HPE Community
Operating System - HP-UX
1826420 Members
3352 Online
109692 Solutions
New Discussion

Re: Password aging

 
Prashant Zanwar_4
Respected Contributor

‎08-31-2004 02:01 AM

‎08-31-2004 02:01 AM

Password aging

Hi,
I have /etc/default/security file as follows:
# cat /etc/default/security
PASSWORD_HISTORY_DEPTH=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1

And my system is also trusted. I am trying to create a test user for testing purpose and test the above implementation, it does'nt seem to be working.
I am creating user test with passwd xy1964 which should not be allowd, but it's striaght getting through. Please advise asap.
Thanks
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Reply
11 REPLIES 11
Sridhar Bhaskarla
Honored Contributor

‎08-31-2004 02:10 AM

‎08-31-2004 02:10 AM

Re: Password aging

Hi Prashant,

First I would check if your system is patched (if it 11.0, then you will need to install the patch).

One crude way I check for that is to do

strings /usr/bin/login |grep security

It should display a line containing the file /etc/default/security.

If it doesn't, then you will need to go to ITRC Patch site and download the latest login patch.

Also make sure you are not using '/sbin/passwd' to set the password as it will by pass the rules.

Enable triviality checking of the password by running modprdef -m rstrpw=YES. That shouldn't allow simple passwords in addition to your /etc/default/security.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎08-31-2004 02:20 AM

‎08-31-2004 02:20 AM

Re: Password aging

root can override these restrictions.

So create the user and then run passwd -f

Log on as the user and test your restrictions.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎08-31-2004 02:31 AM

‎08-31-2004 02:31 AM

Re: Password aging

If you are giving passwd on super user then it won't get effect.

passwd man page says -->
A superuser, whose effective user ID is zero, (see id(1) and su(1)),
is allowed to change any password and is not forced to comply with
password aging. Superusers are not prompted for old passwords, unless
they are attempting to change a superuser's password in a trusted
system.


Try to make the user to assign their passwd.
Make the user to change their by passwd -f

It will make the user to change their passwd in their next login.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Sundar_7
Honored Contributor

‎08-31-2004 03:38 AM

‎08-31-2004 03:38 AM

Re: Password aging

Yes, If you are running 11.0, to enable /etc/default/security you need to install patch PHCO_20334.



Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Prashant Zanwar_4
Respected Contributor

‎08-31-2004 06:26 AM

‎08-31-2004 06:26 AM

Re: Password aging

Sundar the patch which are talking about just takes care of password minimum length as read in patch details. Which one will take care of password complexity as above.
Thanks
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Reply
Sundar_7
Honored Contributor

‎08-31-2004 06:33 AM

‎08-31-2004 06:33 AM

Re: Password aging

I believe the patch also takes care of /etc/default/security file issue

This is the patch: PHCO_29249

============================================
(SR: 8606202873 CR: JAGad72047)
A site's security policies sometimes require new passwords
to contain specific numbers or types of characters, such as
at least two digits and at least one special character.

Resolution:
In addition to the standard password requirements,
optional entries in the file /etc/default/security specify
the minimum number of required characters of each type
(upper case characters, lower case characters, digits
and special characters) in a new password.

PASSWORD_MIN_UPPER_CASE_CHARS=N
PASSWORD_MIN_LOWER_CASE_CHARS=N
PASSWORD_MIN_DIGIT_CHARS=N
PASSWORD_MIN_SPECIAL_CHARS=N

The default value for N is 0. These parameters have
effect only when a password is changed. On untrusted
systems, these parameters do not apply to the root user.
The file /etc/default/security should be owned by root and
have 0644 permissions.

As an example, to require passwords at least 8 characters
long, composed of at least 5 upper case characters, 2
lower case characters and a digit, include the following
lines in /etc/default/security, as specified above:

PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1
============================================
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Sanjay_6
Honored Contributor

‎08-31-2004 06:34 AM

‎08-31-2004 06:34 AM

Re: Password aging

Hi,

If you are setting the password for the id using the root account, it overrides the defaults. Have you tried setting the password using the account id itself.

Hope this helps.

regds
0 Kudos
Reply
Prashant Zanwar_4
Respected Contributor

‎08-31-2004 06:36 AM

‎08-31-2004 06:36 AM

Re: Password aging

I have done passwd -f test...After this I have tried logging in as user test, where I have provided required password. Here it asked for new password, I provided xy1964..which has went through..This should not happen. It should display the security warning.
Please advise
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Reply
Prashant Zanwar_4
Respected Contributor

‎08-31-2004 07:41 AM

‎08-31-2004 07:41 AM

Re: Password aging

Does anyone have recommendation on this?
Please advise.
Thanks
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Reply
Prashant Zanwar_4
Respected Contributor

‎08-31-2004 08:02 AM

‎08-31-2004 08:02 AM

Re: Password aging

Ok I go the supersaded patch which is installed instead. it is PHCO_22265. I just searched for ./show_patches | grep "libpam "

Does anyone know if this has known problems.
THanks a lot for all responses
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎08-31-2004 09:12 AM

‎08-31-2004 09:12 AM

Re: Password aging

The patch PHCO_22265 is *way* too old! It has been superceeded several times and did not have all the features implemented. You must use the latest PHCO_29249 to get the latest features. /etc/default/security has no validity test so if a particular feature such as PASSWORD_MIN_DIGIT_CHARS=1 has not been implemented, it is *silently* ignored. This is true of virtually all the options in the security file.

The best way to patch for security is not piecemeal, but to download and run the security_patch_check program: http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA, then bring all the patches up to date.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.