Operating System - HP-UX

Re: System wide password Format on Trusted System 11.11?

 
rmueller58
Valued Contributor

System wide password Format on Trusted System 11.11?

We are looking at ways to improve password policies.

I see parameters in:
/tcb/files/auth/system/
default:

I want to know is there a way to define parameters, to set password format
and minimum length?

We would like to set a minimum password length and force the use of an alpha/numeric/character mix.


Can someone explain or suggest ways to enforce "minimum length" and "format requirements" (such as alpha/numeric/characters)?

I see in SAM you can make the system
GENERATE
- Pronounceable
- Character
- Letters Only
- User Specifies

Do you procedurally use "User Specifies" and ask the user to use a mix? Or is there a way, when the user resets their password, to require that they meet a minimum format requirement?

And a minimum length?

Replies, links, ideas all appreciated.


Mel Burslan
Honored Contributor
Solution

Re: System wide password Format on Trusted System 11.11?

Did you check the /etc/default/security file yet?

Here is how mine looks:

[root@nomad:/root]
# ll /etc/default/security
-r--r--r-- 1 bin bin 2538 Oct 31 2007 /etc/default/security
[root@nomad:/root]
# grep -v ^# /etc/default/security | grep -v ^$
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MAXDAYS=91
PASSWORD_MINDAYS=1
PASSWORD_WARNDAYS=7
SU_ROOT_GROUP=sysadm

________________________________
UNIX because I majored in cryptology...
rmueller58
Valued Contributor

Re: System wide password Format on Trusted System 11.11?

Mel,

This is a trusted 11.11 system. I do not have the /etc/default/security file.
Hakki Aydin Ucar
Honored Contributor

Re: System wide password Format on Trusted System 11.11?

Did you check:

/tcb/files/auth/system/default

BTW, the file in question, /etc/default/security, does not exist by default. But if we create it, we can use a variable called

PASSWORD_HISTORY_DEPTH=3

In this case, a new password is checked against the last three passwords. If the new password is the same as a previous password, the user must choose a different one. Password histories are stored in files under the directory /tcb/files/auth/system/pwhist:
James R. Ferguson
Acclaimed Contributor

Re: System wide password Format on Trusted System 11.11?

Hi:

You might want to consider that Trusted Systems are deprecated with 11.31 and will not be supported in successive releases.

As Mel pointed out, the '/etc/default/security' file (and shadow passwords) are part of the basis for future security enhancements in HP-UX. You might want to consider beginning this transition.

For 11.11 the Shadow Password product can be obtained here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Regards!

...JRF...
rmueller58
Valued Contributor

Re: System wide password Format on Trusted System 11.11?

So, will the /etc/default/security work on the trusted system?

(per JRF) it would require we install the "Shadow Password Depot"?

Does this Depot overlay the tcb/trusted system or do we need to unconvert the trusts?

Pete Randall
Outstanding Contributor

Re: System wide password Format on Trusted System 11.11?

Yes, it will work on trusted systems. If you don't have one, just create it. You can use Mel's as a template.


Pete

Pete Randall
Outstanding Contributor

Re: System wide password Format on Trusted System 11.11?

Oh - and the security man page will guide you on the rest of the parameters.


Pete

rmueller58
Valued Contributor

Re: System wide password Format on Trusted System 11.11?

Thanks Pete..

I will take a look at both.

rmueller58
Valued Contributor

Re: System wide password Format on Trusted System 11.11?

Thanks All. As usual.. Many thanks.. Wish I could contribute as much as I get back from you all.

rmueller58
Valued Contributor

Re: System wide password Format on Trusted System 11.11?

Do changes made to /etc/default/security take precedence over user TCB files, or is this file subservient to tcb security?


Bill Hassell
Honored Contributor

Re: System wide password Format on Trusted System 11.11?

/etc/default/security and the /tcb entries are 'merged' together. It is quite painful to try to figure all this out by inspection. Start by creating a complete /etc/default/security file. I have attached a sample here. NOTE: if you do not keep up on patches, some of the items will be ignored. Note also (as the comments state in the file), the "#" character cannot be used on the same line as a desired setting. The code blindly skips any line with # in it.

I have attached a sample security file. In my next post, I have attached a security definition script that will summarize all the settings in your current system.

Note that while Trusted is deprecated for the future, the replacement choices are not as capable. Unless you plan on moving to the next version past 11.31 (not out yet), I would stay with Trusted. Adding Shadow Passwords will be fairly confusing when you see all the limitations.


Bill Hassell, sysadmin
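
An added example, not part of the original post and not the attached sample file or settings script mentioned in this thread: a small lint for a security file that reports which settings count and which would be skipped under the "#" rule described above. It assumes the skip-any-line-containing-"#" behaviour as stated in the post and the NAME=value form shown in the listing earlier in the thread; the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags lines in an HP-UX style
# /etc/default/security file that would not take effect as written.
# Assumptions: any line containing '#' is skipped (as stated in the post
# above) and settings use the NAME=value form from the listing in the thread.

# Reads the file named in $1, or stdin. Prints ACTIVE / IGNORED / MALFORMED
# findings and returns 1 if anything needs review.
lint_security() {
    awk '
        /^[ \t]*$/ { next }                  # blank line
        /^[ \t]*#/ { next }                  # whole-line comment
        /#/ {                                # setting sharing a line with "#"
            printf "IGNORED %d %s\n", NR, $0; bad++; next
        }
        /^[A-Z][A-Z0-9_]*=[^ \t]+[ \t]*$/ {  # well-formed NAME=value
            sub(/[ \t]+$/, ""); printf "ACTIVE %s\n", $0; next
        }
        { printf "MALFORMED %d %s\n", NR, $0; bad++ }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample input (parameter names taken from the thread).
sample_security() {
    cat <<'EOF'
# constructed sample, not a real system file
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_DIGIT_CHARS=1   # at least one digit
PASSWORD_MAXDAYS 91
PASSWORD_MIN_UPPER_CASE_CHARS=1

SU_ROOT_GROUP=sysadm
EOF
}

sample_security | lint_security || echo "review the IGNORED/MALFORMED lines"
```

Run it against a real file with `lint_security /etc/default/security`; the numbers after IGNORED and MALFORMED are line numbers in that file.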
Bill Hassell
Honored Contributor

Re: System wide password Format on Trusted System 11.11?

Here is the security settings script. It should give you virtually all of the current settings. SAM is also useful but a lot more cumbersome to locate and set the values.


Bill Hassell, sysadmin
Hakki Aydin Ucar
Honored Contributor

Re: System wide password Format on Trusted System 11.11?

Hi,

I also recommend that you read this post as additional background; I think it is very useful, especially regarding the future of Trusted Systems and their disadvantages:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1371250

Regards.
rmueller58
Valued Contributor

Re: System wide password Format on Trusted System 11.11?

Thanks All.

I appreciate the assistance ..