Skip Ford
Advisor

Password security for a non-trusted system

I have 11.11 running on a 785 workstation. I have successfully enabled:

1. Minimum password length (6-8 chars)
2. Password history depth
3. Minimum number of upper case chars
4. Minimum number of lower case chars
5. Minimum number of special chars
6. Minimum number of digits

There are other security parameters you can use via /etc/default/security.

The parameters are:

1. MIN_PASSWORD_LENGTH=N
2. PASSWORD_HISTORY_DEPTH=N
3. PASSWORD_MIN_UPPER_CASE_CHARS=N
4. PASSWORD_MIN_LOWER_CASE_CHARS=N
5. PASSWORD_MIN_SPECIAL_CHARS=N
6. PASSWORD_MIN_DIGIT_CHARS=N

Here is a copy of my /etc/default/security file. Hope this helps.
Geoff Wild
Honored Contributor

Re: Password security for a non-trusted system

Good information...

Also look at limiting su to root with:

SU_ROOT_GROUP and SU_ROOT_GROUP=group_name

See man security for more details...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Skip Ford
Advisor

Re: Password security for a non-trusted system

Correction. PASSWORD_HISTORY_DEPTH only works on Trusted systems. The rest works on non-Trusted systems.

Sorry.
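
An audit of these settings, as an added example that is not part of any post in this thread: the script reads a copy of /etc/default/security, reports which of the parameters named above are set, and flags PASSWORD_HISTORY_DEPTH when the host is not Trusted, following the correction above. The function names and sample file are constructed, and whether the host is Trusted is passed in by the caller as an assumption.

```shell
#!/bin/sh
# Added example. Parameter names come from the thread; the sample file is constructed.
PARAMS="MIN_PASSWORD_LENGTH PASSWORD_HISTORY_DEPTH PASSWORD_MIN_UPPER_CASE_CHARS
PASSWORD_MIN_LOWER_CASE_CHARS PASSWORD_MIN_SPECIAL_CHARS PASSWORD_MIN_DIGIT_CHARS
SU_ROOT_GROUP"

# get_param FILE NAME: print the value of the last uncommented NAME=value line.
get_param() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1); gsub(/[ \t\r]/, "", v); found = 1 }
        END { if (found) print v }' "$1"
}

# audit_security FILE TRUSTED(yes|no): one status line per parameter.
audit_security() {
    file=$1 trusted=$2
    for p in $PARAMS; do
        v=$(get_param "$file" "$p")
        if [ -z "$v" ]; then
            echo "$p UNSET"
        elif [ "$p" = PASSWORD_HISTORY_DEPTH ] && [ "$trusted" != yes ]; then
            # Per the poster's correction: only honoured on Trusted systems.
            echo "$p=$v IGNORED (Trusted systems only)"
        else
            echo "$p=$v SET"
        fi
    done
}

# make_sample: write a constructed security file and print its path.
make_sample() {
    f=${TMPDIR:-/tmp}/security.sample.$$
    cat > "$f" <<'EOF'
# constructed sample, not the poster's file
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=5
PASSWORD_MIN_UPPER_CASE_CHARS=1
#PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
EOF
    echo "$f"
}

sample=$(make_sample)
audit_security "$sample" no
rm -f "$sample"
```
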
generic_1
Respected Contributor

Re: Password security for a non-trusted system

It is good to harden your system, but Trusted would be a better way to go.
Jeff Schussele
Honored Contributor

Re: Password security for a non-trusted system

Hi Skip,

If you're not going trusted, then you should at least consider installing the Shadow Password product

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

so that a user can't grab a copy of /etc/passwd & run Crack or 'Ripper on it.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Skip Ford
Advisor

Re: Password security for a non-trusted system

I've installed the Shadowpassword product just today and it works great.

Thanks
Dani Seely
Valued Contributor

Re: Password security for a non-trusted system

Skip,
Configuring your system in Trusted mode will provide you MUCH greater security and a lot less worries. Why not configure Trusted mode?

If you REALLY don't want to configure your system in Trusted mode, you can also install the HP-UX Boot Authenticator bundle (BOOTAUTH11i). You will need patch PHCO_28798 for 11.11.
Together We Stand!
Skip Ford
Advisor

Re: Password security for a non-trusted system

I'm a contractor here and the powers-that-be don't seem to want to go to Trusted Mode. So I'm forced to find other means.

Thanks for the info.
Linda Baranauskas_1
New Member

Re: Password security for a non-trusted system

I am new to the HP world. If you install the shadowpassword software does it create a file like the /etc/shadow that you see in UNIX?

Robert-Jan Goossens
Honored Contributor

Re: Password security for a non-trusted system

Hi Linda,

Yes it does :-)

Take a look at the documentation

----

HP-UX Shadow Passwords
Increasing computational power available to password crackers has made the non-hidden passwords in the UNIX /etc/passwd file vulnerable to decryption. Shadow Passwords enhance system security by hiding user encrypted passwords in a shadow password file. Encrypted passwords previously stored in the publicly readable /etc/passwd file can be optionally moved to the /etc/shadow file, which is accessible only by a privileged user.

----

More info can be found at the link below.

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Kind regards,
Robert-Jan
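
A check a reviewer can run against a copy of /etc/passwd to see which accounts still carry a password hash in the world-readable file, as an added example that is not part of any post in this thread. The function names and sample entries are constructed; treating `x` as "moved to /etc/shadow" and `*` as "locked or held elsewhere (for example after a Trusted-mode conversion)" are assumptions from common UNIX and HP-UX convention, not statements from the thread.

```shell
#!/bin/sh
# Added example. Sample entries and the hash string are constructed placeholders.

# classify_passwd FILE: print "user STATE" for every account line.
classify_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                              # skip comments and blanks
        NF < 7         { print $1, "MALFORMED"; next }
        $2 == ""       { print $1, "EMPTY_PASSWORD"; next }  # no password at all
        $2 == "x"      { print $1, "SHADOWED"; next }        # assumed: hash in /etc/shadow
        $2 ~ /^[*!]/   { print $1, "LOCKED_OR_ELSEWHERE"; next }
        { print $1, "HASH_IN_PASSWD" }' "$1"                 # readable by every user
}

# exposed_accounts FILE: space-separated accounts needing attention.
exposed_accounts() {
    classify_passwd "$1" | awk '
        $2 == "HASH_IN_PASSWD" || $2 == "EMPTY_PASSWORD" {
            printf "%s%s", sep, $1; sep = " "
        }
        END { if (sep) print "" }'
}

# make_passwd_sample: write a constructed passwd file and print its path.
make_passwd_sample() {
    f=${TMPDIR:-/tmp}/passwd.sample.$$
    cat > "$f" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
appuser:aaBBccDDeeFFg:101:20::/home/appuser:/usr/bin/sh
guest::102:20::/home/guest:/usr/bin/sh
EOF
    echo "$f"
}

sample=$(make_passwd_sample)
classify_passwd "$sample"
echo "needs attention: $(exposed_accounts "$sample")"
rm -f "$sample"
```
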
Linda Baranauskas_1
New Member

Re: Password security for a non-trusted system

Robert-Jan,

Thanks for the reply. I am doing a security review on a system running HP-UX 10.20. Is the shadow file applicable to this version and is it possible that they may have placed it elsewhere, say in a tcb/auth somewhere?

Linda
Robert-Jan Goossens
Honored Contributor

Re: Password security for a non-trusted system

Hi Linda,

No, there is no shadow password file for 10.20 or 11.0. This product requires HP-UX 11.11.

Kind regards,
Robert-Jan
Bill Hassell
Honored Contributor

Re: Password security for a non-trusted system

Securing 10.20 is going to be very difficult as most modern tools such as Bastille, Shadow Password, the security policy file, etc, were never available for this obsolete opsystem. It will take a lot of time to harden 10.20, especially if you have applications that are not tolerant of typical security controls.


Bill Hassell, sysadmin
Dani Seely
Valued Contributor

Re: Password security for a non-trusted system

Hello Skip,
I assume this is your first experience on the ITRC forum as you did not award points to the forumers for the answers you were provided. May I suggest that you take a look at the following link to learn about the points system in use here. Thanks.

http://forums1.itrc.hp.com/service/forums/helptips.do?#28

Please read the article, assess the assistance you were provided by the forumers, then reward them. Thanks!
Together We Stand!