
Re: system default values on 11i

 
SOLVED
cokster
Occasional Contributor

system default values on 11i

What are the default settings on 11i (non-trusted mode) for
1. password aging
2. minimum password length
3. # of unsuccessful attempts before the acct. is locked
4. session timeout

If there are no default settings, how can I enforce these security policies? I can't convert to TCB or use pwconv due to the incompatibility with the NIS environment we are using here.
Pete Randall
Outstanding Contributor

Re: system default values on 11i

On a non-trusted system, your only options are defined in /etc/default/security. Do a man on security to give you an idea of the capabilities available.


Pete


Patrick Wallek
Honored Contributor
Solution

Re: system default values on 11i

1) None - Can be modified through SAM to set an expiration in weeks, I think.
2) Not sure - Options are available by using the /etc/default/security file. 'man security' for more info.
3) None - Can't do it in non-trusted mode.
4) Check the TMOUT environment variable. I don't think it is set by default. Set the TMOUT in /etc/profile or in the user's .profile.
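
As an added example (not part of any reply in this thread), a small POSIX shell check that reports whether the settings discussed above are actually configured in /etc/default/security and /etc/profile. The parameter names MIN_PASSWORD_LENGTH, PASSWORD_MAXDAYS and PASSWORD_MINDAYS are not named in the thread and are assumed here from the security(4) man page, so confirm them with `man security` on your release; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage: sh audit.sh /etc/default/security /etc/profile

# Print the value of KEY from a KEY=value file, ignoring '#' comments.
sec_value() {   # $1=file  $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -1
}

# Print the numeric TMOUT assigned in a profile file, if any.
tmout_value() { # $1=profile
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}TMOUT=\([0-9]*\).*/\2/p' "$1" | tail -1
}

# One line per policy from the question; returns 1 if anything is unset.
audit() {       # $1=security file  $2=profile
    rc=0
    for key in MIN_PASSWORD_LENGTH PASSWORD_MAXDAYS PASSWORD_MINDAYS; do
        v=$(sec_value "$1" "$key")
        if [ -n "$v" ]; then echo "OK   $key=$v"
        else echo "MISS $key not set in $1"; rc=1; fi
    done
    t=$(tmout_value "$2")
    if [ -n "$t" ] && [ "$t" -gt 0 ]; then echo "OK   TMOUT=$t"
    else echo "MISS TMOUT not set in $2"; rc=1; fi
    echo "N/A  lockout after failed logins (not available in non-trusted mode, per the reply above)"
    return $rc
}

# Constructed sample files for trying the check away from a real system.
write_samples() { # $1=existing directory
    cat > "$1/security" <<'EOF'
# constructed sample
# MIN_PASSWORD_LENGTH=6
MIN_PASSWORD_LENGTH=8
PASSWORD_MAXDAYS=90   # trailing comment
EOF
    cat > "$1/profile" <<'EOF'
TMOUT=900; export TMOUT
EOF
}

if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

A TMOUT set only in /etc/profile can be overridden in a user's own .profile, so run the same check against those files as well.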
Ken Hubnik_2
Honored Contributor

Re: system default values on 11i

I have never used it, but there is a pluggable module on HP-UX. Do a man on pam:

man pam

Not sure about using it with NIS
Steven E. Protter
Exalted Contributor

Re: system default values on 11i

You can use the script I'm attaching with modifications to set password aging with the passwd command.

HP-UX is a securable, not secure out of the box OS. It's up to us admins to lock it down.

The script is a utility script based on Pete Randall's work.

2. Six characters, one as a number, is what we have on our 11.00 system and I don't THINK we changed the default.

3. As noted, the TMOUT variable, which won't work while actually running an application; it will time out ssh/telnet sessions, though.

4. ??
Steven E Protter
Owner of ISN Corporation
cokster
Occasional Contributor

Re: system default values on 11i

Steven, does your script work with NIS?
Pete Randall
Outstanding Contributor

Re: system default values on 11i

From "man useradd":

This command is aware of NIS user and group entries. Only local users
and groups may be modified with this command. Attempts to modify an
NIS user or group will result in an error.

As for the script, my admittedly pitiful scripting skills can't figure out what it does!


Pete



Pete Randall
Outstanding Contributor

Re: system default values on 11i

I think the script has the pertinent line commented out:
# passwd -r file -n $MINDAYS -x $MAXDAYS $user

If you look at "man passwd", you'll see that there is a "passwd -r nis" option which at least implies that it should work with NIS.


Pete

