HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)
security(4) security(4)
NAME
security - security defaults configuration file
DESCRIPTION
A number of system commands and features are configured based on certain attributes defined in the /etc/default/security configuration file. This file must be world readable and root writable.
Each line in the file is treated either as a comment or as configuration information for a given system command or feature. Comments are denoted by a # at the beginning of a line. Noncomment lines are of the form attribute=value.
If any attribute is not defined or is commented out in this file, the default behavior detailed below will apply. The default value of each attribute is defined in the /etc/security.dsc file.
Attribute definitions, valid values, and defaults are defined as follows:
ABORT_LOGIN_ON_MISSING_HOMEDIR
This attribute controls login behavior if a user's home directory does not exist. Note that this is only enforced for non-root users and only applies to the login command or those services that indirectly invoke login such as the telnetd and rlogind commands.
ABORT_LOGIN_ON_MISSING_HOMEDIR=0 Login with '/' as the home directory if the user's home directory does not exist.
ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login session if the user's home directory does not exist.
Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0
ALLOW_NULL_PASSWORD
This attribute determines whether or not users with a null password can login. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. For local users, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
ALLOW_NULL_PASSWORD=0 Users with a null password cannot login.
ALLOW_NULL_PASSWORD=1 Users with a null password can login.
Default value: ALLOW_NULL_PASSWORD=1
AUDIT_FLAG
This attribute controls whether or not users are to be audited. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). For more information about HP-UX auditing, see audit(5).
AUDIT_FLAG=0 Do not audit.
AUDIT_FLAG=1 Audit.
Default value: AUDIT_FLAG=1
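The following added example, which is not part of the HP-UX manual page, resolves the effective value of the three attributes above as the DESCRIPTION states (an undefined or commented-out attribute falls back to its default) and flags values that differ from a hardened choice. The function names, the last-definition-wins rule and the hardened values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not HP's code. Defaults below are the ones stated on this
# page; on a real system they come from /etc/security.dsc.

# effective_value FILE ATTR DEFAULT
# Prints ATTR's value from the "attribute=value" lines of FILE, or DEFAULT when
# ATTR is undefined or commented out. Assumption: the last definition wins.
effective_value() {
    awk -v attr="$2" -v def="$3" '
        /^#/ { next }                       # "#" at the beginning of a line
        {
            eq = index($0, "=")
            if (eq > 0 && substr($0, 1, eq - 1) == attr) {
                val = substr($0, eq + 1); seen = 1
            }
        }
        END { print (seen ? val : def) }
    ' "$1"
}

# check FILE ATTR DEFAULT WANTED
# Prints "ok" or "FINDING" for one attribute. WANTED is this example's
# hardening choice, not a recommendation made by the manual page.
check() {
    got=$(effective_value "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "ok      $2=$got"
    else
        echo "FINDING $2=$got (want $4)"
    fi
}

audit_security_defaults() {
    check "$1" ABORT_LOGIN_ON_MISSING_HOMEDIR 0 1   # no login with "/" as home
    check "$1" ALLOW_NULL_PASSWORD 1 0              # no null-password logins
    check "$1" AUDIT_FLAG 1 1                       # users are audited
}

# Constructed sample input, written to a temporary file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/default/security
ALLOW_NULL_PASSWORD=0
#AUDIT_FLAG=0
EOF
audit_security_defaults "$sample"
rm -f "$sample"
```

On a live system the call would be audit_security_defaults /etc/default/security; per-user overrides in /var/adm/userdb are outside what this example reads.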
AUTH_MAXTRIES
This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
When an account has been locked due to too many authentication failures, root can unlock the account by this command:
412 Hewlett-Packard Company − 1 − HP-UX 11i Version 3: February 2007