- ABORT_LOGIN_ON_MISSING_HOMEDIR
This attribute controls login behavior if a user's home directory does not exist. Note that this is only enforced for non-root users and only applies to the login command or to those services that indirectly invoke login, such as the telnetd and rlogind commands.
ABORT_LOGIN_ON_MISSING_HOMEDIR=0
    Log in with '/' as the home directory if the user's home directory does not exist.
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
    Exit the login session if the user's home directory does not exist.
Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0

- ALLOW_NULL_PASSWORD
This attribute determines whether or not users with a null password can log in. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. For local users, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
ALLOW_NULL_PASSWORD=0
    Users with a null password cannot log in.
ALLOW_NULL_PASSWORD=1
    Users with a null password can log in.
Default value: ALLOW_NULL_PASSWORD=1

- AUDIT_FLAG
This attribute controls whether or not users are to be audited. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). For more information about HP-UX auditing, see audit(5).
AUDIT_FLAG=0
    Do not audit.
AUDIT_FLAG=1
    Audit.
Default value: AUDIT_FLAG=1

- AUTH_MAXTRIES
This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
When an account has been locked due to too many authentication failures, root can unlock the account with this command:
    userdbset -d -u username auth_failures
AUTH_MAXTRIES=0
    Any number of authentication retries is allowed.
AUTH_MAXTRIES=N
    An account is locked after N+1 consecutive authentication failures. N can be any positive integer.
Default value: AUTH_MAXTRIES=0

- BOOT_AUTH
This attribute controls whether authentication is required to boot the system into single user mode. If enabled, the system cannot be booted into single user mode until the password of an authorized user is provided. This attribute does not apply to trusted systems. However, if boot authentication is enabled on a standard system, then when the system is converted to a trusted system, boot authentication will also be enabled by default for the trusted system.
BOOT_AUTH=0
    Boot authentication is turned OFF.
BOOT_AUTH=1
    Boot authentication is turned ON.
Default value: BOOT_AUTH=0

- BOOT_USERS
This attribute defines the names of users who are authorized to boot the system into single user mode from the console. Names are separated by a comma (,). It only takes effect when boot authentication is enabled. Refer to the description of the BOOT_AUTH attribute. The BOOT_USERS attribute does not apply to trusted systems. However, when a standard system is converted to a trusted system, this information is translated.
For example:
    BOOT_USERS=mary,jack
Other than the root user, user mary or jack can also boot the system into single user mode from the console.
Default value: BOOT_USERS=root

- DISPLAY_LAST_LOGIN
This attribute controls whether a successful login displays the date, time and origin of the last successful login and the last authentication failure. Times are displayed using the system's time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
DISPLAY_LAST_LOGIN=0
    Information is not displayed.
DISPLAY_LAST_LOGIN=1
    Information is displayed.
Default value: DISPLAY_LAST_LOGIN=1

- INACTIVITY_MAXDAYS
This attribute controls whether an account is locked if there have been no logins to the account for a specified time interval. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. In most cases this attribute can be enforced only as a system-wide default; however, for local users on a shadow password system, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in the inactivity field of /etc/shadow with either of these commands:
    useradd -f inactive_maxdays
    usermod -f inactive_maxdays
When an account has been locked due to this feature, root can unlock the account with this command:
    userdbset -d -u username login_time
INACTIVITY_MAXDAYS=0
    Inactive accounts are not expired.
INACTIVITY_MAXDAYS=N
    Inactive accounts are expired if there have been no logins to the account for at least N days. N can be any positive integer.
Default value: INACTIVITY_MAXDAYS=0

- LOGIN_TIMES
This attribute restricts logins to specific time periods. Login time restrictions are based on the system's time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
LOGIN_TIMES=timeperiod
    An account is locked if the current time is not within the specified time period. The timeperiod consists of any number of day and time ranges separated by colons. A user is allowed to access the system when the login time is within any of the specified ranges.
    The days are specified by the following abbreviations:
        Su Mo Tu We Th Fr Sa Wk Any
    where Wk is all week days and Any is any day of the week.
    A time range can be included after the day specification. A time range is a 24-hour time period, specified as hours and minutes separated by a hyphen. Each time must be specified with 4 digits (HHMM-HHMM); leading zeros are required. This time range indicates the start and end time for the specified days. The start time must be less than the end time. When no time range is specified, all times within the day(s) are valid. If the current time is within any of the time ranges specified for a user, the user is allowed to access the system.
    Do not use 0000-0000 as a time range to prevent user access. For example, Any:Fr0000-0000 cannot be used to disallow access on Fridays, because the Any entry still matches. Instead, SuMoTuWeThSa should be used. See the EXAMPLES section.
Default value: LOGIN_TIMES=Any (can log in any day of the week)
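The timeperiod syntax described above, as an added example that is not part of this man page or of HP-UX: a Python parser and evaluator for LOGIN_TIMES values. The day codes, the colon separator, the HHMM-HHMM form and the "any range matches" rule are taken from the text; the half-open window (the end minute is excluded) and the rejection of times of 2400 or later are assumptions. It also shows why Any:Fr0000-0000 does not deny Friday access, while SuMoTuWeThSa does.

```python
import re
from datetime import datetime

# Day abbreviations from the LOGIN_TIMES description, mapped to
# datetime.weekday() numbering (Monday=0 ... Sunday=6).
_DAY = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_GROUP = {"Wk": {0, 1, 2, 3, 4}, "Any": {0, 1, 2, 3, 4, 5, 6}}
_TOKEN = re.compile(r"Any|Wk|Su|Mo|Tu|We|Th|Fr|Sa")
# One colon-separated entry: one or more day codes, optionally followed by HHMM-HHMM.
_ENTRY = re.compile(r"((?:Any|Wk|Su|Mo|Tu|We|Th|Fr|Sa)+)(?:(\d{4})-(\d{4}))?")


def _minutes(hhmm):
    """Convert a 4-digit HHMM string to minutes after midnight."""
    hh, mm = int(hhmm[:2]), int(hhmm[2:])
    if hh > 23 or mm > 59:  # assumption: 2400 and beyond are not accepted
        raise ValueError(f"invalid time {hhmm!r}")
    return hh * 60 + mm


def parse_login_times(spec):
    """Parse a LOGIN_TIMES value into a list of (days, start, end) windows.

    Windows are half-open [start, end) in minutes after midnight (assumption:
    the end minute itself is not included). An entry without a time range
    covers the whole day.
    """
    windows = []
    for entry in spec.split(":"):
        m = _ENTRY.fullmatch(entry)
        if m is None:
            raise ValueError(f"bad LOGIN_TIMES entry {entry!r}")
        days = set()
        for tok in _TOKEN.findall(m.group(1)):
            days |= _GROUP[tok] if tok in _GROUP else {_DAY[tok]}
        if m.group(2) is None:
            start, end = 0, 24 * 60
        else:
            start, end = _minutes(m.group(2)), _minutes(m.group(3))
            if start > end:
                raise ValueError(f"start must be less than end in {entry!r}")
            # start == end (e.g. 0000-0000) is an empty window: it grants no
            # time at all, and because access is granted when ANY window
            # matches, it can never take access away either.
        windows.append((frozenset(days), start, end))
    return windows


def is_valid_login_times(spec):
    """True if 'spec' parses under the rules above."""
    try:
        parse_login_times(spec)
        return True
    except ValueError:
        return False


def login_allowed(spec, when):
    """True if 'when' (datetime or ISO 8601 string) falls inside any window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_login_times(spec))


if __name__ == "__main__":
    friday_noon = "2024-01-05T12:00"  # 2024-01-05 is a Friday
    print(login_allowed("Any:Fr0000-0000", friday_noon))  # True: Any still matches
    print(login_allowed("SuMoTuWeThSa", friday_noon))     # False: Friday is omitted
```

The evaluator deliberately ORs the windows together, which is exactly why a zero-length window cannot act as a deny rule: the only way to exclude a day is to leave it out of every entry, as the SuMoTuWeThSa form does.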

- MIN_PASSWORD_LENGTH
This attribute controls the minimum length of new passwords. On trusted systems it applies to all users. On standard systems it applies to non-root local users and to NIS users. The system-wide default defined here may be overridden by defining per-user values in /var/adm/userdb (described in userdb(4)).
MIN_PASSWORD_LENGTH=N
    New passwords must contain at least N characters. For standard systems, N can be any value from 3 to 8. For trusted systems, N can be any value from 6 to 80.
Default value: MIN_PASSWORD_LENGTH=6

- NOLOGIN
This attribute controls whether non-root login can be disabled by the /etc/nologin file. Note that this attribute only applies to the applications that use session management services provided by pam_hpsec as configured in /etc/pam.conf, or to those services that indirectly invoke login, such as the telnetd and rlogind commands. Other services may or may not choose to enforce the /etc/nologin file.
NOLOGIN=0
    Ignore the /etc/nologin file and do not exit if the /etc/nologin file exists.
NOLOGIN=1
    Display the contents of the /etc/nologin file and exit if the /etc/nologin file exists.
Default value: NOLOGIN=0

- NUMBER_OF_LOGINS_ALLOWED
This attribute controls the number of simultaneous logins allowed per user. Note that this is only enforced for non-root users and only applies to the applications that use session management services provided by pam_hpsec as configured in /etc/pam.conf, or to those services that indirectly invoke login, such as the telnetd and rlogind commands. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
NUMBER_OF_LOGINS_ALLOWED=0
    Any number of simultaneous logins is allowed per user.
NUMBER_OF_LOGINS_ALLOWED=N
    At most N simultaneous logins are allowed per user.
Default value: NUMBER_OF_LOGINS_ALLOWED=0

- PASSWORD_HISTORY_DEPTH
This attribute controls the password history depth. A new password is checked against passwords stored in the user's password history. This prevents the user from re-using a recently used password. This attribute applies only to local users. For a trusted system, the maximum password history depth is 10 and the minimum is 1. For a standard system, the maximum password history depth is 24 and the minimum is 1. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
PASSWORD_HISTORY_DEPTH=N
    A new password is checked against the N most recently used passwords, including the current password. For example, a password history depth of 2 prevents a user from alternating between two passwords.
Default value: PASSWORD_HISTORY_DEPTH=1 (the current password cannot be re-used)

- PASSWORD_MIN_type_CHARS
Attributes of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess. This attribute applies only to non-root local users. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
PASSWORD_MIN_UPPER_CASE_CHARS=N
    Specifies that a minimum of N upper-case characters are required in a password when it is changed.
PASSWORD_MIN_LOWER_CASE_CHARS=N
    Specifies that a minimum of N lower-case characters are required in a password when it is changed.
PASSWORD_MIN_DIGIT_CHARS=N
    Specifies that a minimum of N digit characters are required in a password when it is changed.
PASSWORD_MIN_SPECIAL_CHARS=N
    Specifies that a minimum of N special characters are required in a password when it is changed.
Default value: The default for each of these attributes is zero.
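An added example, not code from this man page or from HP-UX, covering the MIN_PASSWORD_LENGTH, PASSWORD_HISTORY_DEPTH and PASSWORD_MIN_type_CHARS attributes together: a Python checker that applies all three to a candidate password the way the text describes them. The digest() function is a constructed stand-in for the stored password hash, "special character" is assumed to mean any character that is neither a letter nor a digit, and the absent-attribute defaults (6 for length, 1 for history depth, zero for each character class) are the ones documented above.

```python
import hashlib

# Character classes named by the PASSWORD_MIN_type_CHARS family. Absent keys
# take the documented default of zero.
_CLASSES = {
    "PASSWORD_MIN_UPPER_CASE_CHARS": str.isupper,
    "PASSWORD_MIN_LOWER_CASE_CHARS": str.islower,
    "PASSWORD_MIN_DIGIT_CHARS": str.isdigit,
    # Assumption: "special" means any character that is not a letter or digit.
    "PASSWORD_MIN_SPECIAL_CHARS": lambda c: not c.isalnum(),
}


def digest(password):
    """Constructed stand-in for the stored hash (a real system stores crypt hashes)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_new_password(candidate, policy, history):
    """Return a list of policy violations for 'candidate'; an empty list means accepted.

    policy:  dict of attribute name -> int, as the values would appear in
             /etc/default/security or the per-user /var/adm/userdb entry.
    history: list of digests, most recent first; history[0] is the current
             password, which is why depth 1 still forbids re-using it.
    """
    problems = []

    min_len = policy.get("MIN_PASSWORD_LENGTH", 6)
    if len(candidate) < min_len:
        problems.append(f"MIN_PASSWORD_LENGTH: need at least {min_len} characters")

    for attr, predicate in _CLASSES.items():
        need = policy.get(attr, 0)
        have = sum(1 for c in candidate if predicate(c))
        if have < need:
            problems.append(f"{attr}: need {need}, have {have}")

    # Compare against the N most recent entries only; older passwords are
    # outside the history window and may be re-used.
    depth = policy.get("PASSWORD_HISTORY_DEPTH", 1)
    if digest(candidate) in history[:depth]:
        problems.append(f"PASSWORD_HISTORY_DEPTH: matches one of the {depth} most recent passwords")

    return problems


# Constructed sample policy and history, not values from any real host.
SAMPLE_POLICY = {
    "MIN_PASSWORD_LENGTH": 8,
    "PASSWORD_MIN_UPPER_CASE_CHARS": 1,
    "PASSWORD_MIN_DIGIT_CHARS": 1,
    "PASSWORD_MIN_SPECIAL_CHARS": 1,
    "PASSWORD_HISTORY_DEPTH": 2,
}
SAMPLE_HISTORY = [digest("Winter#2023"), digest("Autumn#2023"), digest("Summer#2023")]

if __name__ == "__main__":
    for pw in ("Spring#2024", "Autumn#2023", "Summer#2023", "short"):
        print(pw, "->", check_new_password(pw, SAMPLE_POLICY, SAMPLE_HISTORY) or "accepted")
```

With a depth of 2, "Summer#2023" is accepted even though the user has had it before, because only the two most recent entries are consulted; raising PASSWORD_HISTORY_DEPTH is what widens that window.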

- PASSWORD_MAXDAYS
This attribute controls the default maximum number of days that passwords are valid. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The passwd -x option can be used to override this value for a specific user.
PASSWORD_MAXDAYS=N
    A new password is valid for up to N days, after which the password must be changed. N can be an integer from -1 to 441.
Default value: PASSWORD_MAXDAYS=-1 (password aging is turned off)

- PASSWORD_MINDAYS
This attribute controls the default minimum number of days before a password can be changed. This value is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the user. The value is stored persistently and takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The passwd -n option can be used to override this value for a specific user.
PASSWORD_MINDAYS=N
    A new password cannot be changed until at least N days have passed since it was last changed. N can be an integer from 0 to 441.
Default value: PASSWORD_MINDAYS=0

- PASSWORD_WARNDAYS
This attribute controls the default number of days before password expiration that a user is to be warned that the password must be changed. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users on shadow password systems. The passwd -w option can be used to override this value for a specific user.
PASSWORD_WARNDAYS=N
    Users are warned N days before their password expires. N can be an integer from 0 to 441.
Default value: PASSWORD_WARNDAYS=0 (no warning)

- SU_DEFAULT_PATH
This attribute defines a new default PATH environment value to be set when su to a non-superuser account is done. Refer to su(1).
SU_DEFAULT_PATH=new_PATH
    The PATH environment variable is set to new_PATH when the su command is invoked. The path value is not validated. This attribute does not apply to a superuser account, and is applicable only when the "-" option is not used with the su command.
Default value: If this attribute is not defined or if it is commented out, PATH is not changed.

- SU_KEEP_ENV_VARS
This attribute forces su to propagate certain 'unsafe' environment variables to its child process despite the security risk of doing so. Refer to su(1). By default, su does not export the environment variables HOME, ENV, IFS, SHLIB_PATH or LD_* because they could be maliciously misused. Any combination of these can be specified in this entry, with a comma separating the variables. Currently, no other environment variables may be specified in this way. This may change in future HP-UX releases as security needs require.
SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this attribute is not defined or if it is commented out, these environment variables will not be propagated by the su command.

- SU_ROOT_GROUP
This attribute defines the root group name for the su command. Refer to su(1).
SU_ROOT_GROUP=group_name
    The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking.
Default value: If this attribute is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to su to root without being bound by root group restrictions.

- UMASK
This attribute controls the umask() of all sessions initiated via pam_hpsec. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (the value must have a leading zero to denote octal). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
UMASK=default_umask
    The current umask is set or restricted further with the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h.
Default value: UMASK=0
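An added example, not part of this man page or of HP-UX: a Python audit script that reads a constructed /etc/default/security fragment, fills in the default values documented above for every attribute that is absent, validates the documented value ranges for a standard system, and flags settings that leave a documented protection off (null passwords accepted, no lockout, aging off, no boot authentication, an unrestricted or malformed UMASK). Assumptions: the file consists of ATTRIBUTE=value lines with '#' comment lines, and "set or restricted further" for UMASK is read as a bitwise OR of the current and configured masks.

```python
import re

# Default values as documented on this page; they apply when an attribute is
# absent or commented out in /etc/default/security.
DEFAULTS = {
    "ABORT_LOGIN_ON_MISSING_HOMEDIR": "0", "ALLOW_NULL_PASSWORD": "1",
    "AUDIT_FLAG": "1", "AUTH_MAXTRIES": "0", "BOOT_AUTH": "0",
    "DISPLAY_LAST_LOGIN": "1", "INACTIVITY_MAXDAYS": "0", "LOGIN_TIMES": "Any",
    "MIN_PASSWORD_LENGTH": "6", "NOLOGIN": "0", "NUMBER_OF_LOGINS_ALLOWED": "0",
    "PASSWORD_HISTORY_DEPTH": "1", "PASSWORD_MAXDAYS": "-1",
    "PASSWORD_MINDAYS": "0", "PASSWORD_WARNDAYS": "0", "UMASK": "0",
}

# Documented value ranges for a standard (non-trusted) system: (low, high).
RANGES = {
    "MIN_PASSWORD_LENGTH": (3, 8), "PASSWORD_HISTORY_DEPTH": (1, 24),
    "PASSWORD_MAXDAYS": (-1, 441), "PASSWORD_MINDAYS": (0, 441),
    "PASSWORD_WARNDAYS": (0, 441),
}


def parse_security_file(text):
    """Parse ATTRIBUTE=value lines; lines starting with '#' are comments (format is an assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def effective_umask(current, default_umask):
    """Assumption: 'set or restricted further' means bits can only be added (bitwise OR)."""
    return current | default_umask


def audit(settings):
    """Return a list of (attribute, message) findings for the effective configuration."""
    s = {**DEFAULTS, **settings}
    findings = []

    for attr, (lo, hi) in RANGES.items():
        try:
            value = int(s[attr])
        except ValueError:
            findings.append((attr, f"not an integer: {s[attr]!r}"))
            continue
        if not lo <= value <= hi:
            findings.append((attr, f"{value} is outside the documented range {lo}..{hi}"))

    if s["ALLOW_NULL_PASSWORD"] != "0":
        findings.append(("ALLOW_NULL_PASSWORD", "users with a null password can log in"))
    if s["AUTH_MAXTRIES"] == "0":
        findings.append(("AUTH_MAXTRIES", "no lockout after consecutive authentication failures"))
    if s["PASSWORD_MAXDAYS"] == "-1":
        findings.append(("PASSWORD_MAXDAYS", "password aging is turned off"))
    if s["BOOT_AUTH"] != "1":
        findings.append(("BOOT_AUTH", "single user mode boot does not require authentication"))

    # UMASK must be an unsigned octal integer from 0 to 0777 with a leading zero.
    umask = s["UMASK"]
    if not re.fullmatch(r"0[0-7]{0,3}", umask):
        findings.append(("UMASK", f"{umask!r} is not an octal value 0..0777 with a leading zero"))
    elif int(umask, 8) == 0:
        findings.append(("UMASK", "session umask is not restricted"))

    return findings


# Constructed /etc/default/security fragment; not taken from any real host.
SAMPLE = """\
# constructed sample
ALLOW_NULL_PASSWORD=1
AUTH_MAXTRIES=0
PASSWORD_MAXDAYS=90
MIN_PASSWORD_LENGTH=8
UMASK=077
BOOT_AUTH=1
"""

if __name__ == "__main__":
    for attr, msg in audit(parse_security_file(SAMPLE)):
        print(f"{attr}: {msg}")
```

Running audit on an empty file is a quick way to see which of the documented defaults are permissive: with nothing set, null passwords are accepted, there is no lockout, aging is off, single user boot is unauthenticated, and the session umask is 0.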