HPE Community
Operating System - HP-UX
1835403 Members
2658 Online
110078 Solutions
New Discussion

Re: Password history Depth

 
SOLVED
Go to solution
Nick D'Angelo
Super Advisor

‎03-29-2005 12:03 AM

‎03-29-2005 12:03 AM

Password history Depth

All,

HPUX 11i

I am trying to setup the Password_history_depth so that users will be prevented from re-using the previous 6 password.

I have added the file /etc/default/security and included the line: PASSWORD_HISTORY_DEPTH=6 in it and it is readable by everyone.

However, I have experimented on my test server with one user account and it did not remember the previous password, therefore I do not believe it is working as expected.

Did I miss something?

Thanks
Always learning
0 Kudos
Reply
13 REPLIES 13
Pete Randall
Outstanding Contributor

‎03-29-2005 12:08 AM

‎03-29-2005 12:08 AM

Re: Password history Depth

Nick,

According to the man page, this feature "is supported in trusted system for users in files repository only. This feature does not support the users in NIS or NISPLUS repositories."

Are you on a trusted, non-NIS system?


Pete

Pete
0 Kudos
Reply
Nick D'Angelo
Super Advisor

‎03-29-2005 12:09 AM

‎03-29-2005 12:09 AM

Re: Password history Depth

Thanks, NO NIS or NISplus is being used.
Always learning
0 Kudos
Reply
HGN
Honored Contributor

‎03-29-2005 12:39 AM

‎03-29-2005 12:39 AM

Re: Password history Depth

Hi

This feature works only in trusted mode, you can change the system a test system to trusted mode and see if that works out for you.

Rgds

HGN
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-29-2005 01:50 AM

‎03-29-2005 01:50 AM

Re: Password history Depth

The password history for each user is stored in /tcb/files/auth, so if you don't have this directory, your system is not Trusted and virtually none of the password controls mentioned in the security man page will work.


Bill Hassell, sysadmin
0 Kudos
Reply
Sunil Sharma_1
Honored Contributor

‎03-29-2005 01:51 AM

‎03-29-2005 01:51 AM

Re: Password history Depth

Hi,

Please see man page of security. It says " The pasword history depth configuration is on a system basis and is supported in tructed system for users in files repository only"

So this can be possible in trusted mode only and If you are using files then only. It does not support NIS

Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
0 Kudos
Reply
Nick D'Angelo
Super Advisor

‎03-29-2005 02:29 AM

‎03-29-2005 02:29 AM

Re: Password history Depth

Thank you all.

Bill H - question

What if I don't have a /tcb/files/auth etc directory? Can I just create one?
Always learning
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎03-29-2005 02:31 AM

‎03-29-2005 02:31 AM

Re: Password history Depth

You'll need to convert your system to trusted, either by going through SAM (recommended) or running tsconvert.


Pete

Pete
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-29-2005 02:40 AM

‎03-29-2005 02:40 AM

Re: Password history Depth

Nope. /tcb is the Trusted Computing Base directory and is meaningless without the Trusted conversion. Go into SAM and select Auditing and Security. You'll be asked to convert to Trusted. NOTE: is you use tsconvert (which is hidden in /usr/lbin) all the passwords will be expired immediately. SAM will enable all the logins. Note also that if anyone user on your system (including root) has a password more than 8 characters, during the conversion the password will be honored only when 8 characters are entered. If you enter more, it will be rejected. This is because your un-trusted system silently ignored the extra characters.

Once converted to Trusted (takes a minute or so), SAM will now have additional features including system-wide security policies including password history.


Bill Hassell, sysadmin
Reply
Nick D'Angelo
Super Advisor

‎03-29-2005 02:41 AM

‎03-29-2005 02:41 AM

Re: Password history Depth

Peter, thank you.

Will it require a reboot?
Always learning
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-29-2005 02:42 AM

‎03-29-2005 02:42 AM

Solution

Re: Password history Depth

Nope, no reboot necessary. Existing user sessions are untouched, new users can login with no visible differences except they will now see when they last logged in successfully and when they last failed to login successfully.


Bill Hassell, sysadmin
Reply
Nick D'Angelo
Super Advisor

‎03-29-2005 03:11 AM

‎03-29-2005 03:11 AM

Re: Password history Depth

Hmm, it errored with a -1 while trying to configure this on my test server using SAM.
This was the error:

he attempt to convert this system to a trusted system failed. The x x
x [x command return value was "-1" and the standard error output was: x x
x x Can't write protected database; x x
x [x password file unchanged.

??
Always learning
0 Kudos
Reply
Nick D'Angelo
Super Advisor

‎03-29-2005 03:16 AM

‎03-29-2005 03:16 AM

Re: Password history Depth

Sorry All, I was a little too quick to post my error.

I found a user account in /etc/password that had a # as its first character. Once I removed this, and re-ran Sam - it converted to a trusted host no problem.

THanks anyhow.
Always learning
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎03-29-2005 03:17 AM

‎03-29-2005 03:17 AM

Re: Password history Depth

Are you running short of space in your / file system? Run a bdf and check.


Pete

Pete
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.