Operating System - HP-UX

/etc/default/security file


Hi,

I have 3 HP-UX 11.11 servers, which I need to implement minimum password length and password history. I know these parameters are controlled by the /etc/default/security file. From what I've read I need patch PHCO_27694, which I have installed.

I created an /etc/default/security file with the following parameters:
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10

The problem is, I can still create users with passwords with less than 8 characters, or reuse old passwords, when changing them.

Can someone please advise what needs to be done for this file to take effect. Does the server need a reboot or something?

Thanks
Achille
Rick Garland
Honored Contributor

Re: /etc/default/security file

What are the perms?

rw-r--r root sys security

The contents of mine;

SU_ROOT_GROUP=wheel
PASSWORD_MAXDAYS=5
PASSWORD_MINDAYS=1
PASSWORD_MIN_SPECIAL_CHARS=1
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=2
MIN_PASSWORD_LENGTH=9

This is a 11.11 system

saju_2
Respected Contributor

Re: /etc/default/security file

Hi achille

I put an entry in the security file MIN_PASSWORD_LENGTH=8. Then I tried to change the password for a user

nambisaj@xxx:/home/nambisaj > passwd nambisaj
Changing password for nambisaj
Old password:
New password:
Password too short - must be at least 8 characters
New password:
Password too short - must be at least 8 characters
New password:
Password too short - must be at least 8 characters
Too many failures - try later.

Then I removed the entry MIN_PASSWORD_LENGTH=8 from the file and tried to change the password. I gave a password of 4 characters

nambisaj@xxx:/home/nambisaj > passwd nambisaj
Changing password for nambisaj
Old password:
New password:
Password too short - must be at least 6 characters
New password:
Password too short - must be at least 6 characters
New password:
Password too short - must be at least 6 characters
Too many failures - try later.

Now it is asking for min 6 characters whereas earlier it was asking for 8 characters. For me it is working. So I don't think any change or reboot is required.

Check the spelling of the file you created and the entries you put.

Also, the man page of security says "This file must be world readable and root writable". Please check this also.

Regards
CS


Rick Garland
Honored Contributor

Re: /etc/default/security file

By default, the minimum passwd length is 6 characters.

Check to see if any non-printing characters are in the file.

cat -v

Re: /etc/default/security file

Thanks for the replies, however, I think it has to do with patch levels of some sort. For one HP-UX 11.11 (not trusted) it does not work. For another, which is trusted, it does not work, and for the third, which is trusted, it works OK. Very confusing :)
Mel Burslan
Honored Contributor

Re: /etc/default/security file

did you check the contents of (on a trusted system of course):

/tcb/files/auth/system/default

yet ?
________________________________
UNIX because I majored in cryptology...
Bill Hassell
Honored Contributor
Solution

Re: /etc/default/security file

The vast majority of /etc/default/security features are silently ignored on standard systems. You'll need a Trusted system for password history (there's no place to store old passwords on a non-Trusted system). Read the comments in the man page for security.


Bill Hassell, sysadmin
Ranjith_5
Honored Contributor

Re: /etc/default/security file

Hi,

As Bill pointed out just above, your problem could be because of your non-trusted system. Many of the security settings shown below in the /etc/default/security file will only be effective if the system is TRUSTED.

PASSWORD_HISTORY_DEPTH=
SU_ROOT_GROUP=
ABORT_LOGIN_ON_MISSING_HOMEDIR=
MIN_PASSWORD_LENGTH=
PASSWORD_MIN_UPPER_CASE_CHARS=
PASSWORD_MIN_LOWER_CASE_CHARS=
PASSWORD_MIN_DIGIT_CHARS=
PASSWORD_MIN_SPECIAL_CHARS=
UMASK=
PASSWORD_MAXDAYS=
PASSWORD_MINDAYS=
PASSWORD_WARNDAYS=

Hope the following doc will help you to know more about trusted system features and administration.

http://docs.hp.com/en/B2355-90121/index.html

Regards,
Syam
SteveKnapp
Senior Member

Re: /etc/default/security file

As of 2019, most of this has been outdated for about 10 years, as I understand. Instead of using "Trusted System" mode, the current recommendation is to use /etc/shadow by using the LongPassword11i3 features (currently included in the HP-UX 11i Base Operating Environment Component Bundle).

Refer to these posts from 2010: https://community.hpe.com/t5/Security/How-does-one-enable-long-password-on-HP-UX-11-31/m-p/6365595#M19407 and https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=LongPassword11i3.

Bill Hassell
Honored Contributor

Re: /etc/default/security file

Although a few folks at HP (HPE) recommended shadow password security a few years ago, my opinion is that Trusted Systems are more capable than shadow. There is no need to change to shadow. 

Current versions of HP-UX implement 4 different security methods:

1. standard (/etc/passwd only)
2. Trusted (used by HP and IBM)
3. shadow password (optional, 11.11 and higher)
4. security extensions (11.23 and higher)

Starting with 10.20, migration of the security interface began moving towards PAM (Pluggable Authentication Modules) and was complete by 11.11. PAM hides the underlying authentication methods and exists across many flavors of Unix but since it is new, old code still ignores the enhancements.

Trusted (IMHO) offers a lot more advantages (and security) than a simple shadow password file. But so much old code was based on simple password and simple shadow files that users complained about HP's Trusted systems. Not that the Trusted system wasn't good, but that old code had to be updated.

HP created shadow password capability starting at 11.11 but with a number of limitations.
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword


So HP (starting with 11.23) created the enhanced security product: 
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt


So the choice is to use Trusted for all systems or perhaps look towards the security extension in 11.23 and higher. The choice depends on your applications. A well written application will use PAM (if authentication is contained within the application) in which case, compatibility is quite easy.

One caution: 
Not documented anywhere, but the security file directives such as MIN_PASSWORD_LENGTH= must *NOT* have any trailing comments like this:

MIN_PASSWORD_LENGTH=9  # new requirement from IT security

The trailing # turns the entire line into a comment so it has no effect.



Bill Hassell, sysadmin
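The three pitfalls the thread raises (a trailing `#` that silently disables a directive, non-printing characters that `cat -v` would reveal, and the file mode the man page requires) as one lint script, added here as an example and not tooling from HP-UX or any poster. It runs against a constructed sample file and assumes a directive only takes effect when its line is exactly KEY=VALUE with no `#` and no control characters.

```shell
#!/bin/sh
# Added example (not HP-UX's nor this thread's own tooling): lint a copy of
# /etc/default/security for the pitfalls raised in the thread:
#   1. a '#' after a directive's value (the whole line is then ignored),
#   2. non-printing characters (what 'cat -v' would reveal),
#   3. file mode: world readable, writable only by root (security man page).
# Assumption: a directive counts only if the line is exactly KEY=VALUE with
# no '#' and no control or 8-bit characters anywhere on it.

# Value the file would apply for KEY ($2); empty if every KEY= line is
# commented out, spoiled by a trailing '#', or carries a non-printing byte.
effective_value() {
    grep "^$2=" "$1" | LC_ALL=C grep -v '[^ -~]' | grep -v '#' \
        | head -n 1 | cut -d= -f2-
}

# Directive lines that look set but are silently ignored, e.g.
# 'MIN_PASSWORD_LENGTH=9  # new requirement from IT security'.
trailing_comment_count() {
    grep -c '^[A-Z_][A-Z_0-9]*=.*#' "$1" || true
}

# Lines containing control or 8-bit bytes (tabs, CR from a Windows editor).
nonprinting_count() {
    LC_ALL=C grep -c '[^ -~]' "$1" || true
}

# Succeeds only if the mode is exactly -rw-r--r-- (world readable, root
# writable when owned by root), as the man page quoted in the thread requires.
mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ]
}

# Constructed sample file reproducing the mistakes discussed above.
SAMPLE=$(mktemp)
printf 'MIN_PASSWORD_LENGTH=9  # new requirement from IT security\n' >"$SAMPLE"
printf 'PASSWORD_HISTORY_DEPTH=10\n' >>"$SAMPLE"
printf 'PASSWORD_MAXDAYS=90\r\n' >>"$SAMPLE"     # CRLF line ending
printf '# PASSWORD_MINDAYS=1\n' >>"$SAMPLE"      # deliberately commented out
chmod 644 "$SAMPLE"

echo "directive lines killed by a trailing '#': $(trailing_comment_count "$SAMPLE")"
echo "lines with non-printing characters:        $(nonprinting_count "$SAMPLE")"
echo "MIN_PASSWORD_LENGTH in effect:    '$(effective_value "$SAMPLE" MIN_PASSWORD_LENGTH)'"
echo "PASSWORD_HISTORY_DEPTH in effect: '$(effective_value "$SAMPLE" PASSWORD_HISTORY_DEPTH)'"
mode_ok "$SAMPLE" && echo "file mode OK" || echo "file mode WRONG"
```

Run it against a copy of the real file by replacing the constructed SAMPLE; a non-empty trailing-comment count explains a directive that appears to be set but is not enforced.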