Operating System - HP-UX
Mike Waibel
Advisor

SAM Password Administration

I want to automatically notify users to change their passwords periodically and force them to use a "strong" password (i.e. Gnomes05!). Is this possible with SAM, or is there another software package I can install to do this?
Pete Randall
Outstanding Contributor

Re: SAM Password Administration

Mike,

Take a look at "man security". Be aware, however, that many of the more advanced features of /etc/default/security require your system to be trusted.


Pete
DCE
Honored Contributor

Re: SAM Password Administration

As Pete stated, the features you are looking for are available in trusted mode. You can easily convert to trusted mode via SAM.
Mike Waibel
Advisor

Re: SAM Password Administration

Thanks!!
Mike Waibel
Advisor

Re: SAM Password Administration

What are the pitfalls of going to a trusted system? What problems might I encounter?
DCE
Honored Contributor

Re: SAM Password Administration

One common pitfall is the deactivation of the root account! The default failed login attempts is three, and for some reason or other, a sysadmin will lock the root account.

Two ways to reactivate the account:
If there is a root window open, run the command modprpw -k root to reactivate it
or
log in from the console as root

Another "issue" may be the status of little-used accounts. An account may be disabled from lack of use (a good thing from a security point of view, but bad from the user's point of view).

I have converted several systems to trusted, and have not encountered any other issues. There is an added bonus to going to trusted - it eliminates an audit point, if your system is ever audited for security.

Mike Waibel
Advisor

Re: SAM Password Administration

If I do have problems, can I just switch back? Does switching to and from a trusted system require any reboot or disruption?
DCE
Honored Contributor

Re: SAM Password Administration

Switching back is simple - I believe the command is tsconvert -r
DCE
Honored Contributor

Re: SAM Password Administration

I forgot to mention - no reboot required and no interruptions.
Mike Waibel
Advisor

Re: SAM Password Administration

/etc/default/security does not exist on my system. What's up??
DCE
Honored Contributor

Re: SAM Password Administration

Not sure why, but the following thread should prove helpful

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=833100
Mike Waibel
Advisor

Re: SAM Password Administration

Thanks for the tip, but I still don't know for sure when and how the /etc/default/security file is created.
Pete Randall
Outstanding Contributor

Re: SAM Password Administration

Mike,

The file does not exist by default and must be created manually. The man page will show you the format of the entries.


Pete
Mel Burslan
Honored Contributor

Re: SAM Password Administration

Did you convert your system to a trusted system yet? If yes and you do not have the file, just go ahead and create it with these lines in it:

ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
NOLOGIN=1
PASSWORD_HISTORY_DEPTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1

with permissions of 444. It is not a magical file.
________________________________
UNIX because I majored in cryptology...
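The settings above are exactly the composition rules the original question asked for (minimum length, at least one upper-case, lower-case, digit and special character). The script below is an added example, not HP-UX's own password checker: it reads those keys from an /etc/default/security-style file (a constructed copy written to a temp file) and tests a candidate password against them, so an admin can see ahead of time which passwords the trusted-system policy will reject. It assumes an absent key means no constraint (0) and that a "special" character is anything that is not a letter or digit.

```shell
#!/bin/sh
# Added example (not HP-UX code): check a candidate password against the
# MIN_PASSWORD_LENGTH and PASSWORD_MIN_* settings of an
# /etc/default/security-style file.
# Assumptions: an absent key counts as 0 (no constraint); a "special"
# character is any character that is not a letter or digit.

# Constructed sample policy with the same keys as the thread, in a temp file.
POLICY_FILE=$(mktemp)
trap 'rm -f "$POLICY_FILE"' EXIT
cat > "$POLICY_FILE" <<'EOF'
# comment lines and blank lines are ignored by get_setting
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
EOF

# get_setting KEY FILE -> numeric value of KEY=value (last one wins), 0 if absent
get_setting() {
    v=$(sed -n "s/^[[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1)
    echo "${v:-0}"
}

# count_kept PASSWORD SET -> how many characters of PASSWORD fall in tr set SET
count_kept() {
    printf '%s' "$1" | tr -dc "$2" | wc -c | tr -d ' '
}

# count_special PASSWORD -> how many characters are neither letters nor digits
count_special() {
    printf '%s' "$1" | tr -d 'A-Za-z0-9' | wc -c | tr -d ' '
}

# check_password PASSWORD FILE -> exit status 0 if every rule is met, 1 otherwise
check_password() {
    pw=$1; f=$2
    [ "${#pw}" -ge "$(get_setting MIN_PASSWORD_LENGTH "$f")" ] || return 1
    [ "$(count_kept "$pw" 'A-Z')" -ge "$(get_setting PASSWORD_MIN_UPPER_CASE_CHARS "$f")" ] || return 1
    [ "$(count_kept "$pw" 'a-z')" -ge "$(get_setting PASSWORD_MIN_LOWER_CASE_CHARS "$f")" ] || return 1
    [ "$(count_kept "$pw" '0-9')" -ge "$(get_setting PASSWORD_MIN_DIGIT_CHARS "$f")" ] || return 1
    [ "$(count_special "$pw")" -ge "$(get_setting PASSWORD_MIN_SPECIAL_CHARS "$f")" ] || return 1
    return 0
}

# Usage: the thread's own example passes; an all-lower-case one is rejected.
check_password 'Gnomes05!' "$POLICY_FILE" && echo "Gnomes05!: meets policy"
check_password 'gnomes05' "$POLICY_FILE" || echo "gnomes05: rejected"
```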
Mike Waibel
Advisor

Re: SAM Password Administration

Does SAM write to this file once I have changed to a trusted system and created the file?
Mel Burslan
Honored Contributor

Re: SAM Password Administration

I never modified this file by sam, but I am sure one or more of these parameters in the file are modifiable by sam, in which case it may write to it. But again, this is an assumption. I create this file upon completion of a trusted system conversion while I am building a new system. And usually it stays the same for the life of the system unless we get a new request from the security team to deploy/change a setting, in which case modification of the file and pushing it out to the other servers from a central location is how I do it.
DCE
Honored Contributor

Re: SAM Password Administration

Looks like you might need a patch - PHCO_33215.
It might not hurt to have PHCO_27694 and PHCO_27781 as well.
generic_1
Respected Contributor

Re: SAM Password Administration

It would not be a bad idea to do a make_tape_recovery before doing all this :).
Also do a /usr/lbin/getprpw account on your accounts and make sure no one, especially root, is locked out, at least if they are not supposed to be. If it's all 0s on the lockout=000000 you are good. 1s mean it's locked.
/usr/lbin/modprpw -k will unlock the account.
/usr/lbin/modprpw -v will reset the time to expire for an account. Make sure your time to expire accounts is set to what you want. getprpw will show you a lot of information about your accounts that you may want to know as an admin. Trusted is the way to go not only because it offers more features, but because it is more secure too.

Good Luck.
Mike Waibel
Advisor

Re: SAM Password Administration

I am a bit confused. Does SAM allow me to assign different password security options on a per user basis on a trusted system?

And what about the /etc/default/security file?
Does this apply to all users or does SAM override this? Does this file exist for each user?
DCE
Honored Contributor

Re: SAM Password Administration

I am a bit confused. Does SAM allow me to assign different password security options on a per user basis on a trusted system?

Yes

And what about the /etc/default/security file?
Does this apply to all users or does SAM override this? Does this file exist for each user?

The system file that contains default security settings is for all users - settings that are customized are stored in the TCB and override the defaults in /etc/default/security.
Mike Waibel
Advisor

Re: SAM Password Administration

Thanks, that helps clear the air.