HP-UX Shadow Passwords Version B.11.11.02 Product Note

1 HP-UX Shadow Passwords Product Note
Overview
The increasing computational power available to password crackers has made the
encrypted passwords stored in the UNIX /etc/passwd file vulnerable to cracking. Shadow
Passwords enhance system security by hiding users' encrypted passwords in a separate
shadow password file. Traditionally, encrypted passwords are stored in the /etc/passwd file,
which every user can read. With Shadow Passwords, the encrypted passwords can optionally
be moved to the /etc/shadow file, which is accessible only to the superuser.
Features and benefits
The HP-UX Shadow Passwords product provides the following features and benefits:
Security
Shadow Passwords improve system security. The encrypted passwords are less exposed to
cracking because they are accessible only to the superuser.
Configurability
After installation, run the pwconv command to enable Shadow Passwords. Run the
pwunconv command to disable Shadow Passwords.
Compatibility
If Shadow Passwords are not enabled, there is no impact on other applications.
Otherwise, applications are affected only if they directly read the password
field of /etc/passwd and assume that the password and aging information
reside there. That field will now contain an ‘x’, indicating that the information is in
/etc/shadow. Applications that use the preferred PAM interfaces to authenticate
are not affected.
Conformance to Standards
The HP-UX Shadow Passwords product is based on the de facto standard provided in
other UNIX flavors, including Sun Solaris and Linux. Applications that run on those
platforms can be ported with little or no change.
Requirements and restrictions
This product requires HP-UX 11i v1.
Shadow Passwords are supported with the files and ldap backends, but not with other
name service switch backends such as NIS or NIS+. To configure your system to use only
files, only ldap, or both, ensure that the passwd: line in /etc/nsswitch.conf lists
only files or ldap or both. If /etc/nsswitch.conf does not exist, or if the passwd: line
is not present, the default is files.
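The checks an administrator would run after pwconv, as an added example that is not part of this product note: it verifies the three conditions the note states (passwd: sources limited to files and ldap, the ‘x’ placeholder in the password field of /etc/passwd, and /etc/shadow readable only by the superuser) against constructed sample files, with the file paths as parameters so it can also be pointed at the real /etc files. The sample hash value is made up.

```shell
#!/bin/sh
# Added example, not part of the HP-UX product note: audit the shadow-password
# state the note describes. Each check takes a file path so it can run against
# the constructed sample copies below; on a real host pass /etc/passwd,
# /etc/shadow and /etc/nsswitch.conf instead (run as root to read /etc/shadow).

# nsswitch_ok FILE: returns 0 if the passwd: line names only files and/or ldap,
# or is absent (the default is then files); returns 1 if any other backend,
# such as nis, is listed, because Shadow Passwords are not supported with it.
nsswitch_ok() {
    line=$(grep '^passwd:' "$1" 2>/dev/null | head -n 1 | cut -d: -f2-)
    for src in $line; do
        case "$src" in
            files|ldap|\[*) ;;   # supported sources and [STATUS=action] tokens
            *) return 1 ;;
        esac
    done
    return 0
}

# exposed_hashes PASSWD_FILE: prints each account whose password field still
# holds an encrypted password instead of the 'x' placeholder, i.e. a secret
# that every user can read ('*' and empty fields carry no secret).
exposed_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print $1 }' "$1"
}

# shadow_private FILE: returns 0 when group and others have no permission bits.
shadow_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files (the hash value is made up, not a real password).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'passwd: files ldap\ngroup:  files\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'passwd: files nis\n' > "$SAMPLE_DIR/nsswitch.nis"
printf 'group: files\n' > "$SAMPLE_DIR/nsswitch.none"
printf '%s\n' 'root:x:0:3::/:/sbin/sh' 'alice:x:101:20::/home/alice:/usr/bin/sh' \
    'bob:Ab9z.Q1fGhIjK:102:20::/home/bob:/usr/bin/sh' 'nobody:*:-2:60001::/:' \
    > "$SAMPLE_DIR/passwd"
printf 'root:Ab9z.Q1fGhIjK:12345::::::\n' > "$SAMPLE_DIR/shadow"
chmod 600 "$SAMPLE_DIR/shadow"

nsswitch_ok "$SAMPLE_DIR/nsswitch.conf" || echo "nsswitch.conf: backend unsupported by Shadow Passwords"
nsswitch_ok "$SAMPLE_DIR/nsswitch.nis" || echo "nsswitch.nis: backend unsupported by Shadow Passwords"
exposed=$(exposed_hashes "$SAMPLE_DIR/passwd")
[ -z "$exposed" ] || echo "encrypted passwords still readable in passwd: $exposed"
shadow_private "$SAMPLE_DIR/shadow" || echo "shadow file is readable by non-root users"
```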