
one-time password on HP/UX?

 
SOLVED
Go to solution
Michael_356
Frequent Advisor

one-time password on HP/UX?

Hi all,

one item on our security list is the requirement of a once-per-session password for users who log into our machines over an insecure connection or protocol.
I've never heard of this before. Is there any software or patch available from HP?
Where in the OS can I set this functionality?

Is there anybody out there who can remedy my lack of information?
Please help

Thanx in advance
Michael
12 REPLIES
Stefan Farrelly
Honored Contributor

Re: one-time password on HP/UX?

With 11.0 and 11i you have the modprpw command, which lets you set things like password lifetime (in days), expiration time (days) and account expiration time (days). As you can see, it's all in days, so the best you can do is have a password valid for 1 day.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Karthik S S
Honored Contributor

Re: one-time password on HP/UX?

Hi Michael,

I am not sure if a once-per-session password can be enabled. But if you convert your HP-UX to a trusted system you can configure the password control/ageing to achieve what you want (to a certain extent).

Refer:
http://docs.hp.com/hpux/onlinedocs/B2355-90121/00/00/19-con.html

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Jairo Campana
Trusted Contributor

Re: one-time password on HP/UX?

security :-)

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/skey-1.1b/

The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/replay attacks. This system has several advantages compared with other one-time or multi-user authentication systems. The user's secret password never crosses the network during login, or when executing other commands requiring authentication such as the UNIX passwd or su commands. No secret information is stored anywhere, including the host being protected, and the underlying algorithm may be (and in fact, is) public knowledge. The remote end of this system can run on any locally available computer. The host end could be integrated into any application requiring authentication.
legionx
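
Added example (not part of the original thread and not code from the S/KEY package): a sketch of the hash-chain scheme that S/KEY-style one-time passwords rely on, showing why a password captured on the wire is useless for a second login. Assumptions: SHA-256 truncated to 64 bits stands in for the hash used by the real S/KEY, and the names step, otp, Host and demo are hypothetical.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    # One link of the chain. Assumption: truncated SHA-256 replaces
    # the hash function of the real S/KEY implementation.
    return hashlib.sha256(value).digest()[:8]

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """User side: hash seed+secret n times. The secret never leaves this side."""
    value = seed + secret
    for _ in range(n):
        value = step(value)
    return value

class Host:
    """Host side: stores only the last accepted password and a counter."""
    def __init__(self, seed: bytes, initial: bytes, count: int):
        self.seed, self.last, self.count = seed, initial, count

    def challenge(self):
        # Sent in the clear: which chain position to answer with, plus the seed.
        return self.count - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 1:
            return False  # chain used up; the user must be re-initialised
        # Hashing the candidate once must give the previously stored value.
        if not hmac.compare_digest(step(candidate), self.last):
            return False
        self.last = candidate  # each value is accepted exactly once
        self.count -= 1
        return True

def demo():
    secret, seed = b"constructed passphrase", b"hx12345"  # constructed sample values
    host = Host(seed, otp(secret, seed, 5), 5)
    n, s = host.challenge()
    first = otp(secret, s, n)
    results = [host.verify(first)]      # fresh one-time password
    results.append(host.verify(first))  # same value replayed by an eavesdropper
    n, s = host.challenge()
    results.append(host.verify(otp(secret, s, n)))  # next login, next password
    return results

if __name__ == "__main__":
    print(demo())
```

The host can check a password with what it stores, but cannot derive the next one from it, because that would require inverting the hash.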
Sanjay_6
Honored Contributor

Re: one-time password on HP/UX?

Hi,

I don't think there is anything that you can do on the system to allow you to do this. But before you get to the server you can try something like SecurID.

Try this link below,

http://www.rsasecurity.com/products/securid/

VPN is another solution.

Hope this helps.

Regds
Bharat Katkar
Honored Contributor

Re: one-time password on HP/UX?

In a normal system the only way out is to specify
"Password Expiration Time" for the user, and I don't know how it will help you.
But if your system is trusted this is possible by configuring proper password policy for that user.
See the attached docs for tcb:
You need to know a lot to actually know how little you know
Bharat Katkar
Honored Contributor

Re: one-time password on HP/UX?

Also take a look at one more doc which talks about password aging in non trusted systems

hope this helps:
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=-1335382922+1083851413890+28353475&docId=200000067130219

You need to know a lot to actually know how little you know
Michael_356
Frequent Advisor

Re: one-time password on HP/UX?

Thanks a lot for all your answers.

All of our machines run in trusted mode,
pw-expiration and -lifetime are set to accurate values for "normal" users, but I need a solution for our supporters and suppliers who need temporary access to our system.
The need is an enhanced functionality of pw-expirationtime. A one-day password isn't enough in this case; a once-per-session password is the requirement.

thx to jairo, maybe the only way to get this functionality

Michael
Mel Burslan
Honored Contributor
Solution

Re: one-time password on HP/UX?

Well, if you are the programmer type, I have another suggestion:

In the $HOME/.profile of the userid which will only be allowed to log in once in its lifetime, you can put a command to execute an executable program (not a shell script, as this will require to be run with the setuid bit, aka sticky bit). This command will not be anything more than a C wrapper for the command

passwd -l $(who am i | awk '{print $1}')

which will immediately disable the subsequent logins to this account upon first successful login.

Just a suggestion if you can not find a shrink wrapped solution.
________________________________
UNIX because I majored in cryptology...
Michael_356
Frequent Advisor

Re: one-time password on HP/UX?

@mel:

Yes, I AM of this type :-)

Great idea with a small downer:
How to secure the entry in $HOME/.profile?
Maybe I can hide it with an inexpressive name, but in every company there is ONE person who is a little bit too curious. Better to deny access to some files than to hide it in an accessible file.
Or is it possible to chown $HOME/.profile to root?
Bharat Katkar
Honored Contributor

Re: one-time password on HP/UX?

Or is it possible, to chown $HOME/.profile to root?

No. Instead you use chmod and set the SUID bit.
You need to know a lot to actually know how little you know
Mel Burslan
Honored Contributor

Re: one-time password on HP/UX?

Michael,

I have seen, more frequently than not, .profile and other .*rc files being owned by root:sys and functioning well as long as the permissions are open to be read by anyone, i.e., 444, 644 or 744 permissions. Many times I encountered this root ownership of the skeleton files mainly due to a sloppy previous system admin/builder, but it works and that, I believe, is what matters to you the most.
________________________________
UNIX because I majored in cryptology...