Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 969
For HP-UX 11.20 and prior, the system will be converted to trusted mode
to hide the encrypted passwords. In addition, a trusted system provides
other useful security features such as auditing and login passwords
with lengths greater than 8 characters. Also, more options are
available, such as password length requirements, and password
aging. (This, combined with other criteria, means that HP-UX in
trusted mode is "C2 compliant.")
For HP-UX 11.22 and later, the encrypted passwords can be hidden by
converting to "shadowed" passwords. The encrypted string is removed
from /etc/passwd and placed into the /etc/shadow
file. This file is only readable and accessible by root.
Converting to trusted mode or shadow passwords may break compatibility with
some of the software on your system. Any program that does not use the
standard interfaces to authenticate user passwords will be unable to access
the encrypted password string and therefore unable to authenticate the user.
Shadow passwords are used on several other versions of Unix(TM), so they are
less likely to cause problems for cross-platform applications. However,
some versions of the tool "sudo" were incompatible with trusted mode HP-UX.
LDAP (Lightweight directory access protocol) is compatible with shadow
passwords, but not compatible with trusted mode. If you use LDAP, you
should not answer Yes to any question which requires trusted mode.
If you are using NIS, NIS+, or DCE authentication, DO NOT convert to
shadowed passwords. Shadowed passwords are incompatible with NIS (for
good reason, since the encrypted passwords are sent in clear text over
the network anyway). The shadow password documentation still indicates
that NIS+ and DCE are incompatible with shadowed passwords, so Bastille
will not do the conversion if a conflict is detected. For more information
see the manual page for pwconv(1M) and nsswitch.conf(1M).
NOTE: After converting to shadowed passwords, ensure that /etc/shadow is
being backed up along with /etc/passwd.
NOTE: The Access Control List feature available on trusted systems is
not supported on older versions of the JFS file system. (You will need at
least version 3.3 of JFS if you want to use this feature.)
WARNING: If you have a large number of accounts on this system, the
conversion may take up to several minutes.
(MANUAL ACTION MAY BE REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)
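The following pre-flight checks for the shadow-password conversion are an added example; they are not part of the HP-UX manual or of Bastille. They inspect the passwd line of an nsswitch.conf for NIS, NIS+ or DCE sources (source names nis, nisplus and dce are assumed from nsswitch.conf syntax), list accounts whose password field still holds an encrypted string, and confirm that a shadow file is unreadable by group and others. File paths are parameters so the checks can run on constructed copies; nothing on the system is changed.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual or Bastille). Paths are passed in so
# the checks can be run against copies; no files are modified.

# Return 0 if the passwd line of the given nsswitch.conf names no network
# source that conflicts with shadowed passwords, 1 if it names one.
nsswitch_allows_shadow() {
    line=$(grep '^passwd:' "$1" | head -n 1 | sed 's/#.*//')
    for src in $(echo "$line" | cut -d: -f2-); do
        case "$src" in
            nis|nisplus|dce) echo "conflict: passwd source '$src' in $1"; return 1 ;;
        esac
    done
    return 0
}

# Print login names whose password field still carries an encrypted string
# (not "x", "*" or empty); return 0 if any were found, 1 if none.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print $1; n++ }
             END { exit n ? 0 : 1 }' "$1"
}

# Return 0 if group and other permission bits (ls -l columns 5-10) are all
# cleared, as they must be for /etc/shadow; 1 otherwise.
root_only_mode() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demonstration on constructed files, not real system data.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd: files nis   # constructed: NIS-backed passwd lookups
group:  files
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:AbCd1234EfGh5:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:x:101:20::/home/alice:/usr/bin/sh
EOF
touch "$demo_dir/shadow" && chmod 400 "$demo_dir/shadow"

nsswitch_allows_shadow "$demo_dir/nsswitch.conf" || echo "do not run pwconv"
echo "accounts with encrypted strings still in passwd:"
unshadowed_accounts "$demo_dir/passwd" || echo "(none)"
root_only_mode "$demo_dir/shadow" && echo "shadow file is root-only"
rm -rf "$demo_dir"
```

With the constructed inputs the NIS source is reported and the conversion flagged as unsafe, while the root entry is listed as still unshadowed.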
Account Security
Q: Would you like to password protect single-user mode? [N]
By password protecting single-user mode you will provide
limited protection against anyone who has physical access to the
machine, because they cannot simply reboot and have root access