- ABORT_LOGIN_ON_MISSING_HOMEDIR
This parameter controls login behavior if a user's home directory does not exist. Note that this is only enforced for non-root users and only applies to the login(1) command or those services that indirectly invoke login(1), such as the telnetd(1M) and rlogind(1M) commands.
- ABORT_LOGIN_ON_MISSING_HOMEDIR=0
Login with '/' as the home directory if the user's home directory does not exist.
- ABORT_LOGIN_ON_MISSING_HOMEDIR=1
Exit the login session if the user's home directory does not exist.
Default value:
ABORT_LOGIN_ON_MISSING_HOMEDIR=0
- BOOT_AUTH
This parameter controls whether authentication is required to boot the system into single user mode. If enabled, the system cannot be booted into single user mode until the password of an authorized user is provided. This parameter does not apply to trusted systems. However, if boot authentication is enabled on a standard system, then when the system is converted to a trusted system, boot authentication will also be enabled by default for the trusted system.
- BOOT_AUTH=0
Boot authentication is turned OFF.
- BOOT_AUTH=1
Boot authentication is turned ON.
Default value:
BOOT_AUTH=0
- BOOT_USERS
This parameter defines the names of users who are authorized to boot the system into single user mode from the console. Names are separated by a comma (,). It only takes effect when boot authentication is enabled; refer to the description of the BOOT_AUTH parameter. The BOOT_USERS parameter does not apply to trusted systems. However, when a standard system is converted to a trusted system, this information is translated.
- BOOT_USERS=mary,jack
Other than the root user, user mary or jack can also boot the system into single user mode from the console.
Default value:
BOOT_USERS=root
- MIN_PASSWORD_LENGTH
This parameter controls the minimum length of new passwords. It is not applicable to the root user on an untrusted system.
- MIN_PASSWORD_LENGTH=N
New passwords must contain at least N characters. For untrusted systems, N can be any value from 6 to 8 (only the first eight characters of a password are significant on such systems). For trusted systems, N can be any value from 6 to 80.
Default value:
MIN_PASSWORD_LENGTH=6
- NOLOGIN
This parameter controls whether non-root login can be disabled by the /etc/nologin file. Note that this parameter only applies to the applications that use session management services provided by pam_hpsec(5) as configured in /etc/pam.conf, or those services that indirectly invoke login(1), such as the telnetd(1M) and rlogind(1M) commands. Other services may or may not choose to enforce the /etc/nologin file.
- NOLOGIN=0
Ignore the /etc/nologin file and do not exit if the /etc/nologin file exists.
- NOLOGIN=1
Display the contents of the /etc/nologin file and exit if the /etc/nologin file exists.
Default value:
NOLOGIN=0
- NUMBER_OF_LOGINS_ALLOWED
This parameter controls the number of simultaneous logins allowed per user. Note that this is only enforced for non-root users and only applies to the applications that use session management services provided by pam_hpsec(5) as configured in /etc/pam.conf, or those services that indirectly invoke login(1), such as the telnetd(1M) and rlogind(1M) commands.
- NUMBER_OF_LOGINS_ALLOWED=0
Any number of logins is allowed per user.
- NUMBER_OF_LOGINS_ALLOWED=N
At most N simultaneous logins are allowed per user.
Default value:
NUMBER_OF_LOGINS_ALLOWED=0
- PASSWORD_HISTORY_DEPTH
This parameter controls the password history depth. A new password is checked only against the configured number of most recently used passwords stored in the password history for a particular user, and a user is not allowed to re-use a password found there.
- PASSWORD_HISTORY_DEPTH=N
A new password is checked against only the N most recently used passwords for a particular user. A depth of 2 prevents users from alternating between two passwords. The maximum password history depth supported is 10 and the minimum is 1; a configured depth of more than 10 is treated as 10, and a depth of less than 1 is treated as 1.
The password history depth is configured on a system basis and is supported on trusted systems for users in the files repository only. This feature does not support users in NIS or NISPLUS repositories. Once the feature is enabled, all users on the system are subject to the same check. If this parameter is not configured, the password history check feature is automatically disabled; when the feature is disabled, the password history check depth is 1.
A password change is subject to all of the other rules for a new password, including a check against the current password.
Default value:
PASSWORD_HISTORY_DEPTH=1
- PASSWORD_MIN_<type>_CHARS
Parameters of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess.
- PASSWORD_MIN_UPPER_CASE_CHARS=N
Specifies that a minimum of N upper-case characters are required in a password when changed.
- PASSWORD_MIN_LOWER_CASE_CHARS=N
Specifies that a minimum of N lower-case characters are required in a password when changed.
- PASSWORD_MIN_DIGIT_CHARS=N
Specifies that a minimum of N digit characters are required in a password when changed.
- PASSWORD_MIN_SPECIAL_CHARS=N
Specifies that a minimum of N special characters are required in a password when changed.
Default value: The default for each of these parameters is zero.
- PASSWORD_MAXDAYS
This parameter controls the default maximum number of days that passwords are valid. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This parameter applies only to local users and does not apply to trusted systems. The passwd -x option can be used to override this value for a specific user.
- PASSWORD_MAXDAYS=N
A new password is valid for up to N days, after which the password must be changed.
Default value:
PASSWORD_MAXDAYS=-1
(password aging is turned off)
- PASSWORD_MINDAYS
This parameter controls the default minimum number of days before a password can be changed. This value is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the user. The value is stored persistently and takes effect after the password change. This parameter applies only to local users and does not apply to trusted systems. The passwd -n option can be used to override this value for a specific user.
- PASSWORD_MINDAYS=N
A new password cannot be changed until at least N days have passed since it was last changed.
Default value:
PASSWORD_MINDAYS=0
- PASSWORD_WARNDAYS
This parameter controls the default number of days before password expiration that a user is to be warned that the password must be changed. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This parameter applies only to local users on Shadow Password systems. The passwd -w option can be used to override this value for a specific user.
- PASSWORD_WARNDAYS=N
Users are warned N days before their password expires.
Default value:
PASSWORD_WARNDAYS=0
(no warning)
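The MIN_PASSWORD_LENGTH, PASSWORD_MIN_<type>_CHARS and PASSWORD_HISTORY_DEPTH entries above describe rules that pam_hpsec applies when a password is changed. The POSIX sh script below is an added example, not HP-UX code and not taken from this man page: it reads those keys from a constructed file with the same KEY=VALUE syntax as /etc/default/security, clamps the history depth to 1..10 exactly as the page states, and reports which rules a candidate password violates. It assumes that "special character" means the POSIX [:punct:] class (the page does not define the term) and that the history is supplied newest first.

```shell
#!/bin/sh
# Added example, not HP-UX's pam_hpsec code: apply the MIN_PASSWORD_LENGTH,
# PASSWORD_MIN_<type>_CHARS and PASSWORD_HISTORY_DEPTH rules from an
# /etc/default/security-style file to a candidate password. Assumptions:
# KEY=VALUE lines (last one wins), "special character" means POSIX
# [:punct:], and the password history is passed newest first.

# Constructed policy file standing in for /etc/default/security.
SEC_FILE=$(mktemp)
trap 'rm -f "$SEC_FILE"' EXIT
cat > "$SEC_FILE" <<'EOF'
# comments and blank lines are ignored

MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=2
PASSWORD_MIN_SPECIAL_CHARS=1
PASSWORD_HISTORY_DEPTH=25
EOF

# get_param FILE KEY DEFAULT: value of the last uncommented KEY= line, or DEFAULT.
get_param() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# count_class PASSWORD CLASS: number of characters of PASSWORD in the POSIX
# character class CLASS (for example '[:upper:]').
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# history_depth FILE: the depth actually enforced. The man page clamps the
# configured value to 1..10 and treats an unset or non-numeric value as 1.
history_depth() {
    d=$(get_param "$1" PASSWORD_HISTORY_DEPTH 1)
    case "$d" in ''|*[!0-9]*) d=1 ;; esac
    [ "$d" -lt 1 ] && d=1
    [ "$d" -gt 10 ] && d=10
    printf '%s\n' "$d"
}

# check_password FILE CANDIDATE [OLD_PASSWORD ...]: prints each rule the
# candidate violates and returns 0 only when every rule passes.
check_password() {
    f=$1; pw=$2; shift 2
    rc=0
    min_len=$(get_param "$f" MIN_PASSWORD_LENGTH 6)
    if [ "${#pw}" -lt "$min_len" ]; then
        echo "shorter than MIN_PASSWORD_LENGTH=$min_len"; rc=1
    fi
    for spec in 'UPPER_CASE [:upper:]' 'LOWER_CASE [:lower:]' \
                'DIGIT [:digit:]' 'SPECIAL [:punct:]'; do
        name=${spec%% *}; class=${spec#* }
        need=$(get_param "$f" "PASSWORD_MIN_${name}_CHARS" 0)
        have=$(count_class "$pw" "$class")
        if [ "$have" -lt "$need" ]; then
            echo "PASSWORD_MIN_${name}_CHARS=$need not met (has $have)"; rc=1
        fi
    done
    # Only the N most recent history entries are compared, N = clamped depth.
    depth=$(history_depth "$f")
    i=0
    for old in "$@"; do
        i=$((i + 1))
        [ "$i" -gt "$depth" ] && break
        if [ "$old" = "$pw" ]; then
            echo "reuses one of the last $depth passwords (entry $i)"; rc=1
        fi
    done
    return "$rc"
}

# Demonstration: the configured depth of 25 is clamped to 10, so a password
# last used eleven changes ago is accepted while one used ten changes ago is not.
check_password "$SEC_FILE" 'Secret99!' 'Old1pass!' && echo 'Secret99! accepted'
check_password "$SEC_FILE" 'secret99!' || echo 'secret99! rejected'
```

Because the history comparison stops at the clamped depth, raising PASSWORD_HISTORY_DEPTH above 10 in the file buys nothing; the script makes that visible by accepting a password that reappears as the eleventh history entry.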
- SU_DEFAULT_PATH
This parameter defines a new default PATH environment value to be set when su to a non-superuser account is done. Refer to su(1).
- SU_DEFAULT_PATH=new_PATH
The PATH environment variable is set to new_PATH when the su command is invoked. The path value is not validated, so a relative entry such as "." is passed through unchanged. This parameter does not apply to a superuser account, and is applicable only when the "-" option is not used with the su command.
Default value: If this parameter is not defined or if it is commented out, PATH is not changed.
- SU_KEEP_ENV_VARS
This parameter forces su to propagate certain 'unsafe' environment variables to its child process despite the security risk of doing so. Refer to su(1). By default, su does not export the environment variables HOME, ENV, IFS, SHLIB_PATH or LD_* because they could be maliciously misused: HOME selects whose startup files the new shell reads, ENV names a file the shell executes at startup, IFS changes how shell scripts split words, and SHLIB_PATH and LD_* alter where dynamically linked programs look for shared libraries. Any combination of these can be specified in this entry, with a comma separating the variables. Currently, no other environment variables may be specified in this way. This may change in future HP-UX releases as security needs require.
- SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this parameter is not defined or if it is commented out, none of these environment variables will be propagated by the su command.
- SU_ROOT_GROUP
This parameter defines the root group name for the su command. Refer to su(1).
- SU_ROOT_GROUP=group_name
The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking.
Default value: If this parameter is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to su to root without being bound by root group restrictions.
- UMASK
This parameter controls the umask(2) of all sessions initiated via pam_unix(5) and/or pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (the leading zero can be omitted).
- UMASK=default_umask
The umask is set to, or restricted further by, the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h.
Default value:
UMASK=0
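Most of the defaults listed on this page (BOOT_AUTH=0, NOLOGIN=0, NUMBER_OF_LOGINS_ALLOWED=0, PASSWORD_MAXDAYS=-1, UMASK=0, no SU_ROOT_GROUP) are the permissive setting, and two of the su parameters accept values that are never validated. The POSIX sh script below is an added example, not part of the HP-UX man page or of any HP-UX tool: it reads an /etc/default/security-style file and reports each parameter still at its permissive default, an SU_KEEP_ENV_VARS entry that re-exports the unsafe variables, and a relative entry in SU_DEFAULT_PATH. The two input files are constructed for the demonstration, and the thresholds it applies (for example, that UMASK must at least mask the group and other write bits) are this script's own policy choices, not values the page prescribes.

```shell
#!/bin/sh
# Added example, not part of the HP-UX man page: flag settings in an
# /etc/default/security-style file that leave the permissive defaults
# described above in place. Both files are constructed for the demo and
# the thresholds are this script's policy, not values the page prescribes.

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# shipped defaults plus two risky explicit settings
BOOT_AUTH=0
NOLOGIN=0
UMASK=0
PASSWORD_MAXDAYS=-1
SU_KEEP_ENV_VARS=IFS,LD_LIBRARY_PATH
SU_DEFAULT_PATH=/usr/bin:.:/opt/tools/bin
EOF
cat > "$HARD" <<'EOF'
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
BOOT_AUTH=1
BOOT_USERS=root,mary
NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=3
PASSWORD_MAXDAYS=90
SU_ROOT_GROUP=sysadmin
SU_DEFAULT_PATH=/usr/bin:/usr/local/bin
UMASK=077
EOF

# get_param FILE KEY: value of the last uncommented KEY= line (empty if unset).
get_param() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

FINDINGS=0
flag() { echo "$1"; FINDINGS=$((FINDINGS + 1)); }

# audit_security FILE: one finding per line on stdout; returns the count.
audit_security() {
    f=$1; FINDINGS=0
    [ "$(get_param "$f" BOOT_AUTH)" = 1 ] ||
        flag "BOOT_AUTH!=1: single-user boot from the console needs no password"
    [ "$(get_param "$f" ABORT_LOGIN_ON_MISSING_HOMEDIR)" = 1 ] ||
        flag "ABORT_LOGIN_ON_MISSING_HOMEDIR!=1: users without a home dir log in with HOME=/"
    [ "$(get_param "$f" NOLOGIN)" = 1 ] ||
        flag "NOLOGIN!=1: /etc/nologin is ignored by login-based services"
    case "$(get_param "$f" NUMBER_OF_LOGINS_ALLOWED)" in
        ''|0) flag "NUMBER_OF_LOGINS_ALLOWED unset or 0: unlimited simultaneous logins" ;;
    esac
    [ -n "$(get_param "$f" SU_ROOT_GROUP)" ] ||
        flag "SU_ROOT_GROUP unset: any user may attempt su to root"
    keep=$(get_param "$f" SU_KEEP_ENV_VARS)
    [ -z "$keep" ] || flag "SU_KEEP_ENV_VARS=$keep: unsafe variables survive su"
    case "$(get_param "$f" PASSWORD_MAXDAYS)" in
        ''|-1) flag "PASSWORD_MAXDAYS unset or -1: password aging is off" ;;
    esac
    # UMASK is octal; this policy requires group/other write (022) to be masked.
    um=$(get_param "$f" UMASK); um=${um:-0}
    [ "$(( 0$um & 022 ))" -eq "$((022))" ] ||
        flag "UMASK=$um leaves group/other write bits unmasked"
    # su does not validate SU_DEFAULT_PATH; reject relative entries.
    path=$(get_param "$f" SU_DEFAULT_PATH)
    if [ -n "$path" ]; then
        old_ifs=$IFS; IFS=:
        for dir in $path; do
            case "$dir" in
                /*) ;;
                *) flag "SU_DEFAULT_PATH has relative entry '$dir'"; break ;;
            esac
        done
        IFS=$old_ifs
    fi
    return "$FINDINGS"
}

# count_findings FILE: number of findings, convenient for scripts.
count_findings() { audit_security "$1" | wc -l | tr -d ' '; }

audit_security "$WEAK" || echo "weak file: $FINDINGS findings"
audit_security "$HARD" && echo "hardened file: no findings"
```

The return status of audit_security doubles as the finding count, so it can gate a configuration-management run; the hardened file above passes every check and the weak one produces nine findings.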