ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login session if the user s home directory does not exist. Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0

Transcription

1 NAME security - security defaults configuration file DESCRIPTION A number of system commands and features are configured based on certain attributes defined in the /etc/default/security configuration file. This file must be world readable and root writable. Each line in the file is treated either as a comment or as configuration information for a given system command or feature. Comments are denoted by a # at the beginning of a line. Noncomment lines are of the form, attribute=value. If any attribute is not defined or is commented out in this file, the default behavior detailed below will apply. The default value of each attribute is defined in the /etc/security.dsc file. Attribute definitions, valid values, and defaults are defined as follows: ABORT_LOGIN_ON_MISSING_HOMEDIR This attribute controls login behavior if a user s home directory does not exist. Note that this is only enforced for non-root users and only applies to the login command or those services that indirectly invoke login such as the telnetd and rlogind commands. ABORT_LOGIN_ON_MISSING_HOMEDIR=0 Login with / as the home directory if the user s home directory does not exist. ABORT_LOGIN_ON_MISSING_HOMEDIR=1 Exit the login session if the user s home directory does not exist. Default value: ABORT_LOGIN_ON_MISSING_HOMEDIR=0 ALLOW_NULL_PASSWORD This attribute determines whether or not users with a null password can login. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix (5)); this typically includes local and NIS users. On a system in standard or shadow mode, it also applies to root if LOGIN_POLICY_STRICT=1. For local users, the system-wide default defined here in /etc/default/security may be overridden by defining a peruser value in /var/adm/userdb (described in userdb(4)). ALLOW_NULL_PASSWORD=0 Users with a null password cannot login. ALLOW_NULL_PASSWORD=1 Users with a null password can login. Default value: ALLOW_NULL_PASSWORD=1 AUDIT_FLAG This attribute controls whether or not users are to be audited. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec (5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). For more information about HP-UX auditing, see audit (5). AUDIT_FLAG=0 Do not audit. AUDIT_FLAG=1 Audit. Default value: AUDIT_FLAG=1 AUTH_MAXTRIES This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec (5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). HP-UX 11i Version 3: March Hewlett-Packard Company 1

2 When an account has been locked due to too many authentication failures, root can unlock the account by this command: userdbset -d -u username auth_failures AUTH_MAXTRIES=0 Any number of authentication retries is allowed. AUTH_MAXTRIES=N An account is locked after N+1 consecutive authentication failures. N can be any positive integer. Default value: AUTH_MAXTRIES=0 BOOT_AUTH This attribute controls whether authentication is required to boot the system into single user mode. If enabled, the system cannot be booted into single user mode until the password of an authorized user is provided. This attribute does not apply to trusted systems. However, if boot authentication is enabled on a standard system, then when the system is converted to a trusted system, boot authentication will also be enabled as default for the trusted system. BOOT_AUTH=0 Boot authentication is turned OFF. BOOT_AUTH=1 Boot authentication is turned ON. Default value: BOOT_AUTH=0 BOOT_USERS This attribute defines the names of users who are authorized to boot the system into single user mode from the console. Names are separated by a comma (,). It only takes effect when boot authentication is enabled. Refer to the description of the BOOT_AUTH attribute. The BOOT_USERS attribute does not apply to trusted systems. However, when a standard system is converted to a trusted system, this information is translated. For example: BOOT_USERS=mary,jack Other than the root user, user mary or jack can also boot the system into single user mode from the console. Default value: BOOT_USERS=root CRYPT_ALGORITHMS_DEPRECATE This attribute lists the password hash algorithms that must be deprecated when a user s password is changed. This attribute is only valid when the SHA11i3 product is installed. CRYPT_DEFAULT This attribute specifies the default password hash algorithm. It is used when a new user password is created, and either the user did not have a password before or the old password was hashed with a deprecated algorithm (listed in CRYPT_ALGORITHMS_DEPRECATE). The value of CRYPT_DEFAULT should not be present in CRYPT_ALGORITHMS_DEPRECATE. This attribute is only valid when the SHA11i3 product is installed. CRYPT_DEFAULT= unix The default hash algorithm is the traditional DES-based algorithm. Refer to crypt (3C) for more information. CRYPT_DEFAULT=6 The default hash algorithm is method 6, a newer hash algorithm based on SHA-512. For example: CRYPT_ALGORITHMS_DEPRECATE= unix CRYPT_DEFAULT=6 If a user s password is created for the first time, it is hashed using method 6. Or if a user s old password was hashed using unix, the new password is hashed using method 6. Default value: CRYPT_DEFAULT= unix 2 Hewlett-Packard Company 2 HP-UX 11i Version 3: March 2012

3 DISPLAY_LAST_LOGIN This attribute controls whether a successful login displays the date, time and origin of the last successful login and the last authentication failure. Times are displayed using the system s time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec (5). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). DISPLAY_LAST_LOGIN=0 Information is not displayed. DISPLAY_LAST_LOGIN=1 Information is displayed. Default value: DISPLAY_LAST_LOGIN=1 INACTIVITY_MAXDAYS This attribute controls whether an account is locked if there have been no logins to the account for a specified time interval. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix (5)); this typically includes local and NIS users. On a system in standard or shadow mode, it also applies to root if LOGIN_POLICY_STRICT=1. In most cases this attribute can be enforced only as a system-wide default, however, for local users on a shadow password system, the system-wide default defined here in /etc/default/security may be overridden by defining a per-user value in the inactivity field of /etc/shadow with either one of these commands: useradd -f inactive_maxdays usermod -f inactive_maxdays When an account has been locked due to this feature, root can unlock the account by this command: userdbset -d -u username login_time INACTIVITY_MAXDAYS=0 Inactive accounts are not expired. INACTIVITY_MAXDAYS=N Inactive accounts are expired if there have been no logins to the account for at least N days. N can be any positive integer. Default value: INACTIVITY_MAXDAYS=0 LOGIN_POLICY_STRICT This attribute imposes restrictions on root login and authentication. These are restrictions which already apply to normal users. LOGIN_POLICY_STRICT=0 User root is not subject to login restrictions. LOGIN_POLICY_STRICT=1 Authentication of user root is subject to the following: Enforce ALLOW_NULL_PASSWORD (does not allow root login with a null password). Enforce INACTIVITY_MAXDAYS (does not allow login for a stale root account). The LOGIN_POLICY_STRICT attribute is only valid if the libpam_unix patch PHCO_40838 or later is installed. Default value: LOGIN_POLICY_STRICT=0 LOGIN_TIMES This attribute restricts logins to specific time periods. Login time restrictions are based on the system s time zone. See the discussion of time zones in the Notes section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec (5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in HP-UX 11i Version 3: March Hewlett-Packard Company 3

4 /var/adm/userdb (described in userdb(4)). LOGIN_TIMES=timeperiod An account is locked if the current time is not within the specified time period. The timeperiod consists of any number of day and time ranges separated by colons. A user is allowed to access the system when the login time is within any of the specified ranges. The days are specified by the following abbreviations: Su Mo Tu We Th Fr Sa Wk Any Where Wk is all week days and Any is any day of the week. A time range can be included after the day specification. A time range is a 24-hour time period, specified as hours and minutes separated by a hyphen. Each time must be specified with 4 digits (HHMM-HHMM ). Leading zeros are required. This time range indicates the start and end time for the specified days. The start time must be less than the end time. When no time range is specified, all times within the day(s) are valid. If the current time is within the range of any of the time ranges specified for a user, the user is allowed to access the system. Do not use as a time range to prevent user access. For example, Any:Fr cannot be used to disallow access on Fridays. Instead, SuMo- TuWeThSa should be used. See the EXAMPLES section. Default value: LOGIN_TIMES=Any Can login any day of the week. LONG_PASSWORD This attribute determines whether or not the length of a password can exceed 8 characters. This attribute is valid only when the LongPassword11i3 product is installed and the password hash algorithm is different from the traditional DES-based hash algorithm, see CRYPT_DEFAULT. LONG_PASSWORD=0 Passwords are limited to 8 characters. LONG_PASSWORD=1 Passwords can have more than 8 characters. Default value: LONG_PASSWORD=0 MIN_PASSWORD_LENGTH This attribute controls the minimum length of new passwords. On trusted systems it applies to all users. On standard systems it applies to non-root local users and to NIS users. On systems in standard or shadow mode, it applies to root if PASSWORD_POLICY_STRICT=1. The system-wide default defined here may be overridden by defining per-user values in /var/adm/userdb (described in userdb(4)). MIN_PASSWORD_LENGTH=N New passwords must contain at least N characters. For standard systems, N can be any value from 3 to 8. For trusted systems, N can be any value from 6 to 80. Default value: MIN_PASSWORD_LENGTH=6 NOLOGIN This attribute controls whether non-root login can be disabled by the /etc/nologin file. Note that this attribute only applies to the applications that use session management services provided by pam_hpsec as configured in /etc/pam.conf, or those services that indirectly invoke login such as the telnetd and rlogind commands. Other services may or may not choose to enforce the /etc/nologin file. NOLOGIN=0 Ignore the /etc/nologin file and do not exit if the /etc/nologin file exists. NOLOGIN=1 Display the contents of the /etc/nologin file and exit if the /etc/nologin file exists. Default value: NOLOGIN=0 4 Hewlett-Packard Company 4 HP-UX 11i Version 3: March 2012

5 OVERRIDE_SYSDEF_PWAGE This attribute applies to shadow mode only. During a password change it determines if password aging attributes max days, min days and warn days (described in shadow(4)) are inherited from the /etc/default/security values when no password aging is specified in the shadow file. This attribute is applicable to local users. The system-wide default value defined for this attribute in /etc/default/security may be overridden by defining a per-user value in /var/adm/userdb (described in Userdb(4)). OVERRIDE_SYSDEF_PWAGE=0 The password aging attributes defined in /etc/default/security are inheritable when a password is changed. OVERRIDE_SYSDEF_PWAGE=1 The default password aging values in /etc/default/security are ignored. Password aging attributes are read exclusively from the /etc/shadow file during a password change. Default value: OVERRIDE_SYSDEF_PWAGE=0 NUMBER_OF_LOGINS_ALLOWED This attribute controls the number of simultaneous logins allowed per user. Note that this is only enforced for non-root users and only applies to the applications that use session management services provided by pam_hpsec as configured in /etc/pam.conf, or those services that indirectly invoke login, such as the telnetd and rlogind commands. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are allowed per user. NUMBER_OF_LOGINS_ALLOWED=N N number of logins are allowed per user. Default value: NUMBER_OF_LOGINS_ALLOWED=0 PASSWORD_HISTORY_DEPTH This attribute controls the password history depth. A new password is checked against passwords stored in the user s password history. This prevents the user from re-using a recently used password. This attribute applies to local, non-root users. On a system in standard or shadow mode, it also applies to root if PASSWORD_POLICY_STRICT=1. For a trusted system, the maximum password history depth is 10 and the minimum is 1. For a standard system, the maximum password history depth is 24 and the minimum is 1. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). PASSWORD_HISTORY_DEPTH=N A new password is checked against the N most recently used passwords, including the current password. For example, a password history depth of 2 prevents a user from alternating between two passwords. Default value: PASSWORD_HISTORY_DEPTH=1 Cannot re-use the current password. PASSWORD_MIN_type_CHARS Attributes of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess. This attribute applies to local, non-root users. On a system in standard or shadow mode, it also applies to root if PASSWORD_POLICY_STRICT=1. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). HP-UX 11i Version 3: March Hewlett-Packard Company 5

6 PASSWORD_MIN_UPPER_CASE_CHARS=N Specifies that a minimum of N upper-case characters are required in a password when changed. PASSWORD_MIN_LOWER_CASE_CHARS=N Specifies that a minimum of N lower-case characters are required in a password when changed. PASSWORD_MIN_DIGIT_CHARS=N Specifies that a minimum of N digit characters are required in a password when changed. PASSWORD_MIN_SPECIAL_CHARS=N Specifies that a minimum of N special characters are required in a password when changed. Default value: The default for each of these attributes is zero. PASSWORD_MAXDAYS This attribute controls the default maximum number of days that passwords are valid. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The passwd -x option can be used to override this value for a specific user. PASSWORD_MAXDAYS=N A new password is valid for up to N days, after which the password must be changed. N can be an integer from -1 to 441. Default value: PASSWORD_MAXDAYS=-1 password aging is turned off. PASSWORD_MINDAYS This attribute controls the default minimum number of days before a password can be changed. This value is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the user. The value is stored persistently and takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The passwd -n option can be used to override this value for a specific user. PASSWORD_MINDAYS=N A new password cannot be changed until at least N days since it was last changed. N can be an integer from 0 to 441. Default value: PASSWORD_MINDAYS=0 PASSWORD_POLICY_STRICT This attribute imposes restrictions when root is changing passwords. These restrictions already apply to normal users. PASSWORD_POLICY_STRICT=0 User root is not subject to restrictions when changing passwords. PASSWORD_POLICY_STRICT=1 When user root changes a password, restrictions are imposed as follows. The next two restrictions apply to root only when changing root s own password. They do not apply when root is changing the password of a normal user. Prompt and require root to input the old password. Enforce minimal difference between old and new password. All of the remaining restrictions apply to root changing any password, either root s own password or the password for a different user. Enforce PASSWORD_MINDAYS. Enforce configurable minimal password length, MIN_PASSWORD_LENGTH. Enforce configurable password quality as defined by the attributes PASSWORD_MIN_UPPER_CASE_CHARS, PASSWORD_MIN_LOWER_CASE_CHARS, PASSWORD_MIN_DIGIT_CHARS, PASSWORD_MIN_SPECIAL_CHARS. Enforce the hardwired minimal password quality (at least 2 alpha and 1 nonalpha characters). Enforce PASSWORD_HISTORY_DEPTH. 6 Hewlett-Packard Company 6 HP-UX 11i Version 3: March 2012

7 The PASSWORD_POLICY_STRICT attribute is only valid if the libpam_unix patch PHCO_40838 or later is installed. Default value: PASSWORD_POLICY_STRICT=0 PASSWORD_WARNDAYS This attribute controls the default number of days before password expiration that a user is to be warned that the password must be changed. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users on shadow password systems. The passwd -w option can be used to override this value for a specific user. PASSWORD_WARNDAYS=N Users are warned N days before their password expires. N can be an integer from 0 to 441. Default value: PASSWORD_WARNDAYS=0 (no warning) SU_DEFAULT_PATH This attribute defines a new default PATH environment value to be set when su to a non-superuser account is done. Refer to su(1). SU_DEFAULT_PATH=new_PATH The PATH environment variable is set to new_path when the su command is invoked. The path value is not validated. This attribute does not apply to a superuser account, and is applicable only when the - option is not used with the su command. Default value: If this attribute is not defined or if it is commented out, PATH is not changed. SU_KEEP_ENV_VARS This attribute forces su to propagate certain unsafe environment variables to its child process despite the security risk of doing so. Refer to su(1). By default, su does not export the environment variables HOME, ENV, IFS, SHLIB_PATH or LD_* because they could be maliciously misused. Any combination of these can be specified in this entry, with a comma separating the variables. Currently, no other environment variables may be specified in this way. This may change in future HP-UX releases as security needs require. SU_KEEP_ENV_VARS=var1,var2,...,varN Default value: If this attribute is not defined or if it is commented out, these environment variables will not be propagated by the su command. SU_ROOT_GROUP This attribute defines the root group name for the su command. Refer to su(1). SU_ROOT_GROUP=group_name The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking. Default value: If this attribute is not defined or if it is commented out, there is no default value. In this case, a non superuser is allowed to su to root without being bound by root group restrictions. UMASK This attribute controls umask() of all sessions initiated via pam_hpsec. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec (5). It accepts values from 0 to 0777 as an unsigned octal integer (must have a leading zero to denote octal). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)). UMASK=default_umask HP-UX 11i Version 3: March Hewlett-Packard Company 7

8 The current umask is set or restricted further with the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h. Default value: UMASK=0 Notes Use the functions defined in secdef (3) to read the values of the attributes defined in this file. The usage, possible values and default value of each of the attributes described in this manpage is defined in the /etc/security.dsc file. The behavior of some attributes is affected by the time zone. For these attributes the time zone is determined by the first line of the form TZ=timezone in the file /etc/timezone. If the time zone is not specified in this file, it is obtained from the file /etc/default/tz, as described in tzset (3C). EXAMPLES The following are examples of LOGIN_TIMES usage. SaSu:Wk The user can login to the system all day on weekends and after 6:00 pm on week days. MoWeFr :TuThSu The user can login to the system on Monday, Wednesday and Friday from 10:00 am to 2:00 pm and on Tuesday, Thursday, and Sunday from 8:00 am to 5:00 pm. Any The user can login to the system every day from 4:00 am until 1:00 pm. Any No day or time restrictions. This is the default. Mo :Tu The user can login to the system any time between Monday after 6:00 pm until Tuesday at 3:00 am. Mo :Mo The user can only login to the system on Mondays between midnight and 3:00 am or after 6:00 pm on Mondays. WARNINGS HP-UX 11i Version 3 is the last release to support trusted systems functionality. AUTHOR The security file was developed by HP. FILES /etc/default/security /etc/security.dsc /var/adm/userdb security defaults configuration file security attributes description file user database SEE ALSO login(1), passwd(1), su(1), init(1m), userstat(1m), secdef(3), pam.conf(4), userdb(4), pam_hpsec(5), pam_unix(5). 8 Hewlett-Packard Company 8 HP-UX 11i Version 3: March 2012