unix security

Was wondering if anyone could answer two quick questions... 1) What is the best way to implement password triviality checking, and also checking to make sure a user does not use the same password twice? 2) Is there any nice software out there to manage users on multiple machines as far as security and accounts? Both questions are for HP-UX.

Thanks
Brian

Try a search on freshmeat.net. I found this, though it may not be exactly what you want; something you do want should be there.

Damn, a network security related post and it's not in my forum; I never get to moderate! :smiley:

Try "John the Ripper" (http://www.openwall.com/john/)

On HP-UX, actually, if you do a man on "security"... you can create a file called /etc/default/security and edit it with the parameters you desire from the manpage...

It shows how you can implement passwd history depth security and passwd length security, as well as minimum length...

     PASSWORD_HISTORY_DEPTH=N
                 A new password is checked against only the N most
                 recently used passwords for a particular user.

                 A configuration of password history depth of 2 prevents
                 users from alternating between two passwords.  The
                 maximum password history depth supported is 10 and the
                 minimum password history depth supported is 1.  A depth
                 configuration of more than 10 will be treated as 10,
                 and a depth configuration of less than 1 will be
                 treated as 1.

I don't know the answer to the second question, but for the first, it's in the base configuration, if you trust your system, via the parameter passwd_history.
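To make the two replies above concrete, here is an added example (not from the thread, and not HP-UX's own code): a small POSIX shell script that reads PASSWORD_HISTORY_DEPTH out of an /etc/default/security-style file, applies the clamping rule the quoted manpage describes (over 10 is treated as 10, under 1 as 1), and then shows how a depth-N history check only rejects reuse of the N most recent passwords. The security file and the history list it uses are constructed sample data; a real system stores and compares password hashes, not cleartext entries like these.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the password-history
# setting in an HP-UX style /etc/default/security file and show how a
# depth-N reuse check behaves. All file contents below are constructed.

# Echo the effective PASSWORD_HISTORY_DEPTH from the file named by $1,
# clamped the way the quoted security manpage describes (over 10 -> 10,
# under 1 -> 1). Returns 1 and echoes nothing when the parameter is absent
# or not a plain non-negative integer.
effective_history_depth() {
    raw=$(grep '^PASSWORD_HISTORY_DEPTH=' "$1" 2>/dev/null | tail -n 1 \
          | cut -d= -f2 | tr -d ' \t')
    [ -n "$raw" ] || return 1
    case $raw in *[!0-9]*) return 1 ;; esac   # reject non-numeric values
    if [ "$raw" -gt 10 ]; then raw=10; fi
    if [ "$raw" -lt 1 ]; then raw=1; fi
    echo "$raw"
}

# Return 0 if candidate $2 matches one of the $1 most recent entries in
# history file $3 (one entry per line, newest first), else 1.
# Demo only: a real system keeps hashes, never cleartext passwords.
password_in_history() {
    head -n "$1" "$3" | grep -qxF -- "$2"
}

# Write constructed sample files into a scratch directory and echo its path.
make_demo_files() {
    d=$(mktemp -d 2>/dev/null || echo "${TMPDIR:-/tmp}/secdemo.$$")
    mkdir -p "$d"
    cat > "$d/security" <<'EOF'
# constructed sample /etc/default/security (not taken from a real host)
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=25
EOF
    # constructed history, newest first (demo values, not real passwords)
    cat > "$d/history" <<'EOF'
demo-pass-4
demo-pass-3
demo-pass-2
demo-pass-1
EOF
    echo "$d"
}

dir=$(make_demo_files)
depth=$(effective_history_depth "$dir/security") || depth="(unset)"
echo "effective PASSWORD_HISTORY_DEPTH: $depth"   # file says 25, effect is 10

# With a depth of 2, only the two newest entries block reuse; an older
# password such as demo-pass-1 would be accepted again.
for candidate in demo-pass-4 demo-pass-1 demo-pass-9; do
    if password_in_history 2 "$candidate" "$dir/history"; then
        echo "$candidate: rejected (used within the last 2 passwords)"
    else
        echo "$candidate: accepted"
    fi
done
rm -rf "$dir"
```

Run it as `sh check_history.sh`; point `effective_history_depth` at the real /etc/default/security to see which depth a host actually enforces after clamping, which is the figure to compare against your policy rather than the raw number in the file.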

Re part 2 of your question ...

NIS or NIS+ can handle user authentication and
accounts.


Are you running your HP-UX systems in Trusted mode? (just curious)

NIS+ would work, but I've tended to steer away from Yellow Page systems in favor of Secure LDAP for centralized user administration. You can couple both with Kerberos for an even tighter rein. If you use sudo (or RBAC), you can also integrate rights management with LDAP - something that lends itself to a nice automated firecall system.

As for password policies etc., there are (and always will be) numerous debates on how much is too much. If you make it too complicated, you are bound to have users writing their passwords down (and placing them under their keyboards).

Cheers,

Keith