Solved: Re: one-time password on HP/UX?

Michael_356 · ‎05-06-2004

Hi all,

one item in our security-list is the requirement of an once-per-session password for users, who log into our machines with an insecure connection or protocol.
I've never heard before about this. Is there any software or patch available from HP?
Where in the OS i can set this functionality?

Is there anybody out there, who can remedy my lack of information?
Please help

Thanx in advance
Michael

Stefan Farrelly · ‎05-06-2004

With 11.0 and 11i you have the modprpw command which lets you set things like password lifetime (in days), expiration time (days) and account expiration time (days). As you can see its all in days, so the best you can do is have a password valid for 1 day.

Im from Palmerston North, New Zealand, but somehow ended up in London...

Jairo Campana · ‎05-06-2004

see this documents:

http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/4-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/4-toc.html&searchterms=trusted%7cmode&queryid=20040506-072121

http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/18-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/18-toc.html&searchterms=trusted%7cmode&queryid=20040506-072121

http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/5187-2216/5187-2216_top.html&con=/hpux/onlinedocs/5187-2216/00/00/73-con.html&toc=/hpux/onlinedocs/5187-2216/00/00/73-toc.html&searchterms=trusted%7cmode&queryid=20040506-072121

legionx

Karthik S S · ‎05-06-2004

Hi Michael,

I am not sure if once-per-session password can be enabled. But if you convert your HP-UX to a trusted system you can configure the password control/ageing to achieve what you want (to certain extent).

Refer:
http://docs.hp.com/hpux/onlinedocs/B2355-90121/00/00/19-con.html

-Karthik S S

For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn

Jairo Campana · ‎05-06-2004

security :-)

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/skey-1.1b/

The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/reply attacks. This system has several advantages compared with other one-time or multi-user authentication systems. The user's secret password never crosses the network during login, or when executing other commands requiring authentication such as the UNIX passwd or su commands. No secret information is stored anywhere, including the host being protected, and the underlying algorithm may be (and it fact, is) public knowledge. The remote end of this system can run on any locally available computer. The host end could be integrated into any application requiring authentication.

legionx

Sanjay_6 · ‎05-06-2004

Hi,

I don't think there is anything that you can do on the system to allow you to do this. but before you get to the server you can try something like securID.

Try this link below,

http://www.rsasecurity.com/products/securid/

VPN is another solution.

Hope this helps.

Regds

Bharat Katkar · ‎05-06-2004

In a normal system only way out is to sepcify:
"Password Expiration Time" for the user and don't know how it will help you.
But if your system is trusted this is possible by configuring proper password policy for that user.
See the attached docs for tcb:

You need to know a lot to actually know how little you know

Bharat Katkar · ‎05-06-2004

Also take a look at one more doc which talks about password aging in non trusted systems

hope this helps:
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=-1335382922+1083851413890+28353475&docId=200000067130219

You need to know a lot to actually know how little you know

Michael_356 · ‎05-06-2004

Thanx alot for all your answers.

All of our machines runs in trusted mode,
pw-expiration and -lifetime is set to accurat values for "normal" users but i need a solution for our supporters and suppliers who need temporary access to our system.
The need is an enhanced functionality of pw-expirationtime. One day-password isn't enough in this case, once-per-session-password is the requirement.

thx to jairo, maybe the only way to getz this functionality

Michael

Mel Burslan · ‎05-06-2004

well, if you are the programmer type, I have another suggestion:

in the $HOME/.profile of the userid which will only be allowed to login once in its lifetime, you can put a command to execute an executable program (not a shell script as this will require to be run with setuid bit, aka sticky bit). This command will not be anything more than a c wrapper for command

passwd -l $(who am i| awk {'print $1'})

which will immediately disable the subsequent logins to this account upon first successful login.

Just a suggestion if you can not find a shrink wrapped solution.

________________________________
UNIX because I majored in cryptology...

Michael_356 · ‎05-06-2004

@mel:

Yes, I AM of this type :-)

Great idea with a small downer:
How to secure the entry in $HOME/.profile?
Maybe i can hide it with an inexpressively name but in every company is ONE person who are a little bit too curious. Better to deny access to some files then to hide it in an accessible file.
Or is it possible, to chown $HOME/.profile to root?

Bharat Katkar · ‎05-07-2004

Or is it possible, to chown $HOME/.profile to root?

No. Instead you use chmod and set SUID bit.

You need to know a lot to actually know how little you know

Mel Burslan · ‎05-07-2004

Michael,

I have seen more frequently than not, .profile and other .*rc files being owned by root:sys and functioning well as long as the the permissions are open to be read by anyone, i.e., 444, 644 or 744 permissions. Many times I encountered this root ownership of the skelton files is mainly due to a sloppy previous system admin/builder but it works and that I believe is what matters to you the most.

________________________________
UNIX because I majored in cryptology...