
Re: Trusted System and Password policies

 
SANTOSH S. MHASKAR
Trusted Contributor

Trusted System and Password policies

Hi all,

Two days back I applied patch PHCO_35250 with all dependencies on
my server (HP rp4440, HP-UX 11.11) and converted the system to trusted mode using SAM.

I have the following settings in the /etc/default/security file.

-------------------
## Security definitions for wfms2.com

## Exit the login session if the user's home directory does not exist.

ABORT_LOGIN_ON_MISSING_HOMEDIR=1

## 1 number of logins are allowed per user

NUMBER_OF_LOGINS_ALLOWED=0

MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
----------------------

Only the last 5 lines for password are working,

even if I set NUMBER_OF_LOGINS_ALLOWED=1

the system is allowing many simultaneous logins.

I also want to lock users when they are inactive, after unsuccessful login attempts, etc.

For this, what do I have to use? The /etc/default/security file, or
should I enable this from SAM?

Are these 2 methods different?

Also, the password settings in /etc/default/security were not working
before converting the system to a trusted system.
Does this mean that to make the settings in /etc/default/security effective
one has to make the system trusted?

Please guide.


-Santosh
6 REPLIES
SANTOSH S. MHASKAR
Trusted Contributor

Re: Trusted System and Password policies

Hi,

Please guide me on this; it is very urgent.


Thanks in advance.


-Santosh
Bill Hassell
Honored Contributor

Re: Trusted System and Password policies

> Only the last 5 lines for password are working,

I assume you mean that the password rules listed above are working.

> even if I set NUMBER_OF_LOGINS_ALLOWED=1

How are your users connecting? Are they using ssh? Or telnet? Or are they using Xwindows? Xwindows has a very big problem with normal Unix behavior in that the X11 terminal emulators do not log in normally but bypass standard Unix features, specifically by running shells without a login flag. This means that /etc/profile and .profile are never run and thus, these users do not have a dash (as in -sh or -ksh) as their primary shell.

To fix this, have each user do this (one time):

echo "*loginShell: true" >> $HOME/.Xdefaults

then log out and log in again. Now the users should see a normal login and the login limit should be working.

NOTE: setting the limit=1 may cause many, many problems with database and other applications that may require several logins at the same time. In this case, you can add some code in /etc/profile to test for restricted users and exit if a login session is already running.


Bill Hassell, sysadmin
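
One way to write the /etc/profile test suggested in the post above, as an added example that is not part of the original thread or Bill Hassell's own code. The account names, the limit, and the function names are hypothetical, and it assumes `who` already lists the session being started when /etc/profile runs.

```sh
# Added example (not from the thread): login-limit check meant for /etc/profile.
# Assumptions: the account names and limit are hypothetical, and `who`
# already lists the session being started when /etc/profile runs.
RESTRICTED_USERS="appuser1 appuser2"
MAX_SESSIONS=1

# Constructed `who` output, used to exercise the functions offline.
SAMPLE_WHO='appuser1   pts/0   Jan 10 09:00
appuser1   pts/1   Jan 10 09:05
dbadmin    pts/2   Jan 10 09:06
dbadmin    pts/3   Jan 10 09:06
appuser2   pts/4   Jan 10 09:07'

# Print how many lines of `who` output on stdin belong to user $1.
count_sessions() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Succeed if user $1 is listed in RESTRICTED_USERS.
is_restricted() {
    for r in $RESTRICTED_USERS; do
        if [ "$r" = "$1" ]; then return 0; fi
    done
    return 1
}

# Succeed if user $1 may keep this login; reads `who` output on stdin.
# Unrestricted accounts (databases, applications) are never limited.
login_allowed() {
    n=$(count_sessions "$1")
    is_restricted "$1" || return 0
    [ "$n" -le "$MAX_SESSIONS" ]
}

# Hook for /etc/profile: end the new session when the limit is exceeded.
enforce_login_limit() {
    who | login_allowed "${LOGNAME:-$(id -un)}" || {
        echo "Login limit of $MAX_SESSIONS reached for this account." >&2
        exit 1
    }
}
# In /etc/profile, after the definitions above, call: enforce_login_limit
```

Like the login limit itself, this check only takes effect for sessions that start a login shell and therefore read /etc/profile.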
Steven E. Protter
Exalted Contributor

Re: Trusted System and Password policies

Shalom,

As I remember /etc/default/security was only effective when I went trusted with my systems.

The SAM settings are different. I took my security settings off ITRC forums, modified them and left them in place.

Note that trusted system has been deprecated and replaced with a new product on 11.31.

SEP
Steven E Protter
Owner of ISN Corporation
SANTOSH S. MHASKAR
Trusted Contributor

Re: Trusted System and Password policies

Hi Bill,

You are correct, the last 5 lines means rules for password.

NUMBER_OF_LOGINS_ALLOWED=1 would create some problems, but I just want to test if it is working,
and I found it not working.

Is there a problem with the /etc/default/security file?

The users are connecting using ssh.

I want to enable account deactivation on unsuccessful login attempts and on inactivity of the account.


I just want to know if I have to implement this using only SAM?

Hi Steve,

Thanks for the info.

If the SAM settings are different, then if I set
both (/etc/default/security also),
which setting will the system take?

-Santosh
Basheer_2
Trusted Contributor

Re: Trusted System and Password policies

Hi Santosh,

We all manage policies using SAM. Just a lot easier.
SANTOSH S. MHASKAR
Trusted Contributor

Re: Trusted System and Password policies

Thanks Basheer,

But is it OK for the /etc/default/security file to exist if one is managing all policies
with SAM? Or does SAM override /etc/default/security?


-Santosh Mhaskar