HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Appendix A Trusted Systems

Managing Trusted Passwords and System Access

The password is the most important individual user identification symbol. With it, the system authenticates a user to allow access to the system. Because they are vulnerable to compromise when used, stored, or known, passwords must be kept secret at all times.

Also see Chapter 2 for password information.

Security Administrator's Responsibilities

The security administrator and every user on the system must share responsibility for password security. The security administrator performs the following security tasks:

  • Generates temporary passwords for new users. This password must be used for the first login. Once this temporary password has been verified, the new user is prompted for a new password.

  • Maintains proper permissions on all system files, including the standard password file, /etc/passwd, and the trusted database files, /tcb/files/auth/*.

  • Establishes password aging.

  • Manages password reuse.

  • Deletes or nullifies expired passwords, user IDs, and passwords of users no longer eligible to access the system.

User's Responsibilities

Every user must observe the following rules:

  • Remember the password and keep it secret at all times.

  • Change the initial password immediately; thereafter, change the password regularly.

  • Report any changes in status and any suspected security violations.

  • Make sure no one is watching when you enter the password.

  • Choose a different password for each machine on which you have an account.

Password Files

A trusted system maintains multiple password files: the /etc/passwd file and the files in the protected password database /tcb/files/auth/ (see “The /tcb/files/auth/ Database”). Each user has an entry in both files, and login looks at both entries to authenticate login requests.

All passwords are encrypted immediately after entry and stored in /tcb/files/auth/user-char/user-name, the user's protected password database file. Only the encrypted password is used in comparisons.

Do not permit any empty (null) password fields in either password file. On trusted systems, the password field in /etc/passwd is ignored. A user with an empty password will be forced to set a password upon login on a trusted system. However, even this leaves the potential for a security breach, because anyone who logs in to this account is prompted to set its password.

Do not edit the password files directly. Use HP SMH, useradd, userdel, or usermod to modify password file entries.

The /etc/passwd File

A trusted system uses the /etc/passwd file to identify a user at login time. The file contains an entry for every account on the HP-UX system. Each entry consists of seven fields, separated by colons. A typical entry for /etc/passwd in a trusted system looks like this:

robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh

The fields contain the following information (listed in order), separated by colons:

  1. User (login) name, consisting of up to 8 characters. (In the example, robin)

  2. Unused password field, held by an asterisk instead of an actual password. (*)

  3. User ID, an integer ranging from 0 to MAXINT-1, equal to 2,147,483,646 or 2^31 - 2. (102)

  4. Group ID, from /etc/group, an integer ranging from 0 to MAXINT-1. (99)

  5. Comment field, used to identify such information as the user's full name, location, and phone numbers. For historic reasons, this is also called the gecos field. (Robin Hood,Rm 3,x9876,408-555-1234)

  6. Home directory, the user's initial login directory. (/home/robin)

  7. Login program path name, executed when the user logs in. (/usr/bin/sh)

The user can change the comment field (fifth field) with the chfn command and the login program path name (seventh field) with the chsh command. The system administrator sets the remaining fields. The user ID should be unique. For more information, see chfn(1), chsh(1), passwd(1), and passwd(4). The user can change the password in the protected password database with passwd.
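The following audit script is an added example (not part of the HP-UX documentation or the HP-UX tools) that checks /etc/passwd-style entries against the rules stated above: seven colon-separated fields, a login name of at most 8 characters, no empty password field, an asterisk in the password field on a trusted system, user and group IDs within 0 to MAXINT-1, and unique user IDs. The sample entries are constructed for the example; only the first one is taken from the text.

```python
"""Audit /etc/passwd-style entries against the trusted-system rules above.
Added example, not HP-UX code; the sample lines below are constructed."""

MAXINT_MINUS_1 = 2**31 - 2   # largest legal user or group ID per the text

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_entry(line):
    """Split one colon-separated /etc/passwd line into its seven fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError("expected 7 fields, got %d: %r" % (len(parts), line))
    return dict(zip(FIELDS, parts))


def audit_entry(entry, trusted=True):
    """Return a list of findings for one entry (an empty list means clean)."""
    findings = []
    if not 1 <= len(entry["name"]) <= 8:
        findings.append("login name must be 1 to 8 characters")
    pw = entry["password"]
    if pw == "":
        findings.append("empty (null) password field")
    elif trusted and pw != "*":
        # On a trusted system the hash lives in /tcb/files/auth, not here.
        findings.append("trusted system expects '*' in the password field")
    for key in ("uid", "gid"):
        if not entry[key].isdigit() or not 0 <= int(entry[key]) <= MAXINT_MINUS_1:
            findings.append("%s out of range 0..MAXINT-1" % key)
    if not entry["home"].startswith("/"):
        findings.append("home directory is not an absolute path")
    if not entry["shell"].startswith("/"):
        findings.append("login program is not an absolute path")
    return findings


def audit_file(text, trusted=True):
    """Audit every line of a passwd file; also flag duplicate user IDs."""
    report = {}
    seen_uids = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            report[line] = [str(exc)]      # unparseable line, keyed by its text
            continue
        findings = audit_entry(entry, trusted)
        uid = entry["uid"]
        if uid.isdigit():
            if uid in seen_uids:
                findings.append("duplicate user ID %s (also %s)" % (uid, seen_uids[uid]))
            else:
                seen_uids[uid] = entry["name"]
        if findings:
            report[entry["name"]] = findings
    return report


# Constructed sample: the book's example entry followed by defective ones.
SAMPLE = """\
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
marian::103:99:Maid Marian:/home/marian:/usr/bin/sh
tuck:*:102:99:Friar Tuck:/home/tuck:/usr/bin/sh
scarlet:x7Fq9:105:99:Will Scarlet:/home/scarlet:/usr/bin/sh
john:x7Fq:104:99:Little John:/home/john
"""

if __name__ == "__main__":
    for who, problems in audit_file(SAMPLE).items():
        print(who, "->", "; ".join(problems))
```

Run against a real file with audit_file(open("/etc/passwd").read()); on a non-trusted system pass trusted=False so that a hash in the second field is not reported.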

The /tcb/files/auth/ Database

When a system is converted to a trusted system, the encrypted password, normally held in the second field of /etc/passwd, is moved to the protected password database, and an asterisk holds its place in the /etc/passwd file.

Protected password database files are stored in the /tcb/files/auth/ hierarchy. User authentication profiles are stored in these directories based on the first letter of the user account name. For example, the authentication profile for user david is stored in the file /tcb/files/auth/d/david.

On trusted systems, key security elements are held in the protected password database, accessible only to superusers. Use HP SMH to set password data entries. Password data that is not set for a user will default to the system defaults stored in the file /tcb/files/auth/system/default.

The protected password database contains many authentication entries for the user. See prpwd(4) for more information on these entries, which include the following:

  • User name and user ID

  • Encrypted password

  • Account owner

  • Boot authentication to allow specified users to boot the system; see security(4).

  • Audit ID and audit flag for the user (whether audit is on or not)

  • Minimum time between password changes

  • Password maximum length

  • Password expiration time, after which the password must be changed

  • Password lifetime, after which the account is locked

  • Time of last successful and unsuccessful password changes

  • Absolute time (date) when the account will expire

  • Maximum time allowed between logins before the account is locked

  • Number of days before expiration when a warning will appear

  • Whether passwords are user-generated or system-generated

  • Password triviality check to prevent common words or well-known terms from being used as passwords

  • Type of system-generated passwords

  • Null passwords

  • User ID of last person to change password, if not the account owner

  • Time periods when this account can be used for login

  • Identification of terminal or remote hosts associated with the last successful and unsuccessful logins to this account

  • Number of unsuccessful login attempts; cleared upon successful login

  • Maximum number of login attempts allowed before account is locked

Password Selection and Generation

On trusted systems, the following password generation options are available:

  • User-generated passwords.

    A password screening option is available to check for the use of login and group names, login and group name permutations, and palindromes.

    A new password must differ from the old password by at least 3 characters.

  • System-generated passwords using a combination of letters only.

  • System-generated passwords using a combination of letters, numbers, and punctuation characters.

  • System-generated passwords using pronounceable meaningless syllables.

You can set password generation options for a system. Alternately, you can set password generation options on a per-user basis, overriding the system default.

You must set at least one password generation option for each user. If more than one option is available to a user, a password generation menu is displayed when the user changes the password.

Password Aging

You can enable or disable password aging for each user. When password aging is enabled, the system maintains the following for the password:

Minimum time

The minimum time required between password changes. This prevents a user from changing the password and then changing it back immediately to avoid memorizing a new one.

Expiration time

A time after which a user must change that password at login.

Warning time

The time before expiration when a warning will be issued.

Lifetime

The time at which the account associated with the password is locked if the password is not changed. Once an account is locked, only the system administrator can unlock it. Once unlocked, the password must still be changed before the user can log into the account.

The expiration time and lifetime values are reset when a password is changed. A lifetime of zero specifies no password aging; in this case, the other password aging times have no effect.
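The simulation below is an added example, not HP-UX code, that replays a login and password-change timeline against the four aging values just described (minimum time, expiration time, warning time, lifetime). The policy values and the event timeline are constructed; times are whole days measured from the last password change, and a lifetime of zero switches aging off exactly as the text states.

```python
"""Simulate the password-aging rules described in this section.
Added example (not HP-UX code); the policy and the timeline are constructed.
All times are whole days counted from the last password change."""


def aging_state(days_since_change, policy):
    """Classify a password against the aging policy.

    policy keys: min_time, expiration, warning, lifetime (all in days).
    lifetime == 0 disables aging, and the other values then have no effect.
    """
    if policy["lifetime"] == 0:
        return "valid"
    if days_since_change >= policy["lifetime"]:
        return "locked"       # account locked; only the administrator can unlock
    if days_since_change >= policy["expiration"]:
        return "expired"      # password must be changed at the next login
    if days_since_change >= policy["expiration"] - policy["warning"]:
        return "warning"      # warning issued at login
    return "valid"


def simulate(policy, events):
    """Replay (day, action) events, action in {'login', 'change', 'unlock'}.

    Returns a list of (day, action, outcome) showing how the rules interact:
    minimum time between changes, expiry warning, expiry, lock, admin unlock.
    """
    last_change = 0
    locked = False
    must_change = False    # set by an admin unlock: change required before login
    log = []
    for day, action in events:
        age = day - last_change
        state = aging_state(age, policy)
        if action == "login":
            if locked:
                outcome = "refused: account locked"
            elif must_change:
                outcome = "password change required"
            elif state == "locked":
                locked = True
                outcome = "refused: account locked"
            elif state == "expired":
                outcome = "password change required"
            elif state == "warning":
                outcome = "ok, expiry warning"
            else:
                outcome = "ok"
        elif action == "change":
            if locked:
                outcome = "refused: account locked"
            elif policy["lifetime"] != 0 and age < policy["min_time"] and not must_change:
                outcome = "refused: minimum time not elapsed"
            else:
                last_change = day          # expiration and lifetime are reset
                must_change = False
                outcome = "changed"
        elif action == "unlock":
            locked = False                 # administrator action
            must_change = True             # password still has to be changed
            outcome = "unlocked by administrator"
        else:
            raise ValueError("unknown action %r" % action)
        log.append((day, action, outcome))
    return log


# Constructed policy and timeline.
POLICY = {"min_time": 2, "expiration": 30, "warning": 5, "lifetime": 45}
EVENTS = [(3, "change"), (4, "change"), (10, "login"), (30, "login"),
          (34, "login"), (50, "login"), (50, "change"), (50, "unlock"),
          (51, "login"), (51, "change"), (52, "login")]

if __name__ == "__main__":
    for day, action, outcome in simulate(POLICY, EVENTS):
        print("day %2d  %-7s %s" % (day, action, outcome))
```

The timeline shows the change on day 4 refused by the minimum time, the warning window opening on day 30 (expiration 30 minus warning 5 after the day-3 change), the forced change after expiration, the lock once the lifetime passes, and the administrator unlock that still requires a password change before the next login succeeds.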

Password History and Password Reuse

You can enable the password history feature on a systemwide basis to discourage users from reusing previous passwords.

You enable the password reuse check by defining the PASSWORD_HISTORY_DEPTH attribute in the /etc/default/security file:

PASSWORD_HISTORY_DEPTH=n

where n is an integer specifying the number of previous passwords to check.

When a user changes the password, the new password is checked against the previous n passwords, starting with the current password. If the system finds a match, it rejects the new password. An n of 2 prevents users from alternating between two passwords.

For more information, see passwd(1) and security(4).
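The following code is an added example, not HP-UX code, that applies the user-generated password rules from “Password Selection and Generation” (screening against login and group names, their permutations and palindromes, and the requirement that a new password differ from the old one by at least 3 characters) together with the PASSWORD_HISTORY_DEPTH reuse check from this section. HP-UX stores crypt(3) hashes in the protected password database; here a salted SHA-256 stands in for that hash (an assumption made for portability), and "differ by 3 characters" is interpreted as at least three differing positions, length differences included (also an assumption). Names, group, and passwords are constructed.

```python
"""Screen a proposed password and enforce PASSWORD_HISTORY_DEPTH.
Added example, not HP-UX code. A salted SHA-256 stands in for the stored
crypt(3) hash so the history check compares hashes, never stored plaintext."""
import hashlib
import itertools
import os


def hash_password(password, salt):
    """Stand-in for the stored one-way hash (assumption: salted SHA-256)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def is_palindrome(s):
    s = s.lower()
    return len(s) > 1 and s == s[::-1]


def name_permutations(names, max_len=6):
    """Login/group names, their reversals, and every letter ordering of
    short names (the 'permutations' the screening option rejects)."""
    out = set()
    for n in names:
        n = n.lower()
        out.add(n)
        out.add(n[::-1])
        if len(n) <= max_len:
            out.update("".join(p) for p in itertools.permutations(n))
    return out


def differs_enough(new, old, min_diff=3):
    """Assumed reading of 'differ by at least 3 characters': count positions
    that differ, plus one for every character of length difference."""
    diff = abs(len(new) - len(old))
    diff += sum(1 for a, b in zip(new, old) if a != b)
    return diff >= min_diff


def screen_password(candidate, login, groups):
    """Return a rejection reason for a user-generated password, or None."""
    if candidate.lower() in name_permutations([login] + list(groups)):
        return "derived from a login or group name"
    if is_palindrome(candidate):
        return "palindrome"
    return None


def check_history(candidate, history, depth):
    """PASSWORD_HISTORY_DEPTH=depth: compare against the previous depth
    hashes, current password first. history is (salt, hash), newest first."""
    for salt, stored in history[:depth]:
        if hash_password(candidate, salt) == stored:
            return False
    return True


def accept_new_password(candidate, old_plain, login, groups, history, depth):
    """Run all checks in order; old_plain is what the user typed as the old password."""
    reason = screen_password(candidate, login, groups)
    if reason:
        return "rejected: " + reason
    if not differs_enough(candidate, old_plain):
        return "rejected: differs from old password by fewer than 3 characters"
    if not check_history(candidate, history, depth):
        return "rejected: matches one of the previous %d passwords" % depth
    return "accepted"


def record_password(history, password):
    """Store a new password hash at the front of the history."""
    salt = os.urandom(8)
    history.insert(0, (salt, hash_password(password, salt)))
    return history


def demo():
    """Constructed user 'robin' in group 'users', history depth 2."""
    history = []
    for old in ["winter2006", "spring2007", "summer2007"]:   # oldest first
        record_password(history, old)
    candidates = ["robin", "nibor", "level", "summer2008",
                  "spring2007", "winter2006", "autumn2007"]
    return {c: accept_new_password(c, "summer2007", "robin", ["users"], history, 2)
            for c in candidates}


if __name__ == "__main__":
    for candidate, verdict in demo().items():
        print("%-12s %s" % (candidate, verdict))
```

Note that with a depth of 2 the third-oldest password (winter2006) is accepted again: the history check looks only as far back as PASSWORD_HISTORY_DEPTH, which is why the depth should cover as many previous passwords as the reuse policy requires.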

Time-Based Access Control

On trusted systems, you can specify the times of day and days of the week during which each user is allowed to log in. When a user attempts to log in outside the allowed access time, the event is logged (if auditing is enabled for login failures and successes) and the login is terminated. A superuser can log in outside the allowed access time, but the event is logged. The permitted range of access times is stored in the protected password database for users and can be set with HP SMH. Users who are already logged in when a range ends are not logged out.
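The code below is an added example, not HP-UX code, that evaluates a login attempt against allowed time windows exactly as the paragraph describes: an ordinary login outside the window is logged and terminated, a superuser login proceeds but is still logged, and an empty specification imposes no restriction. The window notation used here ("Mo-Fr 0800-1800, Sa 0900-1200") is constructed for the example and is not the prpwd(4) field format; the user names and timestamps are also constructed.

```python
"""Evaluate a login attempt against time-of-day / day-of-week windows.
Added example, not HP-UX code; the window notation is constructed and is
not the prpwd(4) format."""
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]   # datetime.weekday() order


def _minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def parse_windows(spec):
    """'Mo-Fr 0800-1800, Sa 0900-1200' -> [(day_indices, start_min, end_min), ...]"""
    windows = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        days_part, hours_part = item.split()
        if "-" in days_part:
            first, last = days_part.split("-")
            lo, hi = DAYS.index(first), DAYS.index(last)
            if lo <= hi:
                days = list(range(lo, hi + 1))
            else:                                  # range wrapping past Sunday
                days = list(range(lo, 7)) + list(range(0, hi + 1))
        else:
            days = [DAYS.index(days_part)]
        start, end = hours_part.split("-")
        windows.append((days, _minutes(start), _minutes(end)))
    return windows


def in_window(windows, when):
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in windows)


def check_login(user, spec, when, superuser=False, events=None):
    """Apply the access-time rule at login time.

    Returns 'allowed' or 'denied'. Out-of-window attempts are appended to
    `events` (the audit record) whether or not the login proceeds. Sessions
    already open when a window closes are not affected, as the text states.
    """
    if events is None:
        events = []
    if not spec.strip() or in_window(parse_windows(spec), when):
        return "allowed"
    events.append("%s login by %s at %s outside allowed times"
                  % ("superuser" if superuser else "user", user, when.isoformat(" ")))
    return "allowed" if superuser else "denied"


# Constructed policy and attempts (June 2008: the 2nd is a Monday, 7th a Saturday, 8th a Sunday).
SPEC = "Mo-Fr 0800-1800, Sa 0900-1200"


def demo():
    events = []
    attempts = [
        ("weekday-in",   "robin", datetime(2008, 6, 2, 9, 30), False),
        ("weekday-late", "robin", datetime(2008, 6, 2, 19, 0), False),
        ("saturday-in",  "robin", datetime(2008, 6, 7, 10, 0), False),
        ("sunday",       "robin", datetime(2008, 6, 8, 10, 0), False),
        ("root-sunday",  "root",  datetime(2008, 6, 8, 10, 0), True),
    ]
    results = {label: check_login(user, SPEC, when, su, events)
               for label, user, when, su in attempts}
    return results, events


if __name__ == "__main__":
    results, events = demo()
    for label, verdict in results.items():
        print("%-13s %s" % (label, verdict))
    for line in events:
        print("AUDIT:", line)
```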

Device-Based Access Control

For each MUX port and dedicated DTC port on a trusted system, you can specify a list of users allowed for access. When the list is null for a device, all users are allowed access.

The device access information is stored in the device assignment database, /tcb/files/devassign, which contains an entry for each terminal device on the trusted system. A field in the entry lists the users allowed on the device.

Terminal login information on a trusted system is stored in the terminal control database, /tcb/files/ttys, which provides the following data for each terminal:

  • Device name

  • User ID of the last user to successfully log into the terminal

  • Last successful login time to the terminal

  • Last unsuccessful login time to the terminal

  • Number of consecutive unsuccessful logins before terminal is locked

  • Terminal lock flag

Only superusers can access these trusted system databases and can set the entries using HP SMH. See devassign(4) and ttys(4).

Manipulating the Trusted System Databases

Use the library routines described in the following manpages to access information in the password files and in other trusted system databases:

getdvagent(3)

Manipulates device entries in /tcb/files/devassign

getprdfent(3)

Manipulates system defaults in /tcb/files/auth/system/default

getprpwent(3)

Gets password entries from /tcb/files/auth/

getprtcent(3)

Manipulates terminal control database, /tcb/files/ttys

getpwent(3C)

Gets password entries from /etc/passwd

putpwent(3C)

Writes password file entries to /etc/passwd

getspwent(3X)

Gets password entries from /tcb/files/auth/ (provided for backward compatibility)

putspwent(3X)

Writes password entries to /tcb/files/auth/ (provided for backward compatibility)

putprpwnam(3)

Writes password file entries to /tcb/files/auth/

© 2008 Hewlett-Packard Development Company, L.P.