
Re: Where do I set password options?

 
Michael Campbell
Trusted Contributor

Where do I set password options?

Hi

Our HP-UX 11 server is not a trusted system. It does however insist that passwords differ by at least 3 positions. Where are all these options set (dictionary check, length of password, complexity of password, password history, etc.)?

Any help appreciated

Michael
15 REPLIES 15
Tom Geudens
Honored Contributor

Re: Where do I set password options?

Hi,
You use SAM for this :
SAM
-> Auditing and Security
-> System Security Policies

Regards,
Tom
A life ? Cool ! Where can I download one of those from ?
Christopher McCray_1
Honored Contributor

Re: Where do I set password options?

Hello,

In SAM go to Auditing and Security --> System Security Policies, and there are 4 categories of security policies: Password aging, Password format, general User Account Policies and Terminal Security Policies.

Alternatively, you can set them on a by-user basis by going into Accounts for Users and Groups --> Users, selecting the user, and under Actions setting these policies for the account only.

Hope this helps

Chris
It wasn't me!!!!
Darren Prior
Honored Contributor

Re: Where do I set password options?

Hi Michael,

man passwd(1) contains info on password requirements for non-trusted systems, including the 'differ by at least 2 positions' requirement.

Other options are set in /etc/default/security, e.g. password history. Again this info is in man passwd(1) for password history. I believe there is a man page for security, but only at 11i.

regards,

Darren.
Calm down. It's only ones and zeros...
Michael Campbell
Trusted Contributor

Re: Where do I set password options?

Tom

I don't have access to this option without converting to a trusted system. Is there another way of setting this up?

Regards

Michael
Tom Geudens
Honored Contributor

Re: Where do I set password options?

Hi again Michael,
Sorry ... I missed the "trusted" part. The 3 position difference is "default" (see manpage of passwd, there are several other defaults). In order to change those you'll have to go "trusted".

Sorry again,
Tom
A life ? Cool ! Where can I download one of those from ?
Cheryl Griffin
Honored Contributor

Re: Where do I set password options?

This is a hardcoded requirement, not a configurable policy.

# man passwd
Look under Requirements

* A new password must differ from the old one by at least three characters (one character in a trusted system). For comparison purposes, an uppercase letter and its corresponding lowercase equivalent are treated as identical.

Cheryl
"Downtime is a Crime."
Michael Campbell
Trusted Contributor

Re: Where do I set password options?

Thanks folks

I guess I'll just have to convert to trusted.

Regards

Michael
Hai Nguyen_1
Honored Contributor

Re: Where do I set password options?

Michael,

You actually need to turn your system to trusted mode to be able to implement such features as minimum password length, minimum password depth, minimum password character types... And these features can't be turned on using SAM. You have to create a file named /etc/default/security and edit it.

For more info on password length, password depth..., you can search the forum since there have been many good posts on these.

Hai
Darren Prior
Honored Contributor

Re: Where do I set password options?

Hi Michael,

Yes, trusted is probably the way forward if you wish to have access to this kind of functionality.

FYI - there is a man page for security(4) on http://docs.hp.com; it's in volume 8 of the 11i manuals and covers some of your requirements.

If you are interested in using the dictionary check, please be aware that the standard dictionary does not contain any words with non-alpha characters. As a password must have a non-alpha character this means that you'll need to generate your own dictionary complete with these hybrid words.
Calm down. It's only ones and zeros...
Michael Campbell
Trusted Contributor

Re: Where do I set password options?

Folks

I've just realised that I can't convert to a trusted system because that would require each user to have a password. The way that our system works now is that a user logs in with the userid but is not asked for a password. They then go straight into the application, which has its own internal security, and they never have shell access.
Does anyone know a way around this without having to give each user a password?
Also, what are my options for restricting passwords on a non-trusted system apart from the standard aging in SAM?

Regards

Michael
Darren Prior
Honored Contributor

Re: Where do I set password options?

Hi Michael,

I'm a little confused :) You don't want to have user passwords, but you wish to know how to change options on them? Can you perhaps rephrase your latest question and let us know what you're aiming to achieve :)

>options for restricting passwords on a non-trusted system apart from the standard aging in SAM?
As I mentioned earlier, /etc/default/security is the file that allows you to make these types of changes.

regards,

Darren.
Calm down. It's only ones and zeros...
Michael Campbell
Trusted Contributor

Re: Where do I set password options?

Darren

There are two types of user on our system:
1) Application users: These users go straight into the application and do not have shell access. These users do not need an OS level password.

2) Non-Application users: Users with normal shell access. These users do require a password and we would like to put some more restrictions on this.

Regards

Michael

P.S. I do not have an /etc/default/security file. Is this something I will have to create? What format is it in? Do you have an example?
Darren Prior
Honored Contributor

Re: Where do I set password options?

Hi Michael,

Thanks for clarifying your situation. My feeling is that you should trust your system, and allow null passwords for your application users. This can be set in SAM from Actions ->Modify User's Security Policies when you've selected a user.

This will allow you to restrict your non-app users whilst allowing your app to provide the required authentication.

Otherwise you could stay with your current setup and use the security file mentioned previously. With the extra information you've given me I'd say the 1st option is best! If you want to know more about the security file, it's plain ASCII and must have permissions as documented in the man page. Don't forget you can also use this file with trusted systems too.

Here's a very basic example:
# passwords must now be at least 8 chars long. This is the greatest min value possible for a non-trusted system
MIN_PASSWORD_LENGTH=8
# stop people alternating between 2 passwords
PASSWORD_HISTORY_DEPTH=2

regards,

Darren.
Calm down. It's only ones and zeros...
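
The two settings from the post above can be checked mechanically. This is an added example, not part of the original thread: a POSIX shell function that lints a file in the KEY=VALUE format shown there. The function name, the default thresholds (taken from the post's example values) and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a file in /etc/default/security
# format for the two settings shown in the post above.

# check_security_file FILE [MIN_LEN] [MIN_HISTORY]
# Prints one finding per line; returns 1 if there are findings, else 0.
check_security_file() {
    awk -F= -v want_len="${2:-8}" -v want_hist="${3:-2}" '
        function report(msg) { print msg; findings++ }
        function check(k, want) {
            if (!(k in value))                report("missing: " k)
            else if (value[k] !~ /^[0-9]+$/)  report("not a number: " k "=" value[k])
            else if (value[k] + 0 < want + 0) report("too weak: " k "=" value[k] " (want >= " want ")")
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key in value) report("set twice: " key " (line " NR ")")
            value[key] = val                   # the last assignment is the one checked
        }
        END {
            check("MIN_PASSWORD_LENGTH", want_len)
            check("PASSWORD_HISTORY_DEPTH", want_hist)
            # Per the post, 8 is the largest minimum a non-trusted system accepts.
            if (value["MIN_PASSWORD_LENGTH"] + 0 > 8)
                report("MIN_PASSWORD_LENGTH above 8 (non-trusted maximum per the post)")
            exit (findings > 0)
        }
    ' "$1"
}

# Constructed sample file: history depth too low, length given twice.
sample="${TMPDIR:-/tmp}/security.sample.$$"
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
MIN_PASSWORD_LENGTH=6
PASSWORD_HISTORY_DEPTH=1
MIN_PASSWORD_LENGTH=8
EOF
check_security_file "$sample"
rm -f "$sample"
```
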
Michael Campbell
Trusted Contributor

Re: Where do I set password options?

Darren

Thanks for that.
If I trust the system and allow null passwords, will the user be asked for a password or does it log straight in after the username is entered as is the case now? i.e. will the end-user know the difference?

Regards

Michael
Darren Prior
Honored Contributor
Solution

Re: Where do I set password options?

Hi Michael,

Here's what happens when you login as a user with a null password:

HP-UX hpwing23 B.11.00 A 9000/806 (td)

login: guesty
Last successful login for guesty: Mon Jul 29 17:06:01 GMT0BST 2002 on pts/td
Last unsuccessful login for guesty: Mon Jul 29 17:03:09 GMT0BST 2002 on pts/tc
Please wait...checking for disk quotas
(c)Copyright 1983-1997 Hewlett-Packard Co., All Rights Reserved.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.


i.e. you're not asked for a password. Here's another user on the same system who DOES have a password:

HP-UX hpwing23 B.11.00 A 9000/806 (tc)

login: darrenp
Password:
Last successful login for darrenp: Mon Jul 29 17:09:26 GMT0BST 2002 on pts/tc
Last unsuccessful login for darrenp: NEVER
Please wait...checking for disk quotas
(c)Copyright 1983-1997 Hewlett-Packard Co., All Rights Reserved.
HP-UX hpwing23 B.11.00 A 9000/806 (tc)

And if one of your non-app users tries to set their password to null:

[darrenp@hpwing23] passwd
Changing password for darrenp
Old password:
Last successful password change for darrenp: NEVER
Last unsuccessful password change for darrenp: NEVER

Do you want (choose one letter only):
pronounceable passwords generated for you (g)
a string of letters generated (l) ?
to pick your passwords (p) ?

Enter choice here: p
New password:
You are not allowed to have a null password.
New password:


Hope this example shows you the answers you're looking for :)

regards,

Darren.
Calm down. It's only ones and zeros...
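
With null passwords allowed for application users, it helps to confirm periodically that only those accounts have one. This is an added example, not part of the original thread: a POSIX shell function that lists accounts with an empty password field in a passwd-format file and flags any that do not start an approved application program. It assumes the non-trusted layout, where the password field is the second field of /etc/passwd; the function name, the program path `/opt/app/bin/menu` and the sample entries are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: report accounts that log in without a
# Password: prompt, assuming the password is field 2 of a passwd-format file.

# null_password_report PASSWD_FILE APPROVED_PROGRAM...
# Prints one line per null-password account; returns 1 if any needs review.
null_password_report() {
    pwfile=$1; shift
    awk -F: -v approved="$*" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF != 7  { print "MALFORMED line " NR; review++; next }
        $2 != "" { next }                      # account has a password field set
        {
            # An empty field 7 means the system default shell, never the app.
            prog = ($7 == "") ? "(default shell)" : $7
            if ($3 == 0)            why = "uid 0"
            else if (!(prog in ok)) why = "program not approved"
            else { print "OK " $1 " -> " prog; next }
            print "REVIEW " $1 " -> " prog " (" why ")"; review++
        }
        END { exit (review > 0) }
    ' "$pwfile"
}

# Constructed sample entries; the hash and the application path are placeholders.
sample="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$sample" <<'EOF'
guesty::201:20:app user:/home/guesty:/opt/app/bin/menu
darrenp:PLACEHOLDERHASH:202:20::/home/darrenp:/usr/bin/sh
batch::203:20::/home/batch:/usr/bin/sh
toor::0:3::/:/sbin/sh
EOF
null_password_report "$sample" /opt/app/bin/menu
rm -f "$sample"
```
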