- /etc/default/security file
10-12-2005 09:56 AM
I have 3 HP-UX 11.11 servers on which I need to implement minimum password length and password history. I know these parameters are controlled by the /etc/default/security file. From what I've read I need patch PHCO_27694, which I have installed.
I created an /etc/default/security file with the following parameters:
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10
The problem is, I can still create users with passwords with less than 8 characters, or reuse old passwords, when changing them.
Can someone please advise what needs to be done for this file to take effect? Does the server need a reboot or something?
Thanks
Achille
10-12-2005 10:10 AM
Re: /etc/default/security file
rw-r--r root sys security
The contents of mine;
SU_ROOT_GROUP=wheel
PASSWORD_MAXDAYS=5
PASSWORD_MINDAYS=1
PASSWORD_MIN_SPECIAL_CHARS=1
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=2
MIN_PASSWORD_LENGTH=9
This is an 11.11 system
10-12-2005 10:18 AM
Re: /etc/default/security file
I put an entry in the security file MIN_PASSWORD_LENGTH=8. Then I tried to change the password for a user
nambisaj@xxx:/home/nambisaj > passwd nambisaj
Changing password for nambisaj
Old password:
New password:
Password too short - must be at least 8 characters
New password:
Password too short - must be at least 8 characters
New password:
Password too short - must be at least 8 characters
Too many failures - try later.
Then I removed the entry MIN_PASSWORD_LENGTH=8 from the file and tried to change the password. I gave a password of 4 characters
nambisaj@xxx:/home/nambisaj > passwd nambisaj
Changing password for nambisaj
Old password:
New password:
Password too short - must be at least 6 characters
New password:
Password too short - must be at least 6 characters
New password:
Password too short - must be at least 6 characters
Too many failures - try later.
Now it is asking for min 6 characters whereas earlier it was asking for 8 characters. For me it is working. So I don't think any change or reboot is required.
Check the spelling of the file you created and the entries you put.
Also, the man page of security says "This file must be world readable and root writable". Please check this also.
Regards
CS
10-12-2005 10:23 AM
Re: /etc/default/security file
Check to see if any non-printing characters are in the file.
cat -v
10-12-2005 11:07 AM
Re: /etc/default/security file
10-12-2005 02:52 PM
Re: /etc/default/security file
/tcb/files/auth/system/default
yet ?
UNIX because I majored in cryptology...
10-12-2005 03:29 PM
Solution
Bill Hassell, sysadmin
10-12-2005 04:18 PM
Re: /etc/default/security file
As Bill pointed out just above, your problem could be because of your non-trusted system. Many of the security settings shown below in the /etc/default/security file will only be effective if the system is TRUSTED.
PASSWORD_HISTORY_DEPTH=
SU_ROOT_GROUP=
ABORT_LOGIN_ON_MISSING_HOMEDIR=
MIN_PASSWORD_LENGTH=
PASSWORD_MIN_UPPER_CASE_CHARS=
PASSWORD_MIN_LOWER_CASE_CHARS=
PASSWORD_MIN_DIGIT_CHARS=
PASSWORD_MIN_SPECIAL_CHARS=
UMASK=
PASSWORD_MAXDAYS=
PASSWORD_MINDAYS=
PASSWORD_WARNDAYS=
Hope the following doc will help you to know more about trusted system features and administration.
http://docs.hp.com/en/B2355-90121/index.html
Regards,
Syam
12-09-2019 01:54 PM
Re: /etc/default/security file
As of 2019, most of this has been outdated for about 10 years, as I understand. Instead of using "Trusted System" mode, the current recommendation is to use /etc/shadow by using the LongPassword11i3 features (currently included in the HP-UX 11i Base Operating Environment Component Bundle).
Refer to these posts from 2010: https://community.hpe.com/t5/Security/How-does-one-enable-long-password-on-HP-UX-11-31/m-p/6365595#M19407 and https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=LongPassword11i3.
12-09-2019 08:29 PM - edited 12-09-2019 08:54 PM
Re: /etc/default/security file
Although a few folks at HP (HPE) recommended shadow password security a few years ago, my opinion is that Trusted Systems are more capable than shadow. There is no need to change to shadow.
Current versions of HP-UX implement 4 different security methods:
1. standard (/etc/passwd only)
2. Trusted (used by HP and IBM)
3. shadow password (optional, 11.11 and higher)
4. security extensions (11.23 and higher)
Starting with 10.20, migration of the security interface began moving towards PAM (Pluggable Authentication Modules) and was complete by 11.11. PAM hides the underlying authentication methods and exists across many flavors of Unix but since it is new, old code still ignores the enhancements.
Trusted (IMHO) offers a lot more advantages (and security) than a simple shadow password file. But so much old code was based on simple password and simple shadow files that users complained about HP's Trusted systems. Not that the Trusted system wasn't good, but that old code had to be updated.
HP created shadow password capability starting at 11.11 but with a number of limitations.
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword
So HP (starting with 11.23) created the enhanced security product:
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt
So the choice is to use Trusted for all systems or perhaps look towards the security extension in 11.23 and higher. The choice depends on your applications. A well written application will use PAM (if authentication is contained within the application) in which case, compatibility is quite easy.
One caution:
Not documented anywhere, but the security file directives such as MIN_PASSWORD_LENGTH= must *NOT* have any trailing comments like this:
MIN_PASSWORD_LENGTH=9 # new requirement from IT security
The trailing # turns the entire line into a comment so it has no effect.
Bill Hassell, sysadmin
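
The checks suggested across this thread (world-readable permissions, `cat -v` for non-printing characters, spelling of the entries, no trailing comments) combined into one POSIX shell lint, as an added example that is not part of any post above. The function name, output format and sample file are constructed for illustration, and the attribute list is only the one quoted in the thread.

```shell
#!/bin/sh
# Added example: lint a security(4)-style file for the mistakes raised in this thread.
# KNOWN_KEYS is only the attribute list quoted in the thread, not the full set.
KNOWN_KEYS="PASSWORD_HISTORY_DEPTH SU_ROOT_GROUP ABORT_LOGIN_ON_MISSING_HOMEDIR
MIN_PASSWORD_LENGTH PASSWORD_MIN_UPPER_CASE_CHARS PASSWORD_MIN_LOWER_CASE_CHARS
PASSWORD_MIN_DIGIT_CHARS PASSWORD_MIN_SPECIAL_CHARS UMASK PASSWORD_MAXDAYS
PASSWORD_MINDAYS PASSWORD_WARNDAYS"

# Prints one finding per line as LINE:CODE:detail (LINE is 0 for file-level findings).
lint_security_file() {
    f=$1
    [ -r "$f" ] || { echo "0:MISSING:$f not found or unreadable"; return 0; }
    # "World readable" per the man page quote; ownership is not checked here.
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$(echo "$mode" | cut -c8)" = "r" ] || echo "0:PERMS:$mode is not world readable"
    # Same idea as 'cat -v': flag any byte outside printable ASCII (CR, tab, ...).
    LC_ALL=C grep -n '[^[:print:]]' "$f" | while IFS=: read -r num rest; do
        echo "$num:NONPRINT:non-printing character"
    done
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                          # blank or full-line comment
            *=*'#'*) echo "$n:TRAILING_COMMENT:$line" ;;  # directive followed by a comment
            *=*) ;;
            *) echo "$n:NO_EQUALS:$line"; continue ;;
        esac
        key=${line%%=*}
        case " $(echo $KNOWN_KEYS) " in
            *" $key "*) ;;
            *) echo "$n:UNKNOWN_KEY:$key" ;;
        esac
    done < "$f"
}

# Constructed sample: a trailing comment, a misspelled key, and a DOS line ending.
sample=$(mktemp)
printf '%s\n' '# password policy' \
    'MIN_PASSWORD_LENGTH=9 # new requirement from IT security' \
    'PASSWORD_HISTORY_DEPHT=10' > "$sample"
printf 'PASSWORD_MAXDAYS=90\r\n' >> "$sample"
chmod 644 "$sample"
lint_security_file "$sample"
```

Point it at the real file with `lint_security_file /etc/default/security`; no output means none of these checks fired.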