Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
they may end up writing the password down (a very bad security practice).
Thus, it is important to set password policies which conform to your overall
security policies but do not unduly burden your users.
On HP-UX 11.11 and prior, this will ensure that the system is converted to
trusted mode, enable password aging and allow you to change some basic
defaults. You should use SAM to further configure your policies. For HP-UX 11.22 and later,
Bastille is able to configure several of these policies on a more granular
basis, and conversion to trusted mode is unnecessary for most options. Answering
'Yes' to this question will ensure that your system is converted to shadowed
passwords on HP-UX 11.22 and later.
Trusted mode and password shadowing are incompatible with NIS (an insecure protocol),
so if you wish to use NIS passwords on this system, you should not
select this option.
NOTE: These policies apply only to non-root users and only to services
which properly use PAM (Pluggable Authentication Module) for authentication.
Account Security Q: What should the minimum length of NEW passwords be? [8]
The MIN_PASSWORD_LENGTH parameter controls the minimum length
of new passwords. This policy will not be enforced for the root user on an
untrusted system.
MIN_PASSWORD_LENGTH=N
    New passwords must contain at least N characters.
    For untrusted systems N can be any value from 6 to 8.
    For trusted systems N can be any value from 6 to 80.
Long passwords are generally harder to crack than short ones, but enforcing
long passwords may also increase the chance of users writing down their
passwords (which is a very bad security practice).
Account Security Q: Would you like to set a password history depth? [N]
The PASSWORD_HISTORY_DEPTH parameter controls the password
history depth. A new password is checked only against the most recently
used passwords stored in the password history for that user, up to the
configured depth. A user is not allowed to reuse a previous password that
is still stored in the history.
Answering this question 'Yes' will cause the system to be converted
to trusted mode and give you a chance to set the password history
depth.
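The following sketch is an added example, not part of the original guide or of Bastille. It audits a settings file against the MIN_PASSWORD_LENGTH ranges and the trusted-mode dependency of PASSWORD_HISTORY_DEPTH described above. It assumes the parameters are kept as NAME=VALUE lines in a file such as /etc/default/security; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit NAME=VALUE password-policy settings against the text above.
# Assumption: settings live in a file like HP-UX's /etc/default/security.

# get_param NAME FILE: print the last uncommented value of NAME (empty if unset)
get_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}
# is_uint VALUE: succeed only for a non-empty string of digits
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# check_min_length MODE FILE: MODE is "trusted" or "untrusted"
# returns 0 in range, 1 out of range or malformed, 2 unset, 3 bad MODE
check_min_length() {
    case "$1" in
        trusted)   max=80 ;;   # trusted systems: 6 to 80
        untrusted) max=8 ;;    # untrusted systems: 6 to 8
        *) echo "mode must be trusted or untrusted"; return 3 ;;
    esac
    val=$(get_param MIN_PASSWORD_LENGTH "$2")
    [ -n "$val" ] || { echo "MIN_PASSWORD_LENGTH is not set"; return 2; }
    if ! is_uint "$val" || [ "$val" -lt 6 ] || [ "$val" -gt "$max" ]; then
        echo "MIN_PASSWORD_LENGTH=$val is invalid on a $1 system (allowed 6-$max)"
        return 1
    fi
    echo "MIN_PASSWORD_LENGTH=$val is valid on a $1 system"
}

# check_history_depth MODE FILE: the text ties history depth to trusted mode
# returns 0 unset or usable, 1 malformed or set on an untrusted system
check_history_depth() {
    val=$(get_param PASSWORD_HISTORY_DEPTH "$2")
    [ -n "$val" ] || { echo "PASSWORD_HISTORY_DEPTH is not set"; return 0; }
    is_uint "$val" || { echo "PASSWORD_HISTORY_DEPTH=$val is not a number"; return 1; }
    [ "$1" = trusted ] || { echo "PASSWORD_HISTORY_DEPTH=$val needs trusted mode"; return 1; }
    echo "PASSWORD_HISTORY_DEPTH=$val is set on a trusted system"
}

# write_sample FILE: constructed sample input, not taken from a real system
write_sample() {
    printf '%s\n' '# constructed sample' 'MIN_PASSWORD_LENGTH=10' \
        'PASSWORD_HISTORY_DEPTH=3' > "$1"
}

sample="${TMPDIR:-/tmp}/security.sample.$$"
write_sample "$sample"
check_min_length untrusted "$sample" || :   # 10 exceeds the untrusted maximum of 8
check_history_depth untrusted "$sample" || :
rm -f "$sample"
```

On a real system, pass the actual settings file and the mode the host is running in; a non-zero return marks a value the running mode will not honor as configured.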
Account Security Q: Enter the password history depth. [3]
The PASSWORD_HISTORY_DEPTH parameter controls the password
history depth. A new password is checked only against the number of
most recently used passwords stored in password history for a particular