Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Managing Trusted Passwords and System Access
Chapter 8 803
Password Files
A Trusted System maintains multiple password files: the /etc/passwd
file and the files in the protected password database /tcb/files/auth/
(see “The /tcb/files/auth/ Database” on page 804). Each user has an entry
in two files, and login looks at both entries to authenticate login
requests.
If NIS+ is configured, this process is more complex; see “Network
Information Service Plus (NIS+)” on page 839.
All passwords are encrypted immediately after entry and stored in /tcb/files/auth/user-char/user-name, the user's protected password database file (user-char is the first character of the user name). Only the encrypted password is used in comparisons.
Do not permit empty (null) password fields in either password file. On a Trusted System the password field in /etc/passwd is ignored; a user whose protected-database entry has an empty password is forced to set one at login. Even this leaves a window for a security breach: until the first password is set, anyone who logs in as that account can set it.
Do not edit the password files directly. Use SAM, useradd, userdel, or
usermod to modify password file entries.
HP-UX generates these mapping files to provide faster access to the
password files:
/tcb/files/auth/system/pw_id_map
/tcb/files/auth/system/gr_id_map
/tcb/files/auth/system/aid_id_map
It is possible for these mapping files to get out of sync with the password database files, resulting in users being unable to log in. In this case, remove the mapping files; the system automatically regenerates them.
The /etc/passwd File
The /etc/passwd file is used to identify a user at login time for a
Trusted System. The file contains an entry for every account on the
HP-UX system. Each entry consists of seven fields, separated by colons: the login name, the password field (ignored on a Trusted System, where it conventionally holds *), the numeric user ID, the numeric group ID, the comment (GECOS) field, the home directory, and the login shell. A typical entry for /etc/passwd in a Trusted System looks like this:
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
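The following is an added example, not code from the HP-UX manual. It parses the seven-field /etc/passwd layout shown above and audits a file for the problems this section warns about: malformed entries and empty password fields. The sample file, the account names other than robin, and the function names are constructed for the demonstration; the check that flags a non-"*" password field on a Trusted System is an assumption based on the convention shown in the entry above, since that field is ignored there.

```python
"""Parse and audit /etc/passwd entries (seven colon-separated fields).

Added example, not from the HP-UX manual. SAMPLE_PASSWD is constructed for
the demonstration; the field layout is the standard one.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: a root entry, the manual's robin entry, an account with an
# empty password field, an account carrying a password value in /etc/passwd,
# and a malformed line with only six fields.
SAMPLE_PASSWD = """\
root:*:0:3:System Administrator:/:/sbin/sh
robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
guest::103:99:Guest account:/home/guest:/usr/bin/sh
marian:x:104:99:Maid Marian:/home/marian:/usr/bin/sh
broken:*:105:99:Too few fields:/home/broken
"""


@dataclass
class PasswdEntry:
    name: str        # login name
    password: str    # ignored on a Trusted System; conventionally "*"
    uid: int         # numeric user ID
    gid: int         # numeric primary group ID
    gecos: str       # comment field: name,office,office phone,home phone
    home: str        # home directory
    shell: str       # login shell

    def gecos_fields(self) -> List[str]:
        """Split the comment field on commas (name, office, office phone, home phone)."""
        return self.gecos.split(",")


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one entry; raise ValueError unless it has exactly seven fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, found {len(parts)}: {line!r}")
    name, password, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)


def audit_passwd(text: str, trusted_system: bool = True) -> List[str]:
    """Return one finding per problem, numbered by line from 1.

    Checks: seven-field layout, empty password fields (never allowed),
    numeric UID/GID, duplicate login names, and, on a Trusted System, a
    password field other than "*" (assumption: the manual's entries show "*"
    because the field is ignored there, so anything else deserves a look).
    """
    findings: List[str] = []
    seen_names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(f"line {lineno}: expected 7 colon-separated fields, found {len(parts)}")
            continue
        name, password, uid, gid = parts[0], parts[1], parts[2], parts[3]
        if name in seen_names:
            findings.append(f"line {lineno}: duplicate login name {name!r}")
        seen_names.add(name)
        if password == "":
            findings.append(f"line {lineno}: account {name!r} has an empty password field")
        elif trusted_system and password != "*":
            findings.append(f"line {lineno}: account {name!r} has a non-'*' password field, "
                            "which a Trusted System ignores")
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(f"line {lineno}: account {name!r} has a non-numeric UID or GID")
    return findings


if __name__ == "__main__":
    robin = parse_passwd_line(SAMPLE_PASSWD.splitlines()[1])
    print(robin.name, robin.uid, robin.gecos_fields())
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run against a real /etc/passwd, the audit reports the guest-style entry with an empty password field before anyone can claim the account, and a six-field line that login would otherwise misparse. Passing trusted_system=False suppresses the "*" convention check for systems where /etc/passwd still carries the password.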