HPE Community
Operating System - HP-UX
1836648 Members
1878 Online
110102 Solutions
New Discussion

Modem Security

 
Rushank
Super Advisor

‎01-18-2002 08:21 AM

‎01-18-2002 08:21 AM

Modem Security

Hello,

I would like to configure a modem for dial-in on D box with 10.20. This is a trusted system and I would like to configure modem with security feature.

The most of the docs on this site explains about /etc/d_passwd and /etc/dialups.
But both the files are not present in this directory. I tried creating d_passwd file passwd -F /etc/d_passwd /usr/bin/ksh without any sucess
A step by step help would be highly appriciated. Also let me know if there is any other security features available for modem.

Thanks in advance
0 Kudos
Reply
14 REPLIES 14
S.K. Chan
Honored Contributor

‎01-18-2002 08:39 AM

‎01-18-2002 08:39 AM

Re: Modem Security

To add a single dialup password for any port listed in the /etc/dialups file, perform the following steps:

1. Edit /etc/dialups to add a list of dialin ports for which you want to have a dialup password. For example:

/dev/ttyd0p7
/dev/ttyd0p1

2. Edit /etc/d_passwd to look like:

/usr/bin/sh::comment

where the first field is the shell to be used, the second field is reserved for an encrypted password, and the third field is comment.

3. Add the password to /etc/d_passwd using the following command:

# passwd -F /etc/d_passwd /usr/bin/sh

This prompts for the password.
0 Kudos
Reply
Rushank
Super Advisor

‎01-18-2002 09:19 AM

‎01-18-2002 09:19 AM

Re: Modem Security

Chan,

I've read this doc, The problem is I don't have these files in my /etc/ directory (d_passwd and dialups) Do I need to creat this file..?

T tried creating d_passwd file and then executed passwd -F option. (passwd -F /etc/d_passwd /bin/sh) I'm getting an error saying invalied login
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎01-18-2002 09:56 AM

‎01-18-2002 09:56 AM

Re: Modem Security

Yes you need to create /etc/dialups and /etc/d_passwd. These files should be owned by root:root and permission 600.

I'm not sure if this would make a difference but try it anyway .. try using /usr/bin/sh in both the d_passwd file entry and the passwd command.
0 Kudos
Reply
Rushank
Super Advisor

‎01-18-2002 11:39 AM

‎01-18-2002 11:39 AM

Re: Modem Security


I created file d_passwd with touch command with 600 permissions.
and when I run passwd -F /etc/d_passwd /usr/bin/sh I get invalied login

0 Kudos
Reply
Geno Church
Frequent Advisor

‎01-18-2002 12:03 PM

‎01-18-2002 12:03 PM

Re: Modem Security

Try this...

The problem lies in the length of the loginname.

ANd there is a patch out that addresses this bug. If you don't have this patch then apply.

PHCO_13734

No reboot is required.

Geno-HP
Real Eyes Realize Real Lies
0 Kudos
Reply
Rushank
Super Advisor

‎01-18-2002 01:11 PM

‎01-18-2002 01:11 PM

Re: Modem Security

Pacth is already there.. Problem remains..
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎01-18-2002 01:41 PM

‎01-18-2002 01:41 PM

Re: Modem Security

Ok .. try this entry in /etc/d_passwd file instead. This is the "workable" passowrd entry format in HPUX11.x but you're running 10.20...so I'm not sure if this will work but at this point you got nothing to lose.

/sbin/sh::0:0:comment::
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎01-18-2002 01:42 PM

‎01-18-2002 01:42 PM

Re: Modem Security

Sorry it should be ..

/usr/bin/sh::0:0:comment::
0 Kudos
Reply
Rushank
Super Advisor

‎01-18-2002 01:53 PM

‎01-18-2002 01:53 PM

Re: Modem Security

Hi,

Tried that but when I use passwd -F /etc/d_passwd /usr/bin/sh
I get invalied login name

0 Kudos
Reply
S.K. Chan
Honored Contributor

‎01-18-2002 02:22 PM

‎01-18-2002 02:22 PM

Re: Modem Security

This is what I found out ..

Quote ..
The problem was introduced onto your system with the application of patch PHCO_10274 (superseeded by PHCO_13734). One of the fixes in the patch was for a security problem. In this fix, there was a check added for an 8 character username in /etc/passwd. When dialup security is invoked, login requests an additional password, and checks it against that found in /etc/d_passwd. The command name found in the ``program to use as shell'' field of /etc/passwd is used to select the password to be used. With the SVR4 file system, it
now has path names to shells that exceed the 8 character limit.

The workaround is to use a bogus "program to use as shell".

In /etc/d_passwd you need something like:

shell::comment

Then run passwd:

passwd -F /etc/d_passwd shell

After the password has been changed, edit /etc/d_passwd to have the path to the real shell that you want to use.
Unquote ..

Good Luck
0 Kudos
Reply
Rushank
Super Advisor

‎01-18-2002 02:52 PM

‎01-18-2002 02:52 PM

Re: Modem Security

Yes that worked.. But how do I add users in this d_passwd file..?

0 Kudos
Reply
S.K. Chan
Honored Contributor

‎01-18-2002 04:35 PM

‎01-18-2002 04:35 PM

Re: Modem Security

Example :-

1) Edit /etc/d_passwd to look something like this list:
shell1::comment
shell2::comment
/usr/bin/sh::comment
Note: Remember, shell1 to 3 is dummy shell. I am assuming you've got the first part done (ie set up /usr/bin/sh line with password)

2) Run ..
# passwd -F /etc/d_passwd shell1
# passwd -F /etc/d_passwd shell2

3) Create links for the users to their shells:
# ln -s /usr/bin/sh /usr/bin/uss1
# ln -s /usr/bin/sh /usr/bin/uss2

4) Edit the /etc/passwd and /etc/d_passwd files so that the shell is listed with the new links:
# vi /etc/passwd
dialup1::111:20:comment,,,:/home/dialup1:/usr/bin/uss1
dialup2::112:20:comment,,,:/home/dialup2:/usr/bin/uss2
# vi /etc/d_passwd
/usr/bin/uss1::comment
/usr/bin/uss2::comment
/usr/bin/sh::comment
0 Kudos
Reply
Rushank
Super Advisor

‎01-21-2002 08:04 AM

‎01-21-2002 08:04 AM

Re: Modem Security

Why is that I get all garbage when I connect to remote box.?? What is the right cable Modem is connected to serial port of D box (9 -pin) and to modem (25 pin)

0 Kudos
Reply
harry d brown jr
Honored Contributor

‎01-21-2002 08:11 AM

‎01-21-2002 08:11 AM

Re: Modem Security

Rushank,

Have you looked into dial-back modems?

http://rr.sans.org/unix/sec_HPUX.php

live free or die
harry
Live Free or Die
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.