
Re: passwords

 
Oliver Schmitz
Regular Advisor

passwords

Dear all,

What is the maximum length of passwords on HP-UX 11.i systems? I took the default settings in this area; what are they exactly?

Does anybody have some hints for me on what is checked on passwords, and how to increase security with additional checks on the users' passwords?

Regards,

Oliver
Oliver Schmitz
9 REPLIES
Pete Randall
Outstanding Contributor
Solution

Re: passwords

Though I believe you can exceed it, 8 characters is the practical limit for passwords. For security checks, have a look at "man security". To utilize all of the options available, you would have to convert to a trusted system, but many of them can be implemented on a conventional system as well.


Pete

Anthony Lennan
Valued Contributor

Re: passwords

Hi Oliver,

I'm not sure about the maximum length passwd allowable but on an untrusted system only the first 8 characters are actually relevant (according to the man page for passwd).

To increase passwd checking security you can get an HP software product called Password Plus (PWP). I would also recommend upgrading to a trusted system if user security is a real issue.

Rgds,
Anthony

From the passwd man page:
Password Construction Requirements
Passwords must be constructed to meet the following requirements:

+ On an untrusted system, only the first eight characters of a
password are significant.

+ On an untrusted system, passwords of non-root users must have at
least six characters. On a trusted system, passwords of all
users must have at least six characters. This restriction on the
password length can be increased to a value larger than six.
Refer to the security(4) manual page for detailed information on
configurable parameters that affect the behavior of this command.
The parameter to select the minimum password length is

MIN_PASSWORD_LENGTH

+ Characters must be from the 7-bit US-ASCII character set; letters
from the English alphabet.

+ A password must contain at least two letters and at least one
numeric or special character.

+ A password must differ from the user's login name and any reverse
or circular shift of that login name. For comparison purposes,
an uppercase letter and its corresponding lowercase equivalent
are treated as identical.

+ A new password must differ from the old one by at least three
characters (one character for non super user if changed by the
super user in a trusted system).
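
The construction rules quoted from the passwd man page above, written out as a checker. This is an added example, not part of the thread and not HP's code; the function names and the way the three-character difference is counted are assumptions.

```python
import string

SIGNIFICANT = 8  # untrusted system: only the first eight characters count
MIN_LENGTH = 6   # default minimum; MIN_PASSWORD_LENGTH in security(4) can raise it


def effective(password):
    """The part of a password an untrusted system actually compares."""
    return password[:SIGNIFICANT]


def same_on_untrusted(a, b):
    """True when two passwords are indistinguishable after truncation."""
    return effective(a) == effective(b)


def rotations(name):
    """Every circular shift of name, including name itself."""
    return {name[i:] + name[:i] for i in range(len(name))}


def differing_chars(old, new):
    """Assumed metric: positions that differ, plus the length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(login, new, old=None, min_length=MIN_LENGTH):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if any(ord(c) > 127 for c in new):
        problems.append("not 7-bit US-ASCII")
    letters = sum(c in string.ascii_letters for c in new)
    others = sum(ord(c) < 128 and c not in string.ascii_letters for c in new)
    if letters < 2 or others < 1:
        problems.append("needs two letters and one numeric or special character")
    # Case is ignored when comparing against the login name.
    name = login.lower()
    if new.lower() in rotations(name) | rotations(name[::-1]):
        problems.append("login name, its reverse, or a circular shift")
    if old is not None and differing_chars(old, new) < 3:
        problems.append("differs from old password by fewer than three characters")
    return problems
```

`same_on_untrusted` shows why the eight-character limit matters for policy: a change that only touches characters after the eighth passes the difference rule on the full string but leaves the significant part unchanged.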
Peter Godron
Honored Contributor

Re: passwords

Oliver,
the thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=583735
(even has attached script)
may be very useful to your situation.
Regards
Oliver Schmitz
Regular Advisor

Re: passwords

Dear Pete,

Thanks a lot for this advice with the man security. As always, the next question arises suddenly: I tried to find the /etc/defaults/security to change some settings, but unfortunately it is not there. In this directory only useradd, fs, and tz are located.
Is there anything to do to create it?

How to convert a system into a trusted system?

So as not to bother you all the whole afternoon with my very basic questions: is there a white paper on the security aspects of HP-UX 11?

Thanks again,

Oliver
Oliver Schmitz
Anthony Lennan
Valued Contributor

Re: passwords

Pete Randall
Outstanding Contributor

Re: passwords

First, do a man on security. Then, if you don't have a file /etc/default/security, simply create one. The format is given in the man page.


Pete

Lisa Callison
Occasional Advisor

Re: passwords

Trusting is quick, but I would suggest trying it on a test system first. Some applications (e.g. Informix) aren't happy with running this command while up, so I would shut down applications first and then run /etc/tsconvert to trust the system. This will create the /tcb/files/auth directory, with a directory for each letter of the alphabet, which holds encrypted passwords for each user. It updates the /etc/passwd file to just show a '*' in the password field. To convert back to an untrusted system, simply run /etc/tsconvert -r; it will remove the /tcb directory and put the passwords back in the /etc/passwd file.

Trusting provides more security, details of which are in the white paper (earlier response).
Oliver Schmitz
Regular Advisor

Re: passwords

Dear all,

Thank you very much indeed for this quick course in basic security. If I had (as it was) no /etc/default/security file and I created one as described in one of the replies, how can I make my system use these settings?
Do I have to reboot?

Regs,

Oliver
Oliver Schmitz
Pete Randall
Outstanding Contributor

Re: passwords

It's probably safer (and the recommended way) to convert to trusted by using SAM. SAM automatically handles password expiration so you don't have problems logging in after the conversion.


Pete
