
u_pwd entry in tcb files

SOLVED
Shankar_6
Regular Advisor

u_pwd entry in tcb files

Hi,

I have a couple of questions regarding tcb files (HP-UX trusted systems):

1. The u_pwd entry for the default accounts (bin, daemon, sys, adm, uucp and nuucp) is ":u_pwd=*:\". What does it indicate? Does it mean that the above accounts are locked/deactivated? However, they have entries like "u_lock@:chkent:". Please clarify.

2. If the "u_restrict" value doesn't exist in an individual user's tcb file, will it take the value from the default tcb file?

3. "u_pwdepth" doesn't exist in the default or the individual users' tcb files. How do I determine the number of previous passwords that cannot be used when changing a password in this case?

Points will be allotted.

Waiting for reply

Shankar

7 REPLIES
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: u_pwd entry in tcb files

1) u_pwd=* means that the password hash for this user is literally "*" -- an impossible hash and the account is effectively locked.

2) Yes, in fact that is the general case. The values in /tcb/files/auth/system/default take effect when there is no overriding value in a user's file.


3) Look in /etc/default/security for the value of PASSWORD_HISTORY_DEPTH.
If it ain't broke, I can fix that.
Sundar_7
Honored Contributor

Re: u_pwd entry in tcb files

Shankar,

/tcb/files/auth/system/default contains the default values. If none is specified for the user, the default values will be used.

/etc/default/security file can be used to set the password history depth.

Refer to the man page of security. The variable to set is PASSWORD_HISTORY_DEPTH.

Sundar.
Learn What to do, How to do and more importantly When to do?
Sundar_7
Honored Contributor

Re: u_pwd entry in tcb files

Hmm, didn't mean to duplicate :-). Clay just out-typed me.
Learn What to do, How to do and more importantly When to do?
Shankar_6
Regular Advisor

Re: u_pwd entry in tcb files

Hi Sundar/Clay,

Thank you very much for your quick reply.

Could you please clarify regarding the pwd query? I couldn't understand the comments. Is the password set to "*" for the default users, or are the users locked? Also, please clarify what the entry "u_lock@:chkent:" indicates.

No /etc/default/security file exists on the server, but still I couldn't use my previous password. Is there any other file that is blocking the use of the old password? Please clarify.

Points will be allotted.

Waiting for reply.

Shankar.
Sundar_7
Honored Contributor

Re: u_pwd entry in tcb files

Shankar,

Yes, that means there is no password assigned to the user and there is an administrative lock on the account.

Refer to the man page of prpwd. This has the description of all the fields.

Even though there is no /etc/default/security file, there is a default password history depth setting that is used (I believe 3).

# /usr/lbin/getprdef

This will give you the system-wide settings.

Sundar.
Learn What to do, How to do and more importantly When to do?
Shankar_6
Regular Advisor

Re: u_pwd entry in tcb files

Hi Sundar,

Thank you very much for your reply.

getprdef gives the below output.

./getprdef -m
bootpw=NO, mintm=1, maxpwln=8, exptm=70, lftm=1000, llog=0, expwarn=14, usrpick=YES, syspnpw=NO, rstrpw=YES, nullpw=NO, syschpw=NO, sysltpw=NO, umaxlntr=3, tmaxlntr=10, dlylntr=2, lntmout=0

From the above, which variable indicates the password depth? I also need to know the use of usrpick=YES.

Points will be allotted.

Waiting for reply.

Shankar.
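The getprdef -m line quoted above is a flat "key=value, key=value" list, and the question it raises is which field carries the password history depth. The following is an added illustration (not code from the thread or from HP-UX) that parses that exact line, parses a constructed /etc/default/security fragment, and resolves the history depth the way the replies describe: getprdef output has no such field, so the value comes from PASSWORD_HISTORY_DEPTH in /etc/default/security, and None is returned when the file does not set it (the system default then applies; the thread does not pin that default down). The SECURITY_FILE contents are constructed.

```python
"""Parse 'getprdef -m' output and resolve the password history depth.

Added illustration, not from the thread or from HP-UX. GETPRDEF_OUTPUT is the
line quoted in the thread; SECURITY_FILE is a constructed /etc/default/security
fragment (the real file is documented in security(4)).
"""

GETPRDEF_OUTPUT = (
    "bootpw=NO, mintm=1, maxpwln=8, exptm=70, lftm=1000, llog=0, expwarn=14, "
    "usrpick=YES, syspnpw=NO, rstrpw=YES, nullpw=NO, syschpw=NO, sysltpw=NO, "
    "umaxlntr=3, tmaxlntr=10, dlylntr=2, lntmout=0"
)

# Constructed fragment, not copied from any real system.
SECURITY_FILE = """# constructed /etc/default/security
PASSWORD_HISTORY_DEPTH=5   # remember the last five passwords
MIN_PASSWORD_LENGTH=8
"""


def parse_getprdef(line):
    """Turn 'key=val, key=val, ...' into a dict; YES/NO and numbers are typed."""
    settings = {}
    for item in line.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue                      # tolerate stray whitespace/empty items
        if value in ("YES", "NO"):
            settings[key] = value == "YES"
        elif value.lstrip("-").isdigit():
            settings[key] = int(value)
        else:
            settings[key] = value
    return settings


def parse_security_file(text):
    """Minimal KEY=VALUE reader for /etc/default/security; '#' starts a comment."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def password_history_depth(getprdef_settings, security_values):
    """Resolve the reuse depth: it is not a getprdef field, so consult
    /etc/default/security. Returns an int when PASSWORD_HISTORY_DEPTH is set,
    otherwise None (the system default applies)."""
    # Sanity check: none of the getprdef keys is a history-depth field.
    assert not any("pwdepth" in k for k in getprdef_settings)
    value = security_values.get("PASSWORD_HISTORY_DEPTH")
    return int(value) if value is not None else None


if __name__ == "__main__":
    defaults = parse_getprdef(GETPRDEF_OUTPUT)
    print("system-wide defaults:", defaults)
    print("history depth with file:",
          password_history_depth(defaults, parse_security_file(SECURITY_FILE)))
    print("history depth without file:", password_history_depth(defaults, {}))
```

Running the script prints the typed defaults, then 5 for the constructed file and None when no file exists, which is the situation Shankar describes.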
A. Clay Stephenson
Acclaimed Contributor

Re: u_pwd entry in tcb files

To be precise, the password is not set to '*' but rather the password hash is set to '*'.

Let's suppose that your current plaintext passwd is "secret" and the stored passwd hash is "12FJgqDtVOg7Q". All passwords are hashed using the crypt() function (except for those hashed with the bigcrypt() function, but that's another story). The first 2 characters of the hash are the "salt" which perturbs the hashing algorithm. When a plaintext is entered upon login, the plaintext password and the salt are passed to the crypt() function and if the output matches the stored hash, the login is valid. All valid stored password hashes are exactly 13 characters long (except for those hashed with bigcrypt) regardless of the length of the plaintext password. Because the stored hash is a '*', it represents a hash that will never match. Any other non-13 character hash would have the same effect.

In a non-trusted system setting the hash to '*' was the convention for locking an account, but the trusted system allows you to administratively lock an account but leave the password hash valid.

You can display these values and the lockout conditions using the getprpw command. See man getprpw and modprpw for details.
If it ain't broke, I can fix that.
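To make the two lock conditions discussed in this thread concrete (an unmatchable u_pwd hash versus the trusted-system u_lock flag), here is an added illustration that is not code from the thread or from HP-UX. It parses two constructed entries in the /tcb/files/auth/<letter>/<user> layout (':'-separated fields, a trailing ':\' continuing the line, 'chkent' closing the entry) and reports why each account can or cannot be logged into with a password. The boolean convention used ('name' alone is true, 'name@' is false) is the prpwd(4)/authcap field format rather than something the thread states; the hash check models only classic 13-character crypt() output, not bigcrypt.

```python
"""Parse a trusted-system (tcb) auth entry and explain its lock state.

Added illustration, not code from the thread or from HP-UX. The two entries
below are constructed to look like /tcb/files/auth/<letter>/<user> files.
Boolean fields follow the prpwd(4)/authcap convention: 'name' is true,
'name@' is false.
"""
import string

# Alphabet of a classic 13-character crypt(3) hash: 2-char salt + 11-char digest.
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")

# Constructed: a default account whose only "lock" is the impossible hash.
SAMPLE_BIN = r"""bin:u_name=bin:u_id#2:\
        :u_pwd=*:\
        :u_lock@:chkent:"""

# Constructed: a user with a valid-looking hash but an administrative lock set.
SAMPLE_ALICE = r"""alice:u_name=alice:u_id#501:\
        :u_pwd=12FJgqDtVOg7Q:\
        :u_minchg#0:u_maxlen#8:\
        :u_lock:chkent:"""


def parse_tcb_entry(text):
    """Return (username, fields) for one tcb auth entry."""
    pieces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # line-continuation marker
            line = line[:-1]
        pieces.append(line)
    tokens = [t for t in "".join(pieces).split(":") if t and t != "chkent"]
    user, fields = tokens[0], {}
    for tok in tokens[1:]:
        if "=" in tok:                     # string capability, e.g. u_pwd=...
            name, value = tok.split("=", 1)
            fields[name] = value
        elif "#" in tok:                   # numeric capability, e.g. u_id#2
            name, value = tok.split("#", 1)
            fields[name] = int(value)
        elif tok.endswith("@"):            # boolean explicitly false
            fields[tok[:-1]] = False
        else:                              # boolean true
            fields[tok] = True
    return user, fields


def hash_can_match(stored):
    """True only if the stored value has the shape of a classic crypt() hash.

    crypt() always yields exactly 13 characters from CRYPT_ALPHABET, so a
    value such as '*' can never equal the hash of any entered password.
    bigcrypt hashes (longer) are deliberately not modelled here.
    """
    return len(stored) == 13 and all(c in CRYPT_ALPHABET for c in stored)


def lock_state(fields):
    """Explain why an account can or cannot be logged into with a password."""
    admin_lock = fields.get("u_lock", False)          # trusted-system lock flag
    pwd = fields.get("u_pwd")
    no_password = pwd in (None, "")                    # governed by nullpw, not a lock
    unmatchable = not no_password and not hash_can_match(pwd)
    return {
        "admin_lock": admin_lock,
        "hash_unmatchable": unmatchable,
        "no_password": no_password,
        "effectively_locked": admin_lock or unmatchable,
    }


if __name__ == "__main__":
    for entry in (SAMPLE_BIN, SAMPLE_ALICE):
        user, fields = parse_tcb_entry(entry)
        print(user, lock_state(fields))
```

For the constructed bin entry the report shows admin_lock False but hash_unmatchable True, which is exactly the "u_lock@" plus "u_pwd=*" combination asked about: the account is unusable because of the hash, not because of an administrative lock. The alice entry shows the opposite case the last reply describes, a valid hash with u_lock set.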