HP-UX 11i Version 1.6 Release Notes
Other Functionality
Shadow Passwords
Chapter 8
147
Shadow Passwords
A new Shadow Password feature enhances system security by hiding users' encrypted
passwords in a shadow password file.
Summary of Change
The HP-UX 11i v1.6 release introduces an optional, configurable Shadow Password
feature based on the de-facto standard provided in other UNIX flavors, including Sun
Solaris and Linux. Encrypted passwords previously stored in the publicly readable
/etc/passwd file can be moved to /etc/shadow, which is accessible only by a privileged
user. For HP-UX 11i v1.6, Shadow Passwords are not supported with NIS, NIS+, or
LDAP.
Details of Change
Shadow Passwords are optionally configured. The pwconv command can be run to move
encrypted passwords and password aging information from /etc/passwd to
/etc/shadow. Afterwards, pwunconv can be run to convert back to a standard system.
Shadow Passwords are important for system security. The increasing computational power
available to password crackers has made the non-hidden encrypted passwords in /etc/passwd
vulnerable to offline cracking. Also, because Shadow Passwords make HP-UX compliant with
the de-facto standard, they simplify the administration of multi-vendor configurations.
Impact
There is no impact unless pwconv is used on a standard system to convert it to use
Shadow Passwords.
Compatibility
The behavior of this command on a Trusted System is not changed. When run on a
standard system, pwconv now converts the system to use Shadow Passwords. Previously,
when run on a standard system, this command just printed a message saying that it was
only for use on Trusted Systems.
In HP-UX 11i v1.6, Shadow Passwords are not supported with NIS, NIS+, or LDAP. Do
not run pwconv on these configurations.
An application could be impacted if pwconv is used to convert the system to use Shadow
Passwords and the application uses the getpwent interfaces or directly accesses the
password field of the /etc/passwd file with the assumption that the password and aging
information reside there. That field can now contain an 'x', indicating that the information
is in /etc/shadow, which is accessible only by privileged users.
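The following is an added example, not code from HP or the release notes, showing how a non-PAM application should handle the converted password field described above: treat an 'x' in pw_passwd as a marker, fall back to getspnam() from shadow.h for the real entry, and report the case where the caller lacks the privilege to read /etc/shadow. It assumes the getspnam()/struct spwd interface, which is present on HP-UX 11i v1.6 with shadow support and on Linux.

```c
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* A passwd(4) password field of exactly "x" means pwconv has moved the
 * encrypted password and aging data into /etc/shadow. Anything else ("*",
 * an empty field, or a real hash) is still the complete entry. */
int pw_field_is_shadowed(const char *pw_passwd)
{
    return pw_passwd != NULL && strcmp(pw_passwd, "x") == 0;
}

/* Shadow-aware lookup of a user's encrypted password.
 * Returns  0 and fills `out` on success,
 *         -1 if the user does not exist,
 *         -2 if the entry is shadowed but /etc/shadow is not readable
 *            (getspnam() fails with EACCES for unprivileged callers). */
int lookup_password_hash(const char *user, char *out, size_t outlen)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    if (!pw_field_is_shadowed(pw->pw_passwd)) {
        /* Standard (non-shadowed) system: the hash is right here. */
        snprintf(out, outlen, "%s", pw->pw_passwd);
        return 0;
    }
    /* Shadowed entry: only a privileged process can read it. */
    errno = 0;
    struct spwd *sp = getspnam(user);
    if (sp == NULL)
        return -2;
    snprintf(out, outlen, "%s", sp->sp_pwdp);
    return 0;
}

int main(int argc, char **argv)
{
    char hash[256];
    const char *user = argc > 1 ? argv[1] : "root";
    int rc = lookup_password_hash(user, hash, sizeof hash);
    if (rc == 0)
        printf("%s: hash field resolved (%zu chars)\n", user, strlen(hash));
    else if (rc == -1)
        printf("%s: no such user\n", user);
    else
        printf("%s: shadowed; privilege needed to read /etc/shadow (%s)\n",
               user, strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Run it once as an ordinary user and once as root to see the -2 path turn into a successful lookup; code that instead used pw_passwd directly would silently get the literal "x".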
IPF applications are not affected if they use the preferred pam interfaces for
authentication. PA-RISC applications (e.g. CDE) require patches to the PA-RISC
libraries that support the shadow functionality. These patches, once they are made
available, can be identified by their patch numbers:
PHCO_26965
PHCO_26966