Operating System - HP-UX

password security for a non trusted system.

 
Mark Harshman_1
Regular Advisor

password security for a non trusted system.

I'm running HP 11.11, and it is not a trusted system. I'm trying to figure out where the security defaults come from, such as minimum time between password changes, password duration, etc. I do not have a /etc/default/security file on this system. Your help is appreciated. Thanks.
Never underestimate the power of stupid people in large groups
RAC_1
Honored Contributor

Re: password security for a non trusted system.

Options that you have are limited, when the system is not in trusted mode.

man 4 security will give you details.

Anil
There is no substitute to HARDWORK
Jairo Campana
Trusted Contributor

Re: password security for a non trusted system.

With passwd you can apply security policy without running in trusted system mode:

passwd -r files [-d|-l] [-f] [-n min] [-w warn] [-x max] na

The change has an impact in /etc/default/security.

man passwd

example

Password History
The system administrator can enable the password history feature to
discourage users from reusing previously used passwords. To enable
the password history feature, the system administrator should create a
file (or open the file if it already exists) named security under
directory /etc/default and append to it one line content
PASSWORD_HISTORY_DEPTH=number. The line contains three keywords,
PASSWORD_HISTORY_DEPTH, =, and a decimal number which is the desired
depth for the password history check. If the number is 2, the user's
new password will be checked against two previously used passwords.
One is the current password, and the other one is the password used
before the current password. A configuration of password history
depth of 2 prevents users from alternating between two passwords. The
maximum password history depth supported is 10 and the minimum
password history depth supported is 1. A depth configuration of more
than 10 will be treated as 10, and a depth configuration of less than
1 will be treated as 1.

Example: on my system
# more /etc/default/security
PASSWORD_HISTORY_DEPTH=10


# more /etc/default/useradd
#default useradd options
HOMEDIR /home
GROUPID 20
INACT -1
EXPIRE



legionx
Mark Harshman_1
Regular Advisor

Re: password security for a non trusted system.

Thanks for the replies. But the issue I am seeing is that I have some sort of security in place, but do not have a /etc/default/security file. Where would it get this info? I tried changing a password for an ID twice in a row, and on the second attempt I got a msg that said it had been <27 weeks since my last password change. I'm basically trying to determine where this default security info comes from if there IS no security file in place. Thanks.
Never underestimate the power of stupid people in large groups
Darren Prior
Honored Contributor

Re: password security for a non trusted system.

Hi,

If you're not running a trusted system and there is no security file then there will be no defaults for minimum time between password changes, password duration, password ageing.

regards,

Darren.
Calm down. It's only ones and zeros...
Jeff Schussele
Honored Contributor

Re: password security for a non trusted system.

Hi,

Are you *sure* the system is not trusted?
What does
ll /tcb/files/auth/system
return - anything?
If it does your system is indeed trusted & that's coming from the default file in that dir.

If you are truly not trusted then it's possible you have a custom PAM (Pluggable Authentication Module) installed. Check the /usr/lib/security for new files.

Other possibilities would be 3rd party products like Control-SA or PowerBroker & such.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
generic_1
Respected Contributor

Re: password security for a non trusted system.

Another way to see if you are trusted is to run /usr/lbin/getprpw Username.

If your system is not trusted you will get an error back to that effect. Also if your system is trusted it will return all of the security settings for that user :).

Good luck
Sanjay_6
Honored Contributor
Solution

Re: password security for a non trusted system.

Hi,

Try this link,

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000067130219

The itrc doc id is KBAN00000715.

Hope this helps.

Regds
Bill Hassell
Honored Contributor

Re: password security for a non trusted system.

There are only 2 numbers associated with a non-trusted system: password expiration time and minimum time required before changing a password. Since there is no place to store password history, entries in /etc/default/security are silently ignored. Type the command: man security

For 11.00 and higher (with security patches) you can use:

NOLOGIN=1
MIN_PASSWORD_LENGTH=8
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=1

in the security file. If you run SAM and select Security/Auditing, you'll see no choices for security policies. You'll have to create the security file manually, owned by root, 644 permission. NOTE: the man page for security has been constantly changing with security patches. If you aren't up to date on patches, options mentioned on another system may not apply (and are silently ignored). Note also that unlike shell scripts, a # at the end of an option will cause the entire line to be ignored. Put all comments on separate lines.


Bill Hassell, sysadmin
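
The file rules from the reply above (root-owned, mode 644, comments on their own lines) and the history-depth limits from the man page text quoted earlier, as an added example that is not part of the original thread: a POSIX shell check to run against a copy of the security file. The function names and finding labels are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: lint a security file against the rules quoted in this thread.
# Usage: lint_security_file FILE [OWNER]; prints one finding per line.
lint_security_file() {
    file=$1
    owner=${2:-root}    # the thread says the file must be owned by root

    if [ ! -f "$file" ]; then echo "MISSING $file"; return 0; fi

    # ls -ld instead of stat(1), whose options differ between systems.
    set -- $(ls -ld "$file")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$mode" = "-rw-r--r--" ] || echo "MODE expected 644 (-rw-r--r--), found $mode"
    [ "$3" = "$owner" ] || echo "OWNER expected $owner, found $3"

    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }   # blank and comment-only lines
        /#/ {                               # trailing comment: line is ignored
            printf "INLINE_COMMENT line %d ignored: %s\n", NR, $0
            next
        }
        /^PASSWORD_HISTORY_DEPTH=/ {        # man page text: clamped to 1..10
            d = substr($0, index($0, "=") + 1) + 0
            if (d > 10) printf "HISTORY_DEPTH line %d: %d is treated as 10\n", NR, d
            if (d < 1)  printf "HISTORY_DEPTH line %d: %d is treated as 1\n", NR, d
        }
    ' "$file"
}

# Constructed sample input (not taken from any real system).
sample_security_file() {
    cat <<'EOF'
# comments belong on their own line
MIN_PASSWORD_LENGTH=8   # at least eight characters
PASSWORD_HISTORY_DEPTH=12
NOLOGIN=1
EOF
}

if [ $# -gt 0 ]; then lint_security_file "$@"; fi
```

On the constructed sample it reports the MIN_PASSWORD_LENGTH line as ignored because of its trailing comment, and the depth of 12 as treated as 10.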
Mark Harshman_1
Regular Advisor

Re: password security for a non trusted system.

thanks for all the info.
Never underestimate the power of stupid people in large groups