HPE Community
Operating System - HP-UX
1837970 Members
2832 Online
110124 Solutions
New Discussion

Password security for a non-trusted system

 
Skip Ford
Advisor

‎05-07-2004 04:32 AM

‎05-07-2004 04:32 AM

Password security for a non-trusted system

I have 11.11 running on a 785 workstation. I have successfully enabled:

1. Minimum password length (6-8 chars)
2. Password history depth
3. Mimimum number of upper case chars
4. Mimimum number of lower case chars
5. Minimum number of special chars
6. Minimum number of digits

There are other parameters you can use other security parameters using /etc/default/security

The parameters are:

1. MIN_PASSWORD_LENGTH=N
2. PASSWORD_HISTORY_DEPTH=N
3. PASSWORD_MIN_UPPER_CASE_CHARS=N
4. PASSWORD_MIN_LOWER_CASE_CHARS=N
5. PASSWORD_MIN_SPECIAL_CHARS=N
6. PASSWORD_MIN_DIGIT_CHARS=N

Here is a copy of my /etc/default/security file. Hope this helps.
0 Kudos
Reply
13 REPLIES 13
Geoff Wild
Honored Contributor

‎05-07-2004 05:10 AM

‎05-07-2004 05:10 AM

Re: Password security for a non-trusted system

Good information...

Also look at limiting su to root with:

SU_ROOT_GROUP and SU_ROOT_GROUP=group_name

See man security for more details...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
Skip Ford
Advisor

‎05-07-2004 06:53 AM

‎05-07-2004 06:53 AM

Re: Password security for a non-trusted system

Correction. PASSWORD_HISTORY_DEPTH only works on Trusted systems. The rest works on non-Trusted systems.

Sorry.
0 Kudos
Reply
generic_1
Respected Contributor

‎05-07-2004 07:03 AM

‎05-07-2004 07:03 AM

Re: Password security for a non-trusted system

IT is good to harden your system, but Trusted would be a better way to go.
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎05-07-2004 07:32 AM

‎05-07-2004 07:32 AM

Re: Password security for a non-trusted system

Hi Skip,

If you're not going trusted, then you should at least consider installing the Shadow Password product

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

so that a user can't grab a copy of /etc/passwd & run Crack or 'Ripper on it.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Skip Ford
Advisor

‎05-07-2004 08:18 AM

‎05-07-2004 08:18 AM

Re: Password security for a non-trusted system

I've installed the Shadowpassword product just today and it works great.

Thanks
0 Kudos
Reply
Dani Seely
Valued Contributor

‎05-07-2004 11:56 AM

‎05-07-2004 11:56 AM

Re: Password security for a non-trusted system

Skip,
Configuring your system in Trusted mode will provide you MUCH greater security and a lot less worries. Why not configure Trusted mode?

If you REALLY don't want to configure your system in Trusted mode, you can also install the HP-UX Boot Authenticator bundle (BOOTAUTH11i). You will need patch PHCO_28798 for 11.11.
Together We Stand!
0 Kudos
Reply
Skip Ford
Advisor

‎05-10-2004 12:52 AM

‎05-10-2004 12:52 AM

Re: Password security for a non-trusted system

I'm a contractor here and the powers-that-be don't seem to want to go to Trusted Mode. So I'm forced to find other means.

Thanks for the info.
0 Kudos
Reply
Linda Baranauskas_1
New Member

‎05-17-2004 11:22 PM

‎05-17-2004 11:22 PM

Re: Password security for a non-trusted system

I am new to the HP world. If you install the shadowpassword software does it create a file like the /etc/shadow that you see in UNIX?

0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

‎05-17-2004 11:33 PM

‎05-17-2004 11:33 PM

Re: Password security for a non-trusted system

Hi Linda,

Yes it does :-)

Take a look at the documentation

----

HP-UX Shadow Passwords
Increasing computational power available to password crackers has made the non-hidden passwords in the UNIX /etc/passwd file vulnerable to decryption. Shadow Passwords enhance system security by hiding user encrypted passwords in a shadow password file. Encrypted passwords previously stored in the publicly readable /etc/passwd file can be optionally moved to the /etc/shadow file, which is accessible only by a privileged user.

----

More info can be found on below link.

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Kind regards,
Robert-Jan
0 Kudos
Reply
Linda Baranauskas_1
New Member

‎05-18-2004 03:07 AM

‎05-18-2004 03:07 AM

Re: Password security for a non-trusted system

Robert-Jan,

Thanks for the reply. I am doing a security review on a system running HP-UX 10.20. Is the shadow file applicable to this version and is it possible that they may have placed it elsewhere, say in a tcb/auth somewhere?

Linda
0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

‎05-18-2004 03:13 AM

‎05-18-2004 03:13 AM

Re: Password security for a non-trusted system

Hi Linda,

No there is no shadow password file for 10.20 or 11.0 This product requires HP-UX 11.11.

Kind regards,
Robert-Jan
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎05-18-2004 05:43 AM

‎05-18-2004 05:43 AM

Re: Password security for a non-trusted system

Securing 10.20 is going to be very difficult as most modern tools such as Bastille, Shadow Password, the security policy file, etc, were never available for this obsolete opsystem. It will take a lot of time to harden 10.20, especially if you have applications that are not tolerant of typical security controls.


Bill Hassell, sysadmin
0 Kudos
Reply
Dani Seely
Valued Contributor

‎05-18-2004 03:43 PM

‎05-18-2004 03:43 PM

Re: Password security for a non-trusted system

Hello Skip,
I assume this is your first experience on the ITRC forum as you did not award points to the forumers for the answers you were provided. May I suggest that you take a look at the following link to learn about the points system in use here. Thanks.

http://forums1.itrc.hp.com/service/forums/helptips.do?#28

Please read the article, assess the assistance you were provided by the forumers, then reward them. Thanks!
Together We Stand!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.