Operating System - HP-UX

Security file on untrusted

Unix Support_2
New Member

Hi,

I would like to know how I can get, or which patch to install in order to get, the following functionality.

PASSWORD_HISTORY_DEPTH
PASSWORD_MIN_UPPER_CASE_CHARS
PASSWORD_MIN_LOWER_CASE_CHARS
PASSWORD_MIN_DIGIT_CHARS
PASSWORD_MIN_SPECIAL_CHARS

and deactivate the user account if login fails more than 5 times.


Thanks in advance
Steven E. Protter
Exalted Contributor

Re: Security file on untrusted

The attached script, which checks root, can give you the ability to track bad logins via the btmp file and disable the account based on finding 5 bad logins.

The part that disables the account is commented out on purpose because I don't want root disabled on this basis. My systems are trusted, so that part of the code is not relevant.

See attachment.

As far as these other items go, you can't even do all of them with a trusted system. You'll probably need to get a custom app to enforce those restrictions.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
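The btmp-based check described above, as an added example rather than the attached script: it counts failed logins per user from lastb(1)-style output (the format HP-UX prints from /var/adm/btmp, assumed here and embedded as a constructed sample so it runs offline), reports users at or above a threshold of 5, and, like the original, leaves the lock step commented out and never lists root.

```shell
#!/bin/sh
# Added example, not the attached script: count failed logins per user from
# lastb-style output and report accounts that reach the failure threshold.

# Constructed sample in the "user tty host date" layout assumed for lastb output.
SAMPLE_BTMP='root     pts/0   10.0.0.5     Mon Mar  3 08:01
jdoe     pts/1   10.0.0.7     Mon Mar  3 08:02
jdoe     pts/1   10.0.0.7     Mon Mar  3 08:02
jdoe     pts/1   10.0.0.7     Mon Mar  3 08:03
jdoe     pts/1   10.0.0.7     Mon Mar  3 08:03
jdoe     pts/1   10.0.0.7     Mon Mar  3 08:04
asmith   pts/2   10.0.0.9     Mon Mar  3 08:05
asmith   pts/2   10.0.0.9     Mon Mar  3 08:06'

THRESHOLD=${THRESHOLD:-5}

# count_failures: read lastb-style lines on stdin, print "user count" per user,
# sorted by user name. Blank or malformed lines (no first field) are skipped.
count_failures() {
    awk 'NF >= 1 { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# over_threshold: print users whose failure count is >= the limit given as $1
# (default THRESHOLD). root is counted but never listed, matching the original
# author's choice not to disable root on this basis.
over_threshold() {
    limit=${1:-$THRESHOLD}
    count_failures | awk -v lim="$limit" '$2 >= lim && $1 != "root" { print $1 }'
}

# report: one line per user over the limit; the lock action stays commented out
# so the script only detects. "passwd -l" is assumed to be the HP-UX lock command.
report() {
    over_threshold "$1" | while read -r user; do
        echo "$user has reached $1 failed logins"
        # /usr/bin/passwd -l "$user"   # deliberately disabled, as in the original
    done
}

# Demo on the constructed sample; on a live system feed real data instead:
#   lastb | over_threshold
printf '%s\n' "$SAMPLE_BTMP" | report "$THRESHOLD"
```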
Steven E. Protter
Exalted Contributor

Re: Security file on untrusted

I'm attaching a utility script that can implement some of your features. It is based on a Pete Randall post.

Take a look at the commented code.

SEP
Bill Hassell
Honored Contributor

Re: Security file on untrusted

For an untrusted system there is no password history, so you have to implement this feature with a special set of programs and scripts. The man page for security (man security) will give you the details, but this file and the usable items have been a moving target, and there are different patches for different features and operating system revisions. While there is just a simple file with the parameters and settings, there are several modules that must be patched to activate these parameters. For 11.11, almost all authentication goes through PAM, while at 11.0 there are other modules that are independent of PAM. For example: PASSWORD_HISTORY_DEPTH requires a patch (PHCO_26089) for 11.0, but is standard for 11.11.

However, there is no user deactivation in a non-trusted system as there is no location to count failures. There's no workaround for this other than trying to create some sort of replacement passwd program (not an easy task).


Bill Hassell, sysadmin