Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 4 HP-UX Standard Mode Security Extensions

Security Attributes and the User Database


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Previously, in standard mode, all HP-UX security attributes and password policy restrictions were set on a systemwide basis. The introduction of the user database enables you to set security attributes on a per-user basis, which override systemwide defaults.

System Security Attributes

A security attribute defines how to control security configurations, such as passwords, logins, and auditing. The security attributes description file, /etc/security.dsc, lists the attributes that can be defined either in /etc/default/security, in the user database in /var/adm/userdb, or in both files. Some attributes are configurable and some are internal.

CAUTION: Do not modify the /etc/security.dsc file in any way.

When a user logs in, the system checks for applicable security attributes in the following order:

  1. The system examines per-user attributes in the following locations:

    • /var/adm/userdb

    • /etc/passwd

    • /etc/shadow

      NOTE: For each per-use attribute, a value is stored in one of the three files above. Refer to security(4) to see which attributes are stored in each file.
  2. If there is no per-user value, then the system examines the configured systemwide attributes in /etc/default/security.

  3. If there are no configured systemwide attributes, then the system uses the default attributes in /etc/security.dsc.

Configuring Systemwide Attributes

To configure systemwide attributes, follow these steps:

  1. Plan your configuration using available resources. Refer to security(4) for information about configuring systemwide attributes.

  2. To change a systemwide default, edit the /etc/default/security file with a text editor such as vi. Comments begin with a pound sign (#). Attributes are written in attribute=value format.

    For example, to set the systemwide minimum number of uppercase characters in a password to two (2), enter the following values into /etc/default/security:

NOTE: Changes to systemwide security attributes do not take effect immediately. Password attributes take effect the next time users change their passwords. Login attributes take effect the next time users log in.

User Database Components

The user database feature of HP-UX SMSE includes files, commands, manpages, and per-user attributes you can apply to specific users on your HP-UX system. All these elements of the user database are described in the following sections.

Configuration Files

Table 4-1 briefly describes the files you use with the user database.

Table 4-1 User Database Configuration Files



/var/adm/userdbStores most per-user information.



Table 4-2 briefly describes the commands you can use to modify and administer entries in the user database.

Table 4-2 User Database Commands



userdbsetChanges attribute values configured in the user database.
userdbgetDisplays attribute values configured in the user database.
userdbckVerifies the integrity of the information in the user database.
userstatReports the status of local user accounts.



The following security attributes are available for individual users:

Table 4-3 User Attributes




Allows or denies login with a null password.

AUDIT_FLAGAudits or stops auditing the user.
AUTH_MAXTRIESDefines the number of login failures allowed before a user is locked out of the system.
DISPLAY_LAST_LOGINDisplays information about the user's last login.
LOGIN_TIMESRestricts login time periods.
MIN_PASSWORD_LENGTHDefines the minimum password length.
NUMBER_OF_LOGINS_ALLOWEDDefines the number of simultaneous logins allowed per user.
PASSWORD_HISTORY_DEPTHDefines the password history depth.
PASSWORD_MIN_LOWER_CASE_CHARSDefines the minimum number of lowercase characters required in a password.
PASSWORD_MIN_UPPER_CASE_CHARSDefines the minimum number of uppercase characters required in a password.
PASSWORD_MIN_DIGIT_CHARSDefines the minimum number of digit characters required in a password.
PASSWORD_MIN_SPECIAL_CHARSDefines the minimum number of special characters required in a password.
UMASKDefines the umask for file creation.


NOTE: The previous list contains only security attributes that can be configured in the user database. For a complete list of HP-UX system security attributes, refer to security(4).


Table 4-4 briefly describes the manpages you use with the user database.

Table 4-4 User Database Manpages




Provides an overview of the use of the user database.


Describes userdbset functionality and syntax.


Describes userdbget functionality and syntax.


Describes userdbck functionality and syntax.


Describes the userstat functionality and syntax.


Configuring Attributes in the User Database

In previous HP-UX systems, security attributes and password policy restrictions were set a systemwide basis. With HP-UX SMSE, you can configure some security attributes on a per-user basis. Attributes configured per-user override systemwide configured attributes.

To modify a user's attribute values, follow these steps:

  1. Decide which users to modify and which attributes will apply to them.

    For example, you want user joe to be able to log in to the system only from 8am to 5pm on Mondays.

  2. Change the attributes using the userdbset command as follows:

    # userdbset -u user-name attribute-name=attribute-value

    For example, to specify that user joe can log in to the system only from 8am to 5pm, enter:

    # userdbset -u joe LOGIN_TIMES=Mo0800-1700

Troubleshooting the User Database

Use the following procedures to troubleshoot the user database.

Problem 1: A user's security attributes seems to be misconfigured. If you suspect that user information is misconfigured in the user database, run the following command:

# userdbget -u username

The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute. Refer to “Configuring Attributes in the User Database” for instructions.

Problem 2: The user database is not functioning properly. If you need to check the user database, run the following command:

# userdbck

The userdbck command identifies and repairs problems in the user database.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.