Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
HP-UX Shadow Passwords
Increasing computational power available to password crackers has
made the nonhidden passwords in the /etc/passwd file vulnerable to
decryption. Shadow passwords enhance system security by hiding users'
encrypted passwords in a shadow password file. Encrypted passwords
previously stored in the publicly readable /etc/passwd file can
optionally be moved to the /etc/shadow file, which is accessible only by a
privileged user.
Beginning with HP-UX 11i v2, the HP-UX Shadow Passwords feature is
delivered with the operating system. For earlier versions of HP-UX 11i,
you can download the product from the HP Software Depot,
http://software.hp.com.
Features and Benefits
HP-UX Shadow Passwords provide the following features and benefits:
Security
    Shadow passwords are important for system security. Since shadow
    passwords are not accessible to unprivileged users, they are less
    vulnerable to decryption.

Configurability
    After the Shadow Password product has been installed, the pwconv(1M)
    command can be run to enable shadow passwords, and the pwunconv(1M)
    command can be run to disable shadow passwords.

Compatibility
    When shadow passwords are enabled, applications can be affected if they
    directly access the password field of /etc/passwd, with the assumption
    that password and aging information reside there. That field will now
    contain an “x”, indicating that the information is in /etc/shadow.
    When shadow passwords are not enabled, there is no impact to
    application programs. Applications are not affected if they use the
    preferred PAM interfaces to authenticate.

Standards Conformance
    HP-UX Shadow Passwords is based on the de facto standard provided in
    other UNIX versions, including Sun Solaris and Linux.
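
The Compatibility note above can be checked with a short audit of the password field in a passwd-format file. This is an added example, not part of the HP guide: it reports which entries carry the “x” marker and which still expose a hash (with or without aging information after a comma). The function names and sample entries are constructed for illustration, and treating a leading "*" as a locked account is an assumption.

```shell
#!/bin/sh
# Added example (not HP code): classify field 2 of each passwd-format entry.

# Print "<user> <state>" for every entry in the file given as $1.
audit_passwd_field() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                 # skip blank and comment lines
        NF < 7 { printf "%s malformed\n", $1; next }
        {
            pw = $2
            if (pw == "x")                  state = "shadowed"    # moved to /etc/shadow
            else if (pw == "")              state = "empty"       # no password set
            else if (substr(pw, 1, 1) == "*") state = "locked"    # assumption: no valid hash
            else if (index(pw, ",") > 0)    state = "hash+aging"  # hash followed by ,aging
            else                            state = "hash"        # hash readable by all users
            printf "%s %s\n", $1, state
        }' "$1"
}

# Count the entries whose hash is still readable in the file given as $1.
count_exposed() {
    audit_passwd_field "$1" | awk '$2 ~ /^hash/ { n++ } END { print n + 0 }'
}

# Write constructed sample entries (placeholder strings, not real hashes) to $1.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:PLACEHOLDER13:101:20:,,,:/home/alice:/usr/bin/sh
bob:PLACEHOLDER13,3.B1:102:20::/home/bob:/usr/bin/sh
carol::103:20::/home/carol:/usr/bin/sh
EOF
}

# Demonstration on the constructed sample.
sample="${TMPDIR:-/tmp}/passwd.sample.$$"
write_sample "$sample"
audit_passwd_field "$sample"
echo "entries with a readable hash: $(count_exposed "$sample")"
rm -f "$sample"
```

To audit a live system, pass /etc/passwd to audit_passwd_field; after pwconv has run, no entry should be reported as "hash" or "hash+aging".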