Operating System - HP-UX

Using Password History without being a Trusted System

 
Mark VineGar
Occasional Contributor

Using Password History without being a Trusted System

Is there a way in HP-UX 11x to use password history so users cannot change their password to the last 3 or 4 previous passwords? I know this can be done if your HP is converted to trusted, but is there a way to do this without being a trusted system?

Thanks
Mark
Live Long And Prosper
James R. Ferguson
Acclaimed Contributor

Re: Using Password History without being a Trusted System

Hi Mark:

Sorry, the password history feature is available only for trusted systems. See the "security features" of the man page for 'passwd(1)'.

Regards!

...JRF...
Roger Baptiste
Honored Contributor

Re: Using Password History without being a Trusted System

Hi,

I am not sure whether this can be done on a nontrusted system. But, you can do password aging on a non-trusted system by inserting special characters after the passwd entry in the passwd file. This is specified in the man page of passwd, e.g.:

The characters used to represent "digits" are . for 0, / for 1, 0 through 9 for 2 through 11, A through Z for 12 through 37, and a through z for 38 through 63.

Password aging is put in effect for a particular user if his encrypted password in the password file is followed by a comma and a nonnull string of characters from the above alphabet. (Such a string must be introduced in the first instance by a superuser.) This string defines the "age" needed to implement password aging.

The first character of the age, M, denotes the maximum number of weeks for which a password is valid. A user who attempts to login after his password has expired is forced to supply a new one. The next character, m, denotes the minimum period in weeks that must expire before the password can be changed. The remaining characters define the week (counted from the beginning of 1970) when the password was last changed (a null string is equivalent to zero). M and m have numerical values in the range 0 through 63 that correspond to the 64-

**
Also, have a look at SAM and the user section to check whether it has the options. Normally, SAM is a good clue to see what options the system provides in these sorts of cases.

HTH
raj
Take it easy.
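To make the aging field Roger quotes concrete, here is an added example (not code from the thread or from HP-UX) that encodes and decodes the comma-separated age string using the 64-character alphabet and the M/m semantics from the passwd(1) excerpt above. The passwd line used as input is constructed; the digit order of the "week" characters (least significant character first, as a64l(3C) uses) is an assumption, since the excerpt does not state it.

```python
# Added example, not from the thread: encode/decode the System V style
# password-aging string that follows the comma in the passwd(4) entry.
# Alphabet and meaning of M and m come from the passwd(1) text quoted above.
# ASSUMPTION: week digits are stored least-significant character first
# (a64l(3C) order); the man page excerpt does not spell this out.

AGE_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
assert len(AGE_ALPHABET) == 64  # . / 0-9 A-Z a-z


def digit_value(ch):
    """Map one aging character to its numeric value 0..63."""
    try:
        return AGE_ALPHABET.index(ch)
    except ValueError:
        raise ValueError("invalid aging character %r" % ch)


def decode_age(age):
    """Return (max_weeks, min_weeks, last_changed_week) for an aging string."""
    if len(age) < 2:
        raise ValueError("aging string needs at least the M and m characters")
    max_weeks = digit_value(age[0])   # M: weeks a password stays valid
    min_weeks = digit_value(age[1])   # m: weeks before it may be changed again
    last_changed = 0                  # null string is equivalent to week 0
    for pos, ch in enumerate(age[2:]):
        last_changed += digit_value(ch) * (64 ** pos)
    return max_weeks, min_weeks, last_changed


def encode_age(max_weeks, min_weeks, last_changed_week):
    """Build the aging string for the given M, m and last-changed week."""
    for v in (max_weeks, min_weeks):
        if not 0 <= v <= 63:
            raise ValueError("M and m must be in 0..63")
    digits = []
    w = last_changed_week
    while w:
        digits.append(AGE_ALPHABET[w % 64])
        w //= 64
    return AGE_ALPHABET[max_weeks] + AGE_ALPHABET[min_weeks] + "".join(digits)


def split_password_field(passwd_line):
    """Return (encrypted_password, aging_or_None) from one /etc/passwd line."""
    fields = passwd_line.split(":")
    if len(fields) < 7:
        raise ValueError("not a passwd(4) line")
    pw_field = fields[1]
    if "," in pw_field:
        encrypted, age = pw_field.split(",", 1)
        return encrypted, age
    return pw_field, None


def password_status(age, current_week):
    """Apply M and m to the current week (weeks since the start of 1970)."""
    max_weeks, min_weeks, last_changed = decode_age(age)
    elapsed = current_week - last_changed
    return {
        "expired": elapsed > max_weeks,          # user is forced to pick a new one
        "change_allowed": elapsed >= min_weeks,  # minimum period has passed
    }


# Constructed sample: M=12 weeks ('A'), m=2 weeks ('0'), last changed in week 1700.
SAMPLE_LINE = "mark:Y7mVtdV.zWazc,A0YO:101:20:Mark:/home/mark:/bin/sh"

if __name__ == "__main__":
    encrypted, age = split_password_field(SAMPLE_LINE)
    print(encrypted, age, decode_age(age), password_status(age, 1715))
```

Decoding the field this way is handy when auditing a non-trusted box: it tells you which accounts actually have aging applied and whether the superuser-set M and m values match policy.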
Tom Maloy
Respected Contributor

Re: Using Password History without being a Trusted System

Check out "man security".

In /etc/default/security, you can set

PASSWORD_HISTORY_DEPTH=9

Allowed values are 1 to 10.

Tom
Carpe diem!
Telia BackOffice
Valued Contributor

Re: Using Password History without being a Trusted System

Look at:
man 4 security

The thing you are looking for is:
PASSWORD_HISTORY_DEPTH
This parameter controls the password history depth. A new password is checked only against the number of most recently used passwords stored in password history for a particular user. A user is not allowed to reuse a previously used password.

BR,
Jannik
Darren Prior
Honored Contributor

Re: Using Password History without being a Trusted System

Sorry Mark,

Although security(4) discusses this feature, it is not valid unless the system is trusted. See passwd(1) for info.

There's quite a few threads discussing the benefits and problems of trusted systems to help you decide whether you should change your system to trusted.

regards,

Darren.
Calm down. It's only ones and zeros...
Joaquin Gil de Vergara
Respected Contributor

Re: Using Password History without being a Trusted System

Note that /etc/security exists only in HP-UX 11i (not in 11.0) and the PASSWORD_HISTORY_DEPTH is only supported in a trusted system!

The password history depth configuration is on a system
basis and is supported in trusted system for users in
files repository only. This feature does not support
the users in NIS or NISPLUS repositories. Once the
feature is enabled, all the users on the system are
subject to the same check. If this parameter is not
configured, the password history check feature is
automatically disabled. When the feature is disabled,
the password history check depth is set to 1.


Teach is the best way to learn
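The replies from Tom, Jannik, Darren and Joaquin together give the rules for PASSWORD_HISTORY_DEPTH: allowed values 1 to 10, an unconfigured parameter means the check is disabled with depth 1, and the setting only takes effect on a trusted system. The following is an added example (not from the thread or from HP-UX) that audits a /etc/default/security style file against those rules. The sample file content is constructed, and using the presence of /tcb/files/auth as the trusted-system indicator is an assumption.

```python
# Added example, not from the thread: audit PASSWORD_HISTORY_DEPTH against the
# rules the posts above describe (range 1..10, unconfigured => disabled with
# depth 1, only effective on a trusted system).
# ASSUMPTION: a trusted (converted) system is detected by the protected
# password database directory <root>/tcb/files/auth existing.
import os


def parse_security_file(text):
    """Parse KEY=VALUE lines of an /etc/default/security style file, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_history_depth(settings):
    """Return (depth, note); depth is None when the configured value is invalid."""
    value = settings.get("PASSWORD_HISTORY_DEPTH")
    if value is None:
        # security(4) as quoted above: not configured => check disabled, depth 1
        return 1, "not configured: history check disabled, depth defaults to 1"
    try:
        depth = int(value)
    except ValueError:
        return None, "PASSWORD_HISTORY_DEPTH is not an integer: %r" % value
    if not 1 <= depth <= 10:
        return None, "PASSWORD_HISTORY_DEPTH out of range 1..10: %d" % depth
    return depth, "configured"


def is_trusted_system(root="/"):
    """ASSUMPTION: /tcb/files/auth marks a system converted to trusted mode."""
    return os.path.isdir(os.path.join(root, "tcb", "files", "auth"))


def audit_history_policy(text, trusted):
    """Return (history_check_effective, findings) for the given file text."""
    depth, note = effective_history_depth(parse_security_file(text))
    findings = [note]
    if depth is not None and depth > 1 and not trusted:
        findings.append("PASSWORD_HISTORY_DEPTH is set but the system is not "
                        "trusted; the setting has no effect")
    effective = depth is not None and depth > 1 and trusted
    return effective, findings


# Constructed sample of /etc/default/security with the value Tom suggests.
SAMPLE_SECURITY = """\
# constructed sample file
PASSWORD_HISTORY_DEPTH=9
"""

if __name__ == "__main__":
    ok, findings = audit_history_policy(SAMPLE_SECURITY, is_trusted_system())
    print("history check effective:", ok)
    for f in findings:
        print(" -", f)
```

The point of the second finding is the one Darren makes: a parameter that parses cleanly can still be inert, so an audit has to check the system mode, not just the file.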
Shannon Petry
Honored Contributor

Re: Using Password History without being a Trusted System

Well the beauty of Unix is that there are many ways to skin the proverbial cat ;)

This being said, you can be creative and try the following steps on a non-production box.

1. Write a script which will replace the binary program "passwd".
The script needs to do the following.
a. set and create a file with the encrypted string for any user.
b. adjust this file size to trim the top line from itself when the max history has been reached.
c. call the real passwd file that would be replaced with something like passwd.bin
d. before closing log the new encrypted string from /etc/passwd to the history file.
2. rename the real passwd binary to whatever you will call in your script.
3. rename your script as passwd, and set exact permissions and owner ship to it as the real passwd file.

PROBLEMS: Of course there are lots of them that could occur, but there is a way to see if a program is called interactively or not. Perhaps build in a safety and fall through the script if it is not an interactive call.
Obviously this will not work with yppasswd, or any other program of that type.

Don't know if it would work as I never tried, however I have replaced many other binaries on systems with my own scripts for many different reasons.

Regards,
Shannon
Microsoft. When do you want a virus today?
Shannon Petry
Honored Contributor

Re: Using Password History without being a Trusted System

Forgot to add an important item to "d" in the script functionality list.
d. should not only add the string to passwd, but first check to see if it already exists. If it exists then warn the user, and loop back to your passwd again. Once the user enters a password that does not generate the same salted string fall through that loop.

Shannon
Microsoft. When do you want a virus today?
Darren Prior
Honored Contributor

Re: Using Password History without being a Trusted System

Shannon,

Great cat skinning ;-) , but I believe that a plaintext password could encrypt to different encrypted strings due to the salt. This might make it tricky to compare the encrypted strings.

regards,

Darren.
Calm down. It's only ones and zeros...
Mark VineGar
Occasional Contributor

Re: Using Password History without being a Trusted System

Thanks everyone for all the input. It appears that the answer is NO unless we convert to Trusted or write a script as Shannon suggests.

Mark
Live Long And Prosper
Shannon Petry
Honored Contributor

Re: Using Password History without being a Trusted System

Yeah, for the bit more complex then use perl as you can work with the unsalted plain text password and let perl crypt it for you!

Use an unsalted crypt to store the passwords and make the comparison that way!

To the experienced programmer I don't think this would be too much work. I'm not fluent in perl past simple web forms and tidy scripts so can't offer any pointers for a script like this in perl.

Regards,
Shannon
Microsoft. When do you want a virus today?
Darrell Allen
Honored Contributor

Re: Using Password History without being a Trusted System

Hi all,

I believe you will find that if the salt and the plaintext password are always the same, the encrypted password will always be the same as well. That's my experience. Further, it will be the same whether on HP-UX, Solaris, or AIX since it's a UNIX thing.

Try playing around with the following (where "password" is to be crypted using "Y7" as the salt):
echo passwordY7 | /usr/lbin/makekey

I think you'll always get Y7mVtdV.zWazc as the result.

That being the case, your password history checking script would need to get the salt from each encrypted password in the history list, use each of those salts to encrypt the new password, and compare each result to those in the list.

To truly emulate passwd you need to randomly select the salt. man makekey for more info.

In the end, I'd rather just convert to a trusted system than to mess around with passwd.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Deshpande Prashant
Honored Contributor

Re: Using Password History without being a Trusted System

HI Mark
Converting the system to trusted will be the better and easier way to achieve the password history option. Is there any reason you are avoiding using trusted systems?

You can use the "PASSWORD_HISTORY_DEPTH" parameter on 11.x systems.

Thanks.
Prashant.
Take it as it comes.
doug hosking
Esteemed Contributor

Re: Using Password History without being a Trusted System

Joaquin wrote:
"note that /eyc/security exists only in HP-UX 11i (not in 11.0) and the PASSWORD_HISTORY_DEPTH is only supported in a trusted system!"

Actually, the original reason for the creation of /etc/default/security was to support the addition of this history feature in 11.00. While the original version of 11.00 did not support the history feature, patches PHCO_13808 and PHCO_13809 added support for it (and the /etc/default/security file) in 11.00. Joaquin is correct that this feature is currently supported only on trusted system configurations of HP-UX.


Joaquin Gil de Vergara
Respected Contributor

Re: Using Password History without being a Trusted System

ok

thank you for the correction :-)
Teach is the best way to learn