Administrator's Guide

Security Administrator's Responsibilities
The security administrator and every user on the system share responsibility for password security. The security administrator performs the following security tasks:
Generates temporary passwords for new users. The temporary password must be used for the first login; once it has been verified, the new user is prompted for a new password.
Maintains proper permissions on all system files, including the standard password file, /etc/passwd, and the trusted database files, /tcb/files/auth/*.
Establishes password aging.
Manages password reuse.
Deletes or nullifies expired passwords, user IDs, and the passwords of users who are no longer eligible to access the system.
User's Responsibilities
Every user must observe the following rules:
Remember the password and keep it secret at all times.
Change the initial password immediately; thereafter, change the password regularly.
Report any changes in status and any suspected security violations.
Make sure no one is watching when you enter the password.
Choose a different password for each machine on which you have an account.
A.3.1 Password Files
A trusted system maintains multiple password files: the /etc/passwd file and the files in the protected password database /tcb/files/auth/ (see The /tcb/files/auth/ Database). Each user has an entry in both files, and login consults both entries to authenticate login requests.
All passwords are encrypted immediately after entry and stored in
/tcb/files/auth/user-char/user-name, the user's protected password database
file. Only the encrypted password is used in comparisons.
Do not permit any empty (null) password fields in either password file. On trusted systems, the password field in /etc/passwd is ignored. A user with an empty password is forced to set a password upon login on a trusted system. However, even this leaves the potential for a security breach, because anyone who logs in to this account is the one required to set its password.
Do not edit the password files directly. Use HP SMH, useradd, userdel, or usermod
to modify password file entries.
A.3.1.1 The /etc/passwd File
A trusted system uses the /etc/passwd file to identify a user at login time. The file
contains an entry for every account on the HP-UX system. Each entry consists of seven
fields, separated by colons. A typical entry for /etc/passwd in a trusted system looks
like this:
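The entry itself is not reproduced on this page. As an added example (not code from the HP-UX guide), the following shell function applies two of the rules stated above to a passwd-format file: every entry must have exactly seven colon-separated fields, and no entry may have an empty password field. The file path is a parameter, and the sample entries (alice, bob, carol, their IDs and home directories, and the "*" password placeholder) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HP-UX Administrator's Guide.
# check_passwd_file FILE
#   Reports passwd-format entries that do not have exactly seven
#   colon-separated fields (name:password:uid:gid:gecos:home:shell)
#   and entries whose password field is empty (null).
#   Returns 0 when no problems were found, 1 otherwise.
check_passwd_file() {
    awk -F: '
        # skip blank lines rather than reporting them as malformed
        /^$/ { next }
        # seven fields are required; anything else is malformed
        NF != 7 { printf "malformed (%d fields): %s\n", NF, $0; bad++; next }
        # an empty second field is an empty (null) password
        $2 == "" { printf "empty password: %s\n", $1; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample file (hypothetical users; the "*" in the password
# field is a placeholder, since trusted systems ignore this field).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
alice:*:201:20:Alice Example:/home/alice:/usr/bin/sh
bob::202:20:Bob Example:/home/bob:/usr/bin/sh
carol:*:203:20:Carol Example:/home/carol
EOF

if check_passwd_file "$SAMPLE"; then
    echo "no problems found"
else
    echo "problems found (see above)"
fi
rm -f "$SAMPLE"
```

Run against a copy of /etc/passwd, the function flags exactly the two conditions the guide warns about; it does not touch the file, consistent with the instruction to modify entries only through HP SMH, useradd, userdel, or usermod.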
A.3 Managing Trusted Passwords and System Access 193