Shadow Password Bundle

 

 


2.4.1 Shadow Passwords
 
HP-UX 11i Security, by Chris Wong, Prentice Hall PTR; ISBN: 0130330620

 

If you are running HP-UX 11i or higher, you can install the Shadow Password bundle.  This can be found at http://software.hp.com.

This bundle will replace the encrypted passwords with an "x" in the /etc/passwd file.  The encrypted passwords are moved to the /etc/shadow file.  This is similar to Linux systems.

After the bundle has been installed, run the pwconv command to move the encrypted passwords.  You can move them back by using the pwunconv command.  More information can be found in the man page "shadow".

You can only use shadow passwords if you are using /etc/passwd and/or LDAP.  Shadow passwords are not supported with NIS/NIS+.  You cannot use them if you are running a full trusted system (see book section 2.5).  If you no longer want to run a trusted system, you can run "tsconvert -r" to return to a non-trusted system, then install the Shadow Passwords bundle and run pwconv.

There are three new options in the /etc/default/security file if you are using the Shadow Password bundle.  These are shown below (from the security man page):

PASSWORD_MAXDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default maximum number of days
that passwords are valid. This parameter applies only
to local users and does not apply to trusted systems.

The passwd -x option can be used to override this value
for a specific user.

PASSWORD_MAXDAYS=N A new password is valid for up to
N days, after which the password must be changed.

Default value: PASSWORD_MAXDAYS=-1 password aging is
turned off.

PASSWORD_MINDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default minimum number of days
before a password can be changed. This parameter
applies only to local users and does not apply to
trusted systems. The passwd -n option can be used to
override this value for a specific user.

PASSWORD_MINDAYS=N A new password cannot be changed
until at least N days since it was last changed.

Default value: PASSWORD_MINDAYS=0

PASSWORD_WARNDAYS
If the ShadowPassword bundle is installed, this
parameter controls the default number of days before
password expiration that a user is to be warned that
the password must be changed. This parameter applies
only to local users on Shadow Password systems. The
passwd -w option can be used to override this value for
a specific user.

PASSWORD_WARNDAYS=N Users are warned N days before
their password expires.

Default value: PASSWORD_WARNDAYS=0 (no warning)
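
A POSIX shell audit for the points above: it lists passwd entries whose password field is not "x" and reports when the effective PASSWORD_MAXDAYS or PASSWORD_WARNDAYS is the documented default that leaves aging or warnings off. This is an added example, not code from the book or from HP; the function names and sample data are constructed, and it assumes that a non-"x" field means the entry was not converted and that the last occurrence of a repeated parameter wins.

```shell
#!/bin/sh
# Added example (not from the book): audit checks for a Shadow Password system.
# Assumption: after pwconv, any password field other than "x" was not converted.

# Constructed sample data; in practice feed /etc/passwd and /etc/default/security.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
jsmith:CONSTRUCTED-HASH:101:20::/home/jsmith:/usr/bin/sh
guest::102:20::/home/guest:/usr/bin/sh'
SAMPLE_SECURITY='# constructed fragment
PASSWORD_MAXDAYS=90
PASSWORD_MINDAYS=1'

# List login names whose password field is not "x" (passwd format on stdin).
unshadowed_accounts() {
    awk -F: 'NF >= 2 && $2 != "x" { print $1 }'
}

# Print the value set for parameter $1 (security file on stdin), or the
# documented default $2 when absent. Assumption: the last occurrence wins.
security_param() {
    awk -F= -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { val = $2; gsub(/[ \t]/, "", val); found = 1 }
        END { print (found ? val : def) }'
}

# Report effective defaults that leave aging or expiry warnings switched off.
aging_findings() {
    conf=$(cat)
    max=$(printf '%s\n' "$conf" | security_param PASSWORD_MAXDAYS -1)
    warn=$(printf '%s\n' "$conf" | security_param PASSWORD_WARNDAYS 0)
    if [ "$max" = "-1" ]; then
        echo "PASSWORD_MAXDAYS=-1: password aging is turned off"
    fi
    if [ "$warn" = "0" ]; then
        echo "PASSWORD_WARNDAYS=0: users get no expiry warning"
    fi
    return 0
}

printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_accounts
printf '%s\n' "$SAMPLE_SECURITY" | aging_findings
```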



 

    

 Copyright © 2007 NEWFDAWG.COM All rights reserved.     Last modified: 02/03/07.