Operating System - HP-UX

Re: Trusted System Passwords

 
Barry Mayfield
New Member

Trusted System Passwords

We're using an HP 9000 box running HPUX 11.0. We recently trusted our system.

We've got password requirements of a minimum of 8 characters, at least one of those being a digit, and at least one of those being a special character. (Ex: xfgdye1!)

What we have happening is users are creating a password longer than eight characters... using a digit and a special character as ninth and tenth characters for example... and once the password is set they are then able to log in to our system using only the eight characters. They have basically circumvented the digit and special character requirement.

We've fiddled with all we know how and can't come up with a fix to prevent folks from getting around the use of a digit and special character... and users are spreading the news.

Ideas?
Chan 007
Honored Contributor

Re: Trusted System Passwords

Greg Vaidman
Respected Contributor

Re: Trusted System Passwords

Barry,

This is not normal behavior. On my 11i trusted system, when I enter a password of >8 characters, all the characters are required to log in.

1. Check your /etc/default/security file. Maybe some weird option in there?

2. Make sure you have all trusted system patches. Go to http://www1.itrc.hp.com/service/patch/search.do?BC=main|&pageOsid=hpux and search for the exact phrase "trusted system"
Darrel Louis
Honored Contributor

Re: Trusted System Passwords

Barry,

Can you check what the maximum password length is:
/usr/lbin/getprdef -m maxpwln
With modprdef you can change the value.

/usr/lbin/getprdef -r [-m option[,option]] [-b] [-p] [-t]
OPTIONS
-r raw display of the protected database field values
-m display the value of the option given. If -m is not specified,
all protected database fields will be displayed.
-b display password defaults
-p display time defaults
-t display login defaults
Boolean values are returned as YES, NO, or DFT (default).
A value of -1 indicates that the field is undefined.
The following values will be displayed or can be selected
using the -m option:

maxpwln maximum password length allowed

Good luck

Darrel
Barry Mayfield
New Member

Re: Trusted System Passwords

Greg:
We're actually in the middle of assessing our current patch status and prepping for any updates we need. We'll definitely be looking at this to make sure we're covered as far as the trusting goes.

Thanks.

Darrel:
We're currently set at 16 maximum.

We use software that makes use of a telnet connection to our host (HPUX box). I currently have assigned myself a 16 character password but am logging in pretty as you please using only the first eight. Heh, heh.

Thanks folks for the help and other things to look at.
Darrel Louis
Honored Contributor

Re: Trusted System Passwords

Barry,

What's the patch level of your server? I'll test it on one of the HP-UX 11.00 servers.
What's the OpenSSH version you're using?

Darrel
Darrel Louis
Honored Contributor

Re: Trusted System Passwords

Barry,

To check the consistency of your /etc/passwd and trusted system password database, use the command:
/usr/sbin/authck

Darrel
Bill Hassell
Honored Contributor

Re: Trusted System Passwords

When did you create your long passwords -- before or after trusted conversion? An untrusted system will (incorrectly IMHO) let you enter 10, 20, 30 or more characters for a password and then will accept anything past the first 8 characters. In other words, the untrusted system silently truncates all passwords to 8. When you converted, only those 8 came across as 8 and if the users use just 8, they will work fine. Add a 9th character to a login password attempt and it should fail because every character is used in a Trusted system.

To prove this, create a new password now that the system is Trusted. Make it 9 or 10 or 16, whatever. Then try a login with just the first 8. If the first 8 work OK, I would be very concerned about patches. Note that 11.0 is going out of support this year.


Bill Hassell, sysadmin
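
The truncation behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not HP-UX code. SHA-256 stands in for the system's real password hash, and the function names, salt and sample passwords are constructed for illustration; the policy is the one from the original question (8+ characters, one digit, one special character).

```python
import hashlib
import hmac
import string

SIGNIFICANT = 8  # characters a truncating (untrusted-style) scheme actually hashes


def _digest(text: str, salt: str) -> str:
    # Stand-in hash (assumption): only the truncation step matters for this model.
    return hashlib.sha256((salt + text).encode()).hexdigest()


def set_password(password: str, salt: str, truncating: bool) -> str:
    """Return the stored hash; a truncating scheme silently drops characters 9 and up."""
    effective = password[:SIGNIFICANT] if truncating else password
    return _digest(effective, salt)


def verify(attempt: str, salt: str, stored: str, truncating: bool) -> bool:
    """Check a login attempt the same way the chosen scheme would hash it."""
    effective = attempt[:SIGNIFICANT] if truncating else attempt
    return hmac.compare_digest(_digest(effective, salt), stored)


def meets_policy(text: str) -> bool:
    """Policy from the question: at least 8 characters, one digit, one special."""
    return (len(text) >= 8
            and any(c.isdigit() for c in text)
            and any(c in string.punctuation for c in text))


def audit_candidate(password: str) -> dict:
    """Evaluate the policy on the whole password and on the part a truncating hash keeps."""
    return {"full": meets_policy(password),
            "effective": meets_policy(password[:SIGNIFICANT])}


if __name__ == "__main__":
    pw, salt = "xfgdyeab1!", "ab"          # constructed sample values
    print(audit_candidate(pw))             # policy on full vs. effective password
    stored = set_password(pw, salt, truncating=True)
    print(verify("xfgdyeab", salt, stored, truncating=True))    # first 8 only
    print(verify(pw, salt, stored, truncating=False))           # hash carried to a full-length check
```

A password that passes on `full` but fails on `effective` is one where the required digit and special character sit past position 8, which is the situation the original question describes.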