Operating System - HP-UX

Password History on Trusted Systems

William S Jastrow
New Member

The /etc/default/security file defines the "depth" of password history, however, where (or how) is this history maintained? Presumably, this is a file (binary or otherwise). There is a requirement to not only enforce a password depth but ensure that manually (yes, as in through a script >bypassing< "passwd") a previous password is not used.

Thanks for your help in advance.
A. Clay Stephenson
Acclaimed Contributor

Re: Password History on Trusted Systems

Hi,

All the passwd 'shadowed' data is maintained in /tcb/files/auth/*.

Clay
If it ain't broke, I can fix that.
A. Clay Stephenson
Acclaimed Contributor

Re: Password History on Trusted Systems

Hi again,

I suppose I should add that this database does not know what the old passwds were; it only saves the old passwd hashes. If a user attempts to use an old passwd, crypt() is called using the 'salt' from each old entry and if the new passwd hash matches any of the old passwd hashes, the passwd is rejected.

Clay
If it ain't broke, I can fix that.
William S Jastrow
New Member

Re: Password History on Trusted Systems

Clay,

Thank you for your prompt (immediate!!!) reply.

Let me elaborate further so that you might better understand the problem.

The password change (and reference to "crypt()") will occur on a central server for a series of trusted hosts; the central server itself is NOT a trusted host. For the sake of simplicity (11 lines of "C"; 100 lines of comments to accompany them), I am using a "static" salt.

I'm scanning the /tcb/files/auth/* directories but only see the "user" references. It is possible (but unlikely) that no password changes have taken place.

Perhaps I'm being dense?
James R. Ferguson
Acclaimed Contributor

Re: Password History on Trusted Systems

Hi William:

Knowledge Base (KB) document #KBRC00000915 provides some useful information, although you may already be aware of it:

/begin_quote/

Password history check of up to 10 passwords.
The system administrator can enable the password history feature to discourage users from reusing previously used passwords. To enable the password history feature, the system administrator should create a file (or open the file if it already exists) named /etc/default/security and append to it one line containing:

PASSWORD_HISTORY_DEPTH=number

The line contains three keywords: PASSWORD_HISTORY_DEPTH, =, and a decimal number which is the desired depth for the password history check. If the number is 2, the user's new password will be checked against two previously used passwords. One is the current password, and the other one is the password used before the current password. A configuration of password history depth of 2 prevents users from alternating between two passwords. The maximum password history depth supported is 10 and the minimum password history depth supported is 1. A depth configuration of more than 10 will be treated as 10, and a depth configuration of less than 1 will be treated as 1.
The password history depth configuration is on a system basis and is supported in trusted system for users in files repository only. This feature does not support the users in NIS or NISPLUS repositories. Once the feature is enabled, all the users on the system are subject to the same check. If the password history configuration file /etc/default/security does not exist, or if the file exists but the required line is missing, or if the line exists but any of the three required keywords is missing, the password history check feature is automatically disabled. When the feature is disabled, the password history check depth is set to 1 and a password change is subject to all of the other rules for a new password including a check with the current password.

/end_quote/

...and from KB document #8606141855

/begin_quote/

The PASSWORD_HISTORY_DEPTH feature does not work correctly when the initial user tcb u_pwd entry is equal to a asterisk (u_pwd=*). This is the initial produced when using /usr/sbin/useradd to create an account.

This is not a problem if SAM is used to create a user because an initial password is assigned and therefore u_pwd=... This problem is resolved in 11.00 patch PHCO_21833.

...To repair a corrupted password history database it is necessary to remove each file in /tcb/files/auth/system/pwhist which has a corrupted user entry, or to remove all files in that directory. This destroys the password history maintained in those files. It does not affect the current passwords.

/end_quote/

Does this help?

Regards!

...JRF...
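Clay's description of the check (re-hash the candidate with the salt taken from each stored entry and compare against that entry's hash, so no old plaintext is ever kept) and the PASSWORD_HISTORY_DEPTH rules James quoted from the KB, as an added example that is not from this thread or from HP-UX. It stands a salted SHA-256 in "salt$digest" form in for crypt(), and the history is constructed inline, so the hash format is an assumption and not the /tcb/files/auth/system/pwhist layout.

```python
import hashlib
import hmac
import re
import secrets

# Stand-in for crypt(): trusted HP-UX stores crypt() hashes whose salt is
# recoverable from the stored string. Salted SHA-256 in "salt$digest" form is
# an assumption here so the example runs anywhere; only the salt-reuse logic
# is what the thread describes.
def crypt_like(password: str, salt: str) -> str:
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def salt_of(stored: str) -> str:
    return stored.split("$", 1)[0]

def history_depth(security_text: str) -> int:
    """Depth per the KB rules: the line needs all three keywords
    (PASSWORD_HISTORY_DEPTH, =, decimal number) or the feature is disabled,
    which behaves as depth 1; otherwise the value is clamped to 1..10."""
    for line in security_text.splitlines():
        m = re.fullmatch(r"\s*PASSWORD_HISTORY_DEPTH\s*=\s*(\d+)\s*", line)
        if m:
            return max(1, min(10, int(m.group(1))))
    return 1

def password_reused(candidate: str, history: list, depth: int) -> bool:
    """history[0] is the current password's hash, then older ones. Each
    entry is checked by re-hashing the candidate with that entry's salt,
    the way the passwd check works: old plaintexts are never stored."""
    for stored in history[:depth]:
        if hmac.compare_digest(crypt_like(candidate, salt_of(stored)), stored):
            return True
    return False

def record_password(password: str, history: list) -> list:
    """Return a new history with the new hash in front, keeping at most the
    10 entries the KB says the depth can reach."""
    entry = crypt_like(password, secrets.token_hex(4))
    return [entry] + history[:9]

# Constructed sample: the plaintexts are known here only because we built
# the history ourselves; a real pwhist entry holds hashes only.
SAMPLE_HISTORY = []
for _pw in ("spring2003", "winter2002", "autumn2002"):
    SAMPLE_HISTORY = record_password(_pw, SAMPLE_HISTORY)
# SAMPLE_HISTORY[0] is now autumn2002, [1] winter2002, [2] spring2003

if __name__ == "__main__":
    depth = history_depth("PASSWORD_HISTORY_DEPTH=2\n")
    print(password_reused("winter2002", SAMPLE_HISTORY, depth))  # True
    print(password_reused("spring2003", SAMPLE_HISTORY, depth))  # False, beyond depth
```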
William S Jastrow
New Member

Re: Password History on Trusted Systems

James,

I always appreciate a complete answer and am willing to scan through anything I might already know looking for what I don't.

In this case, you provided me with the very detail I had missed: "/tcb/files/auth/system/pwhist/*" which contains the very "history" of passwords I was interested in.

Thanks very much.
James R. Ferguson
Acclaimed Contributor

Re: Password History on Trusted Systems

Hi (again) William:

...glad to have helped. I learned something along the way, too, so thank YOU.

...JRF...