
Password Strengthening 2

Fabrizio Tedone
Occasional Contributor

Password Strengthening 2

Hello,
following the suggestions I've found in the Password Strengthening thread, I'm trying to implement some password checks, specifically minimum password length and history depth.
I know there is a way to implement this using the /etc/default/security file, but when I do 'man security' on my system (HP-UX 11), I get no manual entry for security. What am I doing wrong? Thanks
Ken Penland_1
Trusted Contributor
Solution

Re: Password Strengthening 2

As an example, our security file looks like this:

MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=3
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

I found this to also assist you:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/5187-2783/5187-2783_top.html&con=/hpux/onlinedocs/5187-2783/00/01/127-con.html&toc=/hpux/onlinedocs/5187-2783/00/01/127-toc.html&searchterms=security&queryid=20040517-105549
Pete Randall
Outstanding Contributor

Re: Password Strengthening 2

Go here:

http://docs.hp.com/hpux/onlinedocs/B2355-90696/B2355-90696.html

Then click on "volume 8", which will give you "Section 4 - File Formats". Under the "s" section, you will find the man page for "security".


Pete
Bill Hassell
Honored Contributor

Re: Password Strengthening 2

The section 4 man page for security is missing in 11.0 and various security patches will implement new keywords in /etc/default/security. The docs.hp.com man page is up to date and most features listed will work on 11.0.

However: you need to be up to date on security patches. You need to test each parameter setting to see if it works because there is no error log for misspelled or unimplemented keywords. Comments must start with # in column 1. Trailing # characters will cause the entire line to be ignored. Here's a sample security file with lots of comments:

# Security file: /etc/default/security
# man security

# Features depend on HP-UX rev and patches. Not all features are
# available on older systems.
#
# Comments (#) allowed only on separate line,
# no trailing # following a parameter or it
# will invalidate the setting

# Access controls (11.0 and higher)
#################

NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=0

# Single user mode authorization (11i and non-trusted only)
###########################################################

# Requires root password to get into single user mode
# BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted
###################

MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_UPPER_CASE_CHARS=0
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=0

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

# PASSWORD_MAXDAYS=120
# PASSWORD_MINDAYS=7
# PASSWORD_WARNDAYS=7

# Session controls
##################

SU_ROOT_GROUP=suroot
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
UMASK=022
# SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD


Bill Hassell, sysadmin
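
Because misspelled keywords and trailing # characters fail silently, a pre-deployment check of the file is useful. The following lint is an added example, not part of the original post; the function names and the keyword list (taken only from the keywords shown in this thread) are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. KNOWN lists only keywords that appear
# in this thread; extend it from the security(4) page for your release.
KNOWN="NOLOGIN NUMBER_OF_LOGINS_ALLOWED ABORT_LOGIN_ON_MISSING_HOMEDIR \
BOOT_AUTH BOOT_USERS MIN_PASSWORD_LENGTH PASSWORD_HISTORY_DEPTH \
PASSWORD_MIN_UPPER_CASE_CHARS PASSWORD_MIN_LOWER_CASE_CHARS \
PASSWORD_MIN_DIGIT_CHARS PASSWORD_MIN_SPECIAL_CHARS PASSWORD_MAXDAYS \
PASSWORD_MINDAYS PASSWORD_WARNDAYS SU_ROOT_GROUP SU_DEFAULT_PATH UMASK \
SU_KEEP_ENV_VARS"

# Reads the file named in $1 (stdin if omitted), prints "line: finding",
# and returns 1 if anything was flagged.
lint_security() {
    awk -v known="$KNOWN" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /^#/ || /^[ \t]*$/ { next }   # column-1 comment or blank line: fine
    /^[ \t]+#/   { print NR ": comment does not start in column 1"; bad = 1; next }
    /#/          { print NR ": trailing # after a setting"; bad = 1; next }
    !/^[A-Z_]+=/ { print NR ": not in KEYWORD=value form"; bad = 1; next }
    { key = $0; sub(/=.*/, "", key)
      if (!(key in ok)) { print NR ": unknown keyword " key; bad = 1 } }
    END { exit bad + 0 }' "${1:--}"
}

# Constructed sample with one of each mistake (not a real system file).
sample_security() {
    cat <<'EOF'
# Password controls
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=3   # keep three
  # indented comment
PASSWORD_MIN_DIGITS_CHARS=1
UMASK 022
EOF
}

sample_security | lint_security || true
```

A keyword that passes the lint can still be unimplemented on a given patch level, so each setting still needs the functional test described above.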
Fabrizio Tedone
Occasional Contributor

Re: Password Strengthening 2

Thanks Bill (and thanks Pete and Ken too).
So my understanding is that the security file works in either a non-trusted or a trusted system; am I right? I just need to create the file and switch to a trusted system to implement the checks I need, right? Finally, from your example file I see that I can also implement a basic alphanumeric check on the password, using PASSWORD_MIN_DIGIT_CHARS: if this keyword is missing, are only letters allowed in the password? Thanks again!
Pete Randall
Outstanding Contributor

Re: Password Strengthening 2

Fabrizio,

Yes, all your understandings are correct.


Pete
Bill Hassell
Honored Contributor

Re: Password Strengthening 2

/etc/default/security is recognized in an untrusted system but VERY FEW options will work. For untrusted, no password history, password length max is 8, no limit on number of logins, and so on. There is no /tcb database structure for these elements.


Bill Hassell, sysadmin
Fabrizio Tedone
Occasional Contributor

Re: Password Strengthening 2

But in trusted systems, is it possible to define NUMBER_OF_LOGINS_ALLOWED with different values depending on the user?
Thanks!
Bill Hassell
Honored Contributor

Re: Password Strengthening 2

The /etc/default/security file is a global settings file. Any limit in that file applies to all users. You'll see in the man page for security that there are no options for individual user logins except BOOT_USERS and implicit user logins for the SU_ROOT_GROUP. The man pages for modprpw and prpwd will detail what can be specified for a specific user.

In a Trusted system, you do have the ability to limit when a specific user can login but not how many times. To control user logins (not ftp or 'r' commands like remsh) you can call the attached script in /etc/profile (and rewrite for /etc/csh.login if you have csh users). This code assumes that you have created a file called /etc/login.limit which has 1 user login per line followed by the number of logins allowed. If the number is missing, the value is unlimited and root is not restricted.



Bill Hassell, sysadmin
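
The attached script is not reproduced on this page. The following is an added example of the check described above, not Bill's script: the function name, reading `who` output on stdin, treating unlisted users as unlimited, and allowing logins when the limit file is unreadable are all assumptions.

```sh
#!/bin/sh
# Added example, not the script attached to the original post.
# login_allowed USER LIMITFILE  (reads `who` output on stdin)
# Returns 0 if USER may keep this session, 1 if over the limit.
# Assumption: when run from /etc/profile the new session is already
# listed by `who`, so the count includes it.
login_allowed() {
    user=$1 limits=$2
    [ "$user" = root ] && return 0        # root is never restricted
    [ -r "$limits" ] || return 0          # assumption: no file, no limit
    max=$(awk -v u="$user" '$1 == u { print $2; exit }' "$limits")
    case $max in
        ''|*[!0-9]*) return 0 ;;          # missing number (or unlisted): unlimited
    esac
    cur=$(awk -v u="$user" '$1 == u { n++ } END { print n + 0 }')
    [ "$cur" -le "$max" ]
}

# Constructed demo data (not from a real system).
demo_who() {
    printf '%s\n' 'bill pts/0 May 17 10:01' \
                  'bill pts/1 May 17 10:05' \
                  'jane pts/2 May 17 10:07'
}
demo_limits=${TMPDIR:-/tmp}/login.limit.$$
printf 'jane 2\njoe\nbill 1\n' > "$demo_limits"
for u in bill jane joe root; do
    if demo_who | login_allowed "$u" "$demo_limits"; then
        echo "$u: allowed"
    else
        echo "$u: refused"
    fi
done
rm -f "$demo_limits"

# Sketch of the call in /etc/profile:
#   who | login_allowed "$LOGNAME" /etc/login.limit || { echo "Login limit reached"; exit 1; }
```

Keep /etc/login.limit owned by root and not writable by other users, since anyone who can edit it can raise their own limit.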