it would be overly restrictive for the users and more work for me - resetting password and so on - so I never tried it. Sorry.


Pete
Donald Thaler
Super Advisor

Re: login specifications

So without running "trusted", is there any way to inhibit logins if someone tries too many times and fails?
Pete Randall
Outstanding Contributor

Re: login specifications

For you, since you're running 11.23, I believe you could use Trusted Mode Security Extensions:
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

In the above link, it specifically mentions the following features:

1. Auditing user and system activities
2. Account locking after too many authentication failures occur
3. Displaying the last successful and unsuccessful login
4. Preventing the re-use of passwords in the password history
5. Preventing logins with null passwords
6. Restricting logins to specific time periods
7. Expiring inactive accounts

Number 2 sounds like your ticket.


Pete
Bill Hassell
Honored Contributor

Re: login specifications

The simplest way to detect a Trusted system is:

ll -d /tcb

If the /tcb directory exists, then the system is Trusted (assuming root hasn't been playing games).

> I'm on 11.23, when switching to a trusted site will we notice anything different if we don't modify /etc/default/security and take all the defaults ?

The first difference is that there will be a maximum retry limit. When the user fat-fingers the password more than 3 times (3=typical), the login is locked. Untrusted accounts have infinite retries. You use the modprpw command to reinstate the locked user login.

One of the problems with Trusted is that specifications (rules) exist in two places, the security file and also the /tcb/files/auth/system/default. The enclosed script will report a combined summary of all the security settings for a Trusted system.

As far as side effects, occasionally some old applications try to use the classic /etc/passwd file rather than PAM for application authentication. PAM has been around for more than a decade, so most apps will use PAM so that the underlying authentication method is transparent.


Bill Hassell, sysadmin
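As an added example (not from the thread, and not HP's own tooling), here is a POSIX shell script that puts together the checks from Pete's and Bill's replies: it looks for the /tcb directory, checks whether every password field in /etc/passwd has been hidden, and then reads the failed-login limit from whichever of the two places the rules live (u_maxtries in /tcb/files/auth/system/default on a Trusted system, auth_maxtries in /etc/default/security otherwise), reporting "unlimited" when neither is set, which is the infinite-retry situation Bill describes. The termcap-style u_maxtries#N field layout and the upper-case AUTH_MAXTRIES spelling (the thread writes it lower-case, so the match is case-insensitive) are assumptions from HP-UX documentation, and the sample directory trees are constructed for running it offline; pass "/" as the root to inspect a real box.

```shell
#!/bin/sh
# Added example: summarise the Trusted/standard state of an HP-UX tree and
# its failed-login limit. Not from the thread; see the lead-in for assumptions.

# is_trusted ROOT -> exit 0 if ROOT/tcb exists (Bill's "ll -d /tcb" test)
is_trusted() {
    [ -d "$1/tcb" ]
}

# passwd_hidden ROOT -> "yes" if every password field in ROOT/etc/passwd is
# empty or "*" (Pete's indicator of a converted system), else "no"
passwd_hidden() {
    awk -F: '$2 != "" && $2 != "*" { found = 1 }
             END { print (found ? "no" : "yes") }' "$1/etc/passwd"
}

# max_tries ROOT -> the failed-login limit in force, or "unlimited".
# Trusted: the u_maxtries#N field in the tcb default file (assumed layout).
# Standard: AUTH_MAXTRIES=N in /etc/default/security, matched case-insensitively.
max_tries() {
    root=$1
    if is_trusted "$root"; then
        n=$(sed -n 's/.*:u_maxtries#\([0-9][0-9]*\):.*/\1/p' \
                "$root/tcb/files/auth/system/default")
    else
        n=$(grep -i '^auth_maxtries=' "$root/etc/default/security" 2>/dev/null \
                | tail -1 | cut -d= -f2)
    fi
    [ -n "$n" ] && echo "$n" || echo unlimited
}

# report ROOT -> one summary line combining the three checks
report() {
    if is_trusted "$1"; then mode=Trusted; else mode=Standard; fi
    echo "$1: mode=$mode passwd_hidden=$(passwd_hidden "$1") max_tries=$(max_tries "$1")"
}

# make_fixture DIR trusted|standard -> constructed sample tree for offline use
make_fixture() {
    dir=$1; kind=$2
    mkdir -p "$dir/etc/default"
    if [ "$kind" = trusted ]; then
        mkdir -p "$dir/tcb/files/auth/system"
        # constructed: password fields replaced by "*" after conversion
        printf 'root:*:0:3::/:/sbin/sh\ndon:*:101:20::/home/don:/usr/bin/sh\n' \
            > "$dir/etc/passwd"
        # constructed excerpt in the assumed termcap-style layout of the tcb default file
        printf 'default:\\\n\t:d_name=default:\\\n\t:u_maxtries#3:\\\n\t:u_exp#0:\\\n\t:chkent:\n' \
            > "$dir/tcb/files/auth/system/default"
    else
        # constructed: classic passwd with hashes in place and no lockout parameter
        printf 'root:abcdEFGH1234:0:3::/:/sbin/sh\ndon:xyz123ABC456:101:20::/home/don:/usr/bin/sh\n' \
            > "$dir/etc/passwd"
        printf '# constructed: no auth_maxtries set\n' > "$dir/etc/default/security"
    fi
}

# Demo on the constructed trees; on a real system call: report /
demo() {
    tmp=${TMPDIR:-/tmp}/tcbdemo.$$
    make_fixture "$tmp/trusted" trusted
    make_fixture "$tmp/standard" standard
    report "$tmp/trusted"
    report "$tmp/standard"
    rm -rf "$tmp"
}
demo
```

The "unlimited" result on the standard-mode tree is the state Bill warns about: without a limit in either file, a password can be retried indefinitely, so the report is a quick way to see whether a box actually has lockout in force before users are told to expect it.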
Donald Thaler
Super Advisor

Re: login specifications

Is there any advantage to running Trusted Mode Security Extensions vs. a TRUSTED system?

I noticed that the Trusted Mode Security Extensions require a download of additional software; that's not required if I run in TRUSTED mode??