The password is the most
important individual user identification symbol. With it, the system
authenticates a user to allow access to the system. Because they are
vulnerable to compromise when used, stored, or known, passwords must
be kept secret at all times.
Also see Chapter 2 for password information.
Security Administrator's Responsibilities
The security administrator and every user on the system must share responsibility for password security. The security administrator performs the following security tasks:
- Generates temporary passwords for new users. This password must be used for the first login. When this password has been verified, the new user is prompted for a new password.
- Maintains proper permissions on all system files, including the standard password file, /etc/passwd, and the trusted database files, /tcb/files/auth/*.
- Establishes password aging.
- Deletes or nullifies expired passwords, user IDs, and passwords of users no longer eligible to access the system.
Every user must observe the following rules:
- Remember the password and keep it secret at all times.
- Change the initial password immediately; thereafter, change the password regularly.
- Report any changes in status and any suspected security violations.
- Make sure no one is watching when you enter the password.
- Choose a different password for each machine on which you have an account.
A trusted system maintains multiple password files:
the /etc/passwd file and the files in the protected
password database /tcb/files/auth/ (see “The /tcb/files/auth/ Database”). Each user has an entry in two files, and login looks at both entries to authenticate login requests.
All passwords are encrypted immediately after entry
and stored in /tcb/files/auth/user-char/user-name, the user's
protected password database file. Only the encrypted password is used
Do not permit any empty (null) password fields in either password file. On trusted systems, the password field in /etc/passwd is ignored. A user with an empty password will be forced to set a password upon login on a trusted system. However, even this leaves a potential for a security breach, because anyone logging in to this account is required to set the password.
Do not edit the password files directly. Use HP
SMH, useradd, userdel, or usermod to modify password file entries.
A trusted system uses the /etc/passwd file to identify a user at login time. The file contains an entry
for every account on the HP-UX system. Each entry consists of seven
fields, separated by colons. A typical entry for /etc/passwd in a trusted system looks like this:
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
The fields contain the following information (listed in order), separated by colons:
- User (login) name, consisting of up to 8 characters. (In the example, robin)
- Unused password field, held by an asterisk instead of an actual password. (*)
- User ID, an integer ranging from 0 to MAXINT-1, equal to 2,147,483,646 or 2^31 - 2. (102)
- Group ID, from /etc/group, an integer ranging from 0 to MAXINT-1. (99)
- Comment field, used to identify such information as the user's full name, location, and phone numbers. For historic reasons, this is also called the gecos field. (Robin Hood,Rm 3,x9876,408-555-1234)
- Home directory, the user's initial login directory. (/home/robin)
- Login program path name, executed when the user logs in. (/usr/bin/sh)
The user can change the comment field (fifth field)
with the chfn command and the login program path
name (seventh field) with the chsh command. The
system administrator sets the remaining fields. The user ID should
be unique. For more information, see chfn(1), chsh(1), passwd(1), and passwd(4). The user can change the password in the protected
password database with passwd.
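The invariants above (seven colon-separated fields, an asterisk in the password field, no empty password field, UIDs in 0..MAXINT-1 and unique) can be checked mechanically. The following audit script is an added example, not HP-UX code; the sample entries are constructed, and on a real system you would feed it the contents of /etc/passwd instead.

```python
"""Audit /etc/passwd entries for trusted-system invariants (added example)."""
MAXINT = 2**31 - 1      # valid UID/GID range is 0 .. MAXINT-1
MAX_LOGIN_LEN = 8

# Constructed sample: one clean entry followed by several defective ones.
SAMPLE_PASSWD = """\
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
marian::103:99:Maid Marian:/home/marian:/usr/bin/sh
tuck:*:104:99:Friar Tuck:/home/tuck
littlejohn:*:105:99:Little John:/home/lj:/usr/bin/sh
will:*:102:99:Will Scarlet:/home/will:/usr/bin/sh
sheriff:x:2147483647:99:Sheriff:/home/sheriff:/usr/bin/sh
"""

def audit_passwd(text):
    """Return a list of (login-or-line, problem) findings; empty when clean."""
    findings = []
    seen_uids = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "expected 7 colon-separated fields"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not 1 <= len(name) <= MAX_LOGIN_LEN:
            findings.append((name or f"line {lineno}", "login name must be 1-8 characters"))
        if pw == "":
            findings.append((name, "empty password field is not permitted"))
        elif pw != "*":
            findings.append((name, "password field should be '*' on a trusted system"))
        for label, value in (("UID", uid), ("GID", gid)):
            if not value.isdigit() or not 0 <= int(value) <= MAXINT - 1:
                findings.append((name, f"{label} {value!r} outside 0..{MAXINT - 1}"))
        if uid.isdigit():
            if uid in seen_uids:          # user IDs should be unique
                findings.append((name, f"UID {uid} already used by {seen_uids[uid]}"))
            else:
                seen_uids[uid] = name
        if home == "" or shell == "":
            findings.append((name, "home directory and login program must be set"))
    return findings

if __name__ == "__main__":
    for who, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {problem}")
```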
The /tcb/files/auth/ Database
When a system is converted to a trusted system,
the encrypted password, normally held in the second field of /etc/passwd, is moved to the protected password database,
and an asterisk holds its place in the /etc/passwd file.
Protected password database files are stored in
the /tcb/files/auth/ hierarchy. User authentication
profiles are stored in these directories based on the first letter
of the user account name. For example, the authentication profile
for user david is stored in the file /tcb/files/auth/d/david.
On trusted systems, key security elements are held
in the protected password database, accessible only to superusers.
Use HP SMH to set password data entries. Password data that is not
set for a user will default to the system defaults stored in the file /tcb/files/auth/system/default.
The protected password database contains many authentication
entries for the user. See prpwd(4) for more information on these
entries, which include the following:
- Boot authentication to allow specified users to boot the system; see security(4).
- Audit ID and audit flag for the user (whether audit is on or not)
- Minimum time between password changes
- Password expiration time, after which the password must be changed
- Password lifetime, after which the account is locked
- Time of last successful and unsuccessful password changes
- Absolute time (date) when the account will expire
- Maximum time allowed between logins before the account is locked
- Number of days before expiration when a warning will appear
- Whether passwords are user-generated
- Password triviality check to prevent common words or well-known terms from being used as passwords
- Type of system-generated passwords
- User ID of last person to change password, if not the account owner
- Time periods when this account can be used for login
- Identification of terminal or remote hosts associated with the last successful and unsuccessful logins to this account
- Number of unsuccessful login attempts; cleared upon successful login
- Maximum number of login attempts allowed before account is locked
Password Selection and Generation
On trusted systems, the following password generation options are available:
- Using a combination of letters only.
- Using a combination of letters, numbers, and punctuation characters.
- Using pronounceable meaningless syllables.
A password screening option is available to check for the use of login and group names, login and group name permutations,
A new password must differ from the old password by at least 3 characters.
You can set password generation options for a system.
Alternately, you can set password generation options on a per-user
basis, overriding the system default.
You must set at least one password generation option
for each user. If more than one option is available to a user, a password
generation menu is displayed when the user changes the password.
You can enable or disable password aging for each user. When password aging is enabled, the system maintains the following for the password:
- Minimum time
The minimum time required between password changes. This prevents a user from changing the password and then changing it back immediately to avoid memorizing a new one.
- Expiration time
A time after which a user must change that password at login.
- Warning time
The time before expiration when a warning will be issued.
- Lifetime
The time at which the account associated with the password is locked if the password is not changed. Once an account is locked, only the system administrator can unlock it. Once unlocked, the password must still be changed before the user can log into the account.
The expiration time and lifetime values are reset when a password is changed. A lifetime of zero specifies no password aging; in this case, the other password aging times have no effect.
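The interaction of the four aging values, including the lifetime-of-zero rule and the state of an account after an administrator unlocks it, is easier to see as code. This is an added example, not HP-UX code: the AgingPolicy fields mirror the values described above, but the data structures, day-based units and status names are assumptions of the example.

```python
"""Password-aging state for one account (added example, not HP-UX code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AgingPolicy:
    """Per-user aging values, all in days. Assumes expiration <= lifetime."""
    min_time: int     # minimum days between two password changes
    expiration: int   # days after which the password must be changed at login
    warning: int      # days before expiration at which a warning is issued
    lifetime: int     # days after which the account is locked; 0 disables aging

def login_status(policy, days_since_change, admin_unlocked=False):
    """Classify a login attempt as 'ok', 'warn', 'expired' or 'locked'.

    days_since_change counts from the last successful change, because the
    expiration and lifetime clocks are reset whenever the password changes.
    """
    if policy.lifetime == 0:
        return "ok"                   # no aging: the other values have no effect
    if days_since_change >= policy.lifetime and not admin_unlocked:
        return "locked"               # only the system administrator can unlock
    if days_since_change >= policy.expiration:
        return "expired"              # also the state of a freshly unlocked account
    if days_since_change >= policy.expiration - policy.warning:
        return "warn"
    return "ok"

def change_password(policy, days_since_change):
    """Apply the minimum-time rule. Returns the new days_since_change (0) when
    the change is accepted, or None when it is rejected as too soon."""
    if policy.lifetime != 0 and days_since_change < policy.min_time:
        return None
    return 0

# Constructed walk-through of one account under a 2/30/7/45-day policy.
POLICY = AgingPolicy(min_time=2, expiration=30, warning=7, lifetime=45)
TIMELINE = [(1, "ok"), (23, "warn"), (30, "expired"), (45, "locked")]

if __name__ == "__main__":
    for day, _ in TIMELINE:
        print(f"day {day:>3}: {login_status(POLICY, day)}")
    print("day  45 after admin unlock:", login_status(POLICY, 45, admin_unlocked=True))
    print("change on day 1 accepted?", change_password(POLICY, 1) is not None)
```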
Password History and Password Reuse
You can enable the password history feature on
a systemwide basis to discourage users from reusing previous passwords.
You enable the password reuse check by defining the PASSWORD_HISTORY_DEPTH attribute in the /etc/default/security file:
PASSWORD_HISTORY_DEPTH=n
where n is an integer specifying the number of previous passwords to check.
When a user changes the password, the new password
is checked against the previous n passwords,
starting with the current password. If the system finds a match, it
rejects the new password. An n of 2 prevents users from alternating between two passwords.
For more information, see passwd(1) and security(4).
Time-Based Access Control
On trusted systems, you can specify times-of-day
and days-of-week that are allowed for login for each user. When a
user attempts to log in outside the allowed access time, the event
is logged (if auditing is enabled for login failures and successes)
and the login is terminated. A superuser can log in outside the allowed
access time, but the event is logged. The permitted range of access
times is stored in the protected password database for users and can
be set with HP SMH. Users that are logged in when a range ends are
not logged out.
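The decision described above (allow inside the permitted range; outside it, record the event and refuse ordinary users but let a superuser through) can be modelled as follows. This is an added example, not HP-UX code: the "Mon-Fri 08:00-18:00" window syntax, the audit record text and the treatment of an empty window list as "no restriction" are assumptions of the example, not the /tcb/files/auth format.

```python
"""Time-of-day / day-of-week login check (added example, not HP-UX code)."""
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def parse_window(spec):
    """'Mon-Fri 08:00-18:00' -> (set of weekday numbers, start minute, end minute).
    A day range may wrap the week, e.g. 'Sat-Mon'; the end minute is exclusive."""
    days_part, hours_part = spec.split()
    first, _, last = days_part.partition("-")
    a, b = DAYS.index(first), DAYS.index(last or first)
    days = {i % 7 for i in range(a, (b if b >= a else b + 7) + 1)}
    start, end = hours_part.split("-")
    to_min = lambda hm: int(hm[:2]) * 60 + int(hm[3:])
    return days, to_min(start), to_min(end)

def in_window(windows, when):
    """True if the weekday and minute-of-day of `when` fall in any window."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in d and s <= minute < e for d, s, e in windows)

def check_login(user, windows, when, is_superuser=False, audit=None):
    """Decide a login attempt at time `when`; returns True when login proceeds.

    An attempt outside the permitted range is recorded in `audit` (a list
    standing in for the audit trail, when auditing is enabled). A superuser
    still gets in; any other user is refused. This only decides the login
    itself: a session already open when a range ends is not logged out.
    """
    allowed = not windows or in_window([parse_window(w) for w in windows], when)
    if allowed:
        return True
    if audit is not None:
        outcome = "permitted (superuser)" if is_superuser else "refused"
        audit.append(f"{when:%Y-%m-%d %H:%M} {user}: login outside access time, {outcome}")
    return is_superuser

if __name__ == "__main__":
    trail = []
    office = ["Mon-Fri 08:00-18:00"]          # constructed policy
    print(check_login("robin", office, datetime(2024, 1, 10, 9, 0), audit=trail))
    print(check_login("robin", office, datetime(2024, 1, 10, 19, 0), audit=trail))
    print("\n".join(trail))
```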
Device-Based Access Control
For each MUX port and dedicated DTC port on a trusted
system, you can specify a list of users allowed for access. When the
list is null for a device, all users are allowed access.
The device access information is stored in the device
assignment database, /tcb/files/devassign, which
contains an entry for each terminal device on the trusted system.
A field in the entry lists the users allowed on the device.
Terminal login information on a trusted system
is stored in the terminal control database, /tcb/files/ttys, which provides the following data for each terminal:
- User ID of the last user to successfully log into the terminal
- Last successful login time to the terminal
- Last unsuccessful login time to the terminal
- Number of consecutive unsuccessful logins before terminal is locked
Only superusers can access these trusted system
databases and can set the entries using HP SMH. See devassign(4) and ttys(4).
Manipulating the Trusted System Databases
Use the library routines described in the following
manpages to access information in the password files and in other
trusted system databases:
- Manipulates device entries
- Manipulates system defaults
- Gets password entries from /tcb/files/auth/
- Manipulates terminal control
- Gets password entries from /etc/passwd
- Writes password file entries
- Gets password entries from /tcb/files/auth/ (provided for backward compatibility)
- Writes password entries to /tcb/files/auth/ (provided for backward compatibility)
- Writes password file entries