HP 9000 Computer Systems : Administering Your HP-UX Trusted System > Chapter 2 Installation and Configuration of an HP-UX Trusted System

Setting Up Password Controls


The password is the most important individual user identification symbol. With it, the system authenticates a user to allow access to the system. Since they are vulnerable to compromise when used, stored, or known, passwords must be kept secret at all times. You and every user on the system must share the responsibility for password security.

This section provides an overview of the tasks required for setting up password controls. For detailed information about users and passwords on UNIX systems, refer to Practical UNIX Security.

To maintain a secure system, you must perform the following security tasks:

  • Generate authorization numbers for the system and new users. To maintain password privacy, SAM generates an authorization number for each new account. This number must be used for first login. Once the number is verified, the new user is prompted for a password. This process shields user passwords even from the system administrator.

  • Maintain proper permissions on the /etc/passwd password file and the /tcb/files/auth/user_initial/username protected password file

  • Establish password aging

  • Delete and nullify expired passwords, user IDs, and passwords of users no longer eligible to access the system

Before Adding Users...

To ensure the maximum security of your users' directories and files, you must perform the following before adding users to a trusted system.

Be sure to add the following line to the system files listed below:

   umask 077

System files:

  • /.profile

  • /etc/profile

  • /etc/.profile

  • /etc/csh.login

  • /etc/d.profile

  • /etc/skel/.profile

  • /etc/skel/.login

  • /etc/skel/.cshrc

  • /usr/newconfig/.profile

  • /usr/newconfig/etc/profile

  • /usr/newconfig/etc/csh.login

If you have already added users to the system, for example by updating from a previous version, you will have to change the umask in all existing accounts. Be sure also to change the umask for root.

NOTE: This action provides a default permission of u=rwx g=--- o=--- on all user files and directories. While this sets the defaults for the most restrictive permissions, some users may have to use chmod on individual files or directories to open the permissions for certain applications.
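The following script is an added example, not part of the HP manual: it audits the startup files listed above for an uncommented "umask 077" line and shows the permissions that umask 077 actually produces. The function names and the two constructed sample profiles are the example's own; the file list is the manual's.

```shell
#!/bin/sh
# Added example, not part of the HP manual: audit startup files for the
# "umask 077" line the text asks for, and show the permissions that umask
# produces. STARTUP_FILES is the manual's list; a file that does not exist
# is reported (not silently skipped) so a missing skeleton file is noticed.

STARTUP_FILES="/.profile /etc/profile /etc/.profile /etc/csh.login
/etc/d.profile /etc/skel/.profile /etc/skel/.login /etc/skel/.cshrc
/usr/newconfig/.profile /usr/newconfig/etc/profile /usr/newconfig/etc/csh.login"

# has_umask_077 FILE: succeed if FILE has an uncommented "umask 077" line
# (optionally followed by a comment); a commented-out line does not count.
has_umask_077() {
    grep -q '^[[:space:]]*umask[[:space:]][[:space:]]*077\([[:space:]].*\)*$' "$1" 2>/dev/null
}

# audit_umask_files "FILE ...": print one status line per file and return
# the number of files that are not OK (0 means every file passed).
audit_umask_files() {
    bad=0
    for f in $1; do
        if [ ! -f "$f" ]; then
            echo "NO-SUCH-FILE  $f"; bad=$((bad + 1))
        elif has_umask_077 "$f"; then
            echo "OK            $f"
        else
            echo "MISSING-LINE  $f"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# perms_under_umask MASK DIR: create a file and a directory in DIR under MASK
# (in a subshell, so the caller's umask is untouched) and print their mode
# strings, e.g. "-rw------- drwx------" for 077.
perms_under_umask() {
    (umask "$1"; : > "$2/f"; mkdir "$2/d"
     echo "$(ls -ld "$2/f" | cut -c1-10) $(ls -ld "$2/d" | cut -c1-10)")
}

# Constructed demonstration on two sample profiles in a scratch directory.
# On the trusted system itself, run: audit_umask_files "$STARTUP_FILES"
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'PATH=/usr/bin:/bin\numask 077\n' > "$tmp/good.profile"
    printf 'PATH=/usr/bin:/bin\n# umask 077\n' > "$tmp/bad.profile"
    audit_umask_files "$tmp/good.profile $tmp/bad.profile $tmp/absent" || true
    echo "umask 077 gives: $(perms_under_umask 077 "$tmp")"
    rm -rf "$tmp"
}
demo
```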

Setting Up Password and Account Securities Policies

You can set up password and account security policies using SAM:

  1. Run SAM:

       sam
    

    The SAM main menu is displayed.

  2. Highlight System Securities Policies. A new screen is displayed that lets you choose from the following options:

    • Password format policies

    • Password aging policies

    • General user account policies

    • Terminal securities policies

Refer to the following sections for how to set up the specific aspects of password and account security.

Setting Up Password Format Policies

You can set system policies for user accounts. The policies you set apply to all users unless you set user-specific policies. Refer also to "Selecting and Generating Passwords" later in this chapter.

To set up password format policies using SAM:

  1. Highlight System Securities Policies.

  2. Highlight Password Format Policies. The Password Format Policies screen is displayed.

  3. Select appropriate options by using the arrow keys to highlight them and pressing Return to toggle the options on or off.

  4. Select one or more of the Password Selection Options to cause the system to generate passwords for your users:

    1. System Generates Pronounceable

    2. System Generates Character

    3. System Generates Letters only

    4. User Specifics

    NOTE: If you select more than one of the above options, users will get to choose which they prefer at login time.
  5. If you toggle User Specifics on, you can select additional options:

    1. Use Restriction Rates

    2. Allow Null Passwords

    NOTE: For trusted systems, you should not allow null passwords. This severely compromises system security.
  6. Select OK.

Setting Up Password Aging Policies

HP-UX lets you select password aging options. The amount of time a user has a particular password on his or her account is directly related to the amount of time a penetrator has to guess it. When password aging is enabled, the system maintains a time between password changes, an expiration time, and a lifetime for passwords on the system. Refer to "Password Aging" later in this chapter for more information.

If there is a system compromise, you can also choose to expire all user passwords immediately and force users to select new passwords.

To set up password aging policies using SAM:

  1. Highlight System Securities Policies.

  2. Highlight Password Aging Policies. The Password Aging Policies screen is displayed.

  3. Set Password Aging to Enabled. The Enable Password Aging screen is displayed.

  4. Select appropriate options by using the arrow keys to highlight them and typing appropriate options.

  5. Set the Time Between Password Changes (in days). This sets the minimum time a user must keep a password, which prevents users from changing their password and then immediately changing it back to the old one.

  6. Specify the Password Expiration Time (in days). The expiration time of a password specifies a time after which a user must change the password.

  7. Indicate the Password Warning Time (in days). This is when to start sending warning messages to the user that they will need to change their password soon.

  8. Specify the Password Lifetime (in days). The lifetime specifies the time at which the account associated with that password is locked. Once locked, the password must be changed before the person can log in.

  9. Select OK to accept these values.

Setting Up General User Account Policies

You can set some general policies to help ensure system security on user accounts.

To set up general user account policies using SAM:

  1. Highlight System Securities Policies.

  2. Highlight General User Account Policies. The General User Account Policies screen is displayed.

  3. Select appropriate options by using the arrow keys to highlight them and pressing Return to toggle the options on or off or by typing appropriate values.

  4. Set whether or not to require a user to log in when booting the system in single-user mode.

    NOTE: It is recommended that you require a password when booting to single-user mode to prevent unauthorized users from rebooting the system and performing activities that should be restricted to the system administrator.

    Be sure to remember the password!

  5. Select OK.

Boot Authentication

When setting up a general user account, you must ensure that the user is not authorized to boot in single-user mode. This must be reserved for the system administrator. See "Setting Up General User Account Policies" for instructions. See the System Administration Task manual and the following man pages for more information: default(4), getprpwent(3), and prpwd(4).

NOTE: It is critical that boot authentication be set to root and that the system reboots in single-user mode. When the system reboots, you must ensure that auditing is turned on before bringing the system into multi-user mode.

Setting Up Terminal Securities Policies

This screen allows you to specify login restrictions. By setting these restrictions, you can enforce greater system security.

To set terminal securities policies using SAM:

  1. Highlight System Securities Policies.

  2. Highlight Terminal Securities Policies. The Terminal Securities Policies screen is displayed.

  3. Select appropriate options by using the arrow keys to highlight them and typing appropriate options.

  4. Set the number of allowable unsuccessful login tries (in seconds).

  5. Specify the delay between login tries (in seconds).

  6. Specify the login timeout value (in seconds).

  7. Select OK.

Maintaining the Password Files

A trusted system has two password database files:

  • /etc/passwd password file

  • /tcb/files/auth/user_initial/username protected password file

Each of these files enforces the security policy previously defined in this chapter. Every user has entries in both files and login looks at both entries to authenticate login requests. All passwords are encrypted immediately after entry and stored in /tcb/files/auth/user_initial/username on a trusted system. The password field in /etc/passwd is ignored.

A user with an empty password is forced to set a password upon login on a trusted system. However, this leaves a potential security breach, because any user who knows about the account could set the password for that account before its owner sets a password for the first time.

NOTE: Do not edit the password files directly. Use SAM, useradd, or usermod to modify password entries.

HP-UX generates these mapping files to provide faster access to the password files:

   /tcb/files/auth/system/pw_id_map

   /tcb/files/auth/system/gr_id_map

   /tcb/files/auth/system/aid_id_map

It is possible for these mapping files to get out of sync with the password database files, resulting in users unable to log in. In this case, remove the mapping files. The system automatically regenerates new mapping files.

/etc/passwd

The /etc/passwd file is used to authenticate users at login time on standard HP-UX systems. This file contains descriptions of every account on the system. Refer to HP-UX System Administration Tasks and the passwd(1) and passwd(4) man pages in the HP-UX Reference.

/tcb/files/auth/*/*

When a system is converted to a trusted system, the encrypted password, normally held in the second field of /etc/passwd, is moved to the protected password database file, and an asterisk holds its place in the /etc/passwd file.

Protected password database files are stored in the /tcb/files/auth hierarchy. User authentication profiles are stored in these directories based on the first letter of the user account name. For example, the authentication profile for user dgarcia is stored in the file /tcb/files/auth/d/dgarcia.

The protected password file is an important part of a C2-level trusted system. Key security elements are stored in the protected password database and are accessible only to superusers. You need to set password entries using character mode SAM. Password data not set for a user uses the system defaults stored in the file /tcb/files/auth/system/default.

When you add new user accounts to the system using character mode SAM, user protected password database entries are created as a side effect. SAM ensures that each account has a unique login name. SAM issues a warning message if you try to create an account with an existing UID. SAM ensures that a unique audit ID is assigned for each UID. Refer to HP-UX System Administration Tasks for additional information about adding users to your system and controlling system access.

If adding more than one account for a user, you must be sure that each account has a unique UID, for security reasons. Each login must have a unique UID on a trusted system.

Entries in the Protected Password Database

Each entry in the protected password database corresponds to a single user. Each entry contains the following fields:

  • User name and UID (User ID)

  • Encrypted password

  • Account owner

  • Boot flag (whether or not the user can boot the system to single user mode)

  • Audit ID and auditing flag (whether or not this user is audited)

  • Minimum time between password change (or default)

  • Maximum password length

  • Password expiration interval (after which the password must be changed)

  • Password lifetime (after which the account is locked)

  • Time of last successful password change

  • Time of last unsuccessful password change

  • User ID of last person who changed the password, if not the account owner

  • Password expiration date

  • Maximum time allowed between logins before the account is locked

  • Number of days before expiration when warning will appear

  • Whether or not the user can use the account without a password

  • Whether passwords are user-generated or system-generated

  • Whether triviality checks are performed on user-generated passwords

  • Type of system-generated passwords

  • Times when the user is permitted to log in

  • Time stamp of last successful login

  • Terminal ID (TTY) of last successful login

  • Time stamp of last unsuccessful login

  • Number of unsuccessful logins since the last successful login

  • Maximum number of unsuccessful login attempts allowed

  • Administrative account lock

Refer to prpwd(4) for more information on these entries.

Selecting and Generating Passwords

On trusted systems, the following methods control how passwords are generated:

  • User-generated passwords: A password screening option checks user-generated passwords against the dictionary and checks for the use of login names, login name permutations, and repeated characters.

  • System-generated passwords (alphabetic): You can have the system generate passwords using alphabetic characters only.

  • System-generated passwords (alphanumeric): You can have the system generate passwords using alphabetic, numeric, and punctuation characters.

  • System-generated passwords (English phrases): You can have the system generate passwords using alphabetic characters only.

You can set these options for your HP-UX system or for specific users.

Password Aging

You can enable or disable password aging for each user. When password aging is enabled, the system maintains the following for the password:

  • Minimum Time--specifies the minimum time required between password changes.

  • Expiration time--specifies a time after which a user must change the password at login.

  • Warning time--specifies the time before expiration when a warning will be issued to the user.

  • Lifetime--specifies the time at which the account associated with the password is locked if the password is not changed. Once locked, only the system administrator can unlock it. Once unlocked, the password must still be changed before the user can log into the account.

The expiration time and lifetime values are reset when a password is changed. A lifetime of zero specifies no password aging; in this case, the other password aging times have no effect.
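The script below is an added example, not part of the HP manual: it models the four aging values just described (minimum time, expiration time, warning time, lifetime) as day counts from the last password change, so the interplay of the thresholds and the lifetime-zero rule can be tried on sample data. The argument and function names are the example's own, not the field names of prpwd(4).

```shell
#!/bin/sh
# Added example, not part of the HP manual: a small model of the aging rules
# above, so the four values can be tried on sample data. Days are counted
# from the last password change instead of using real dates, and the
# argument names are mine, not the field names in prpwd(4).

# aging_state LAST_CHANGE NOW MIN EXPIRE WARN LIFETIME  (all in days)
# Prints the state the user would be in at NOW: ok, warn, must_change or locked.
aging_state() {
    age=$(( $2 - $1 ))                 # reset to 0 whenever the password is changed
    if [ "$6" -eq 0 ]; then            # lifetime 0: aging off, other values ignored
        echo ok
    elif [ "$age" -ge "$6" ]; then     # past lifetime: account locked until an
        echo locked                    # administrator unlocks it; change still forced
    elif [ "$age" -ge "$4" ]; then     # past expiration: change forced at login
        echo must_change
    elif [ "$age" -ge $(( $4 - $5 )) ]; then   # inside the warning window
        echo warn
    else
        echo ok
    fi
}

# change_allowed LAST_CHANGE NOW MIN LIFETIME: succeed if the user may change
# the password at NOW. The minimum time stops "change it, then change it back";
# with lifetime 0 the minimum (like the other values) has no effect.
change_allowed() {
    [ "$4" -eq 0 ] || [ $(( $2 - $1 )) -ge "$3" ]
}

# Constructed policy: min 2, expiration 30, warning 5, lifetime 60 days,
# password last changed on day 0. Prints the state on selected days.
for day in 0 1 2 24 25 29 30 31 59 60; do
    if change_allowed 0 "$day" 2 60; then may=yes; else may=no; fi
    echo "day $day: $(aging_state 0 "$day" 2 30 5 60), change allowed: $may"
done
```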

Time-Based Access Control

On trusted systems, you can specify times of day and days of week that are allowed for login for each user. This is another mechanism to ensure that the C2-level security is maintained.

When a user attempts to log in outside of the allowable access time, the event is logged (if auditing is enabled for login failures and successes) and the login is terminated. Administrators with superuser privilege can log in outside the allowable access time, but the event is logged. The access time is stored in the protected password database. You can change the access times using SAM.

Device-Based Access Control

You (the superuser) can also control access to the system using serial devices. For each mux port and dedicated DTC port on a trusted system, you can specify a list of users allowed access. If the list is empty (null) for a device, all users are allowed access.

Device Assignment Database

The device access information is stored in the device assignment database, /tcb/files/auth/devassign, which contains an entry for each device on the trusted system. Each entry in the device assignment database contains the following fields:

  • A list of pathnames for each physical device attached to the system

  • For each device, a device type (login terminal, remote terminal)

  • The external name of the device

  • The list of users who can access the device

You can modify the device assignment database using SAM. Functions provided allow you to administer the relationship between physical devices and pathnames, to assign device types, and to designate which users can use the devices. See devassign(4) for more information.

Terminal Control Database

You can also control access to terminals to enforce even stricter controls. Terminal login information on a trusted system is stored in the terminal control database, /tcb/files/ttys, which provides the following data for each terminal:

  • Device name

  • User ID of the last user to successfully log into the terminal

  • Last successful login time to the terminal

  • Last unsuccessful login time to the terminal

  • Number of consecutive unsuccessful logins before terminal is locked

  • Terminal lock flag

One special login terminal is called the system console. When the kernel is configured during system installation, you need to specify the hardware device to which the system console is attached.

You can access the terminal control database using SAM and set or modify all entries. See ttys(4) for more information.

Manipulating the Trusted System Databases

Table 2-2 “Library Routines for Manipulating Trusted System Databases” lists the library routines you can use to access information in the password files and other trusted system databases. Refer to the HP-UX Reference for details.

Table 2-2 Library Routines for Manipulating Trusted System Databases

Routine       Description
getpwent      Get password entries from /etc/passwd
getprpwent    Get password entries from /tcb/files/auth/*/*
getspwent     Get password entries from /tcb/files/auth/*/*, provided for backward compatibility
putpwent      Write password file entries to /etc/passwd
putprpwnam    Write password entries to /tcb/files/auth/*/*
putspwent     Write password file entries in the old secure password file format, provided for non-HP software compatibility. Will not work with the protected password database.
getdvagent    Manipulates device entries in /tcb/files/auth/devassign
getprdfent    Manipulates system defaults in /tcb/files/auth/system/default
getprtcent    Manipulates the terminal control database /tcb/files/ttys

 
