Full Discussion: Password hardening using pam
Operating Systems Linux Password hardening using pam Post 302927144 by rbatte1 on Monday 1st of December 2014 07:23:09 AM
A while back we had a go at this. We got as far as this before other business pressures took over. I'm not sure if it actually works, but it might provide a pointer:-
Quote:
The /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac files contain the following in the password statements:-
Code:
    password [success=1 default=ignore] pam_succeed_if.so user notingroup privgrp
    password requisite pam_cracklib.so try_first_pass dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 minlen=12 retry=3 difok=2

    password [success=1 default=ignore] pam_succeed_if.so user ingroup privgrp
    password requisite pam_cracklib.so try_first_pass dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 minlen=8 retry=3 difok=2

    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=24
    password required pam_deny.so

The plan then was to move people into the group privgrp if they had elevated privileges, which mainly was considered as people with sudo rules for anything except where tied into the application, so those who could reset passwords, those who could become the superuser account etc. The limits are set for a minimum of 8 for normal users and 12 for privileged, but I'm sure you can adjust that. We also require passwords to contain a mixture of upper & lower case, numerics and punctuation. We've had a few issues on some servers with the characters #, £ and @, so bear that in mind when publishing guidelines. Worst affected for us was HP-UX, but it's a known limitation.


I hope that this gives you a pointer. I don't think it was actually fully implemented so I can't be sure it actually has any effect. Please test it thoroughly before committing to it. It would be worth having multiple sessions as a superuser before saving the files so you have a chance to undo them if they cause a problem.

I hope that this is useful, or prompts someone else to chip in, perhaps proving me wrong. I'm always happy to learn.

Regards,
Robin
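As an added illustration (not the poster's code and not part of the original thread), here is a small Python model of how that stack routes a user through the two pam_cracklib lines, plus a simplified version of the minlen/minclass/difok rules with all credits set to 0. The group name privgrp and the thresholds are those from the post; the cracklib logic is an approximation of libcrack's real checks, not a reimplementation.

```python
import string

# Stack from the post, reduced to what matters for control flow:
# (module, argument, control). The succeed_if lines carry
# [success=1 default=ignore]: on success skip the next line, otherwise
# ignore the result and continue. (Constructed model, not libpam.)
STACK = [
    ("succeed_if", "notingroup", "skip1"),   # user notingroup privgrp
    ("cracklib", 12, "requisite"),           # minlen=12 for privileged
    ("succeed_if", "ingroup", "skip1"),      # user ingroup privgrp
    ("cracklib", 8, "requisite"),            # minlen=8 for everyone else
    ("unix", None, "sufficient"),            # pam_unix.so updates shadow
    ("deny", None, "required"),              # only reached if unix fails
]


def char_classes(pw):
    """Count character classes the way pam_cracklib's minclass does:
    lower, upper, digit, and 'other' (punctuation and everything else)."""
    other = set(pw) - set(string.ascii_letters + string.digits)
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + bool(other))


def cracklib_ok(pw, old, minlen, minclass=3, difok=2):
    """Approximate the post's pam_cracklib arguments with all credits at 0:
    a plain length floor, minclass distinct classes, and at least difok
    characters that do not appear in the old password (simplified rule)."""
    if len(pw) < minlen or char_classes(pw) < minclass:
        return False
    return old is None or sum(1 for c in pw if c not in old) >= difok


def run_stack(groups, pw, old=None):
    """Walk STACK as PAM would; returns (accepted, minlen that was applied)."""
    i, applied = 0, None
    while i < len(STACK):
        module, arg, control = STACK[i]
        if module == "succeed_if":
            # predicate true -> success=1 skips the following cracklib line
            if (arg == "ingroup") == ("privgrp" in groups):
                i += 2
                continue
        elif module == "cracklib":
            applied = arg
            if not cracklib_ok(pw, old, arg):
                return False, applied          # requisite: fail immediately
        elif module == "unix":
            return True, applied               # sufficient: stack succeeds
        elif module == "deny":
            return False, applied
        i += 1
    return False, applied
```

Running run_stack with and without "privgrp" in the group set shows the same 8-character password passing for a normal user and failing for a privileged one, which is the behaviour the two pam_succeed_if lines are there to produce.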
pam_dce(5)

NAME
pam_dce - authentication, account, and password management PAM functions for DCE

SYNOPSIS
/usr/lib/security/libpam_dce.so.1

DESCRIPTION
The DCE PAM modules allow integration of DCE into the system entry services (such as login, telnet, rlogin, ftp) through the pam.conf(4) file. The DCE service module for PAM consists of the following three modules: the authentication module, the account management module, and the password management module. All three modules are supported through the same loadable library, /usr/lib/security/libpam_dce.so.1 is the interface that services the requests from These requests will be communicated to the DCE security server, which in turn sends the response back to ilogind. This response is then sent back to /usr/lib/security/libpam_dce.so.1.

Authentication Module
The authentication module certifies the identity of a user and the user's credentials. It passes the authentication key derived from the user's password to the DCE Security Service. The Security Service then uses the authentication key to certify the user and the user's credentials.

The following options can be passed to the authentication module through the pam.conf(4) file:

debug
    Turn on syslog debugging at the LOG_DEBUG level.

nowarn
    Turn off warning messages about not being able to acquire DCE credentials.

use_first_pass
    Use the initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with DCE. If the user can not be authenticated or if this is the first authentication module in the stack, quit and do not prompt a password. It is recommended that this option be used only if the authentication module is designated as optional in the pam.conf(4) configuration file.

try_first_pass
    Use the initial password (entered when the user is authenticated to the first authentication module in the PAM stack) to authenticate with DCE. If the user cannot be authenticated or if this is the first authentication module in the stack, prompt for a password.

A user must be authenticated and the user's credentials set before a system entry service can access any file directories owned by the user that are mounted through DTS.

Account Management Module
The account management module provides a function to perform account management (pam_sm_acct_mgmt(3)). sends a request to the DCE implementation of pam_sm_acct_mgmt(3) function which retrieves the user's account and password expiration information from the DCE Security Server and verifies that the user's account and password have not expired.

The following options can be passed to the account module through the pam.conf(4) file:

debug
    Turn on syslog debugging at the LOG_DEBUG level.

nowarn
    Turn off warning messages displayed when a user's account and/or password are going to expire.

pam_sm_acct_mgmt(3) calls the function sec_login_inquire_net_info(3) to retrieve information about when a user's account and/or password is going to expire.

Password Management Module
The password management module provides a function to change passwords (pam_sm_chauthtok(3)).

The following options can be passed to the password module through the pam.conf(4) file:

debug
    Turn on syslog debugging at the LOG_DEBUG level.

nowarn
    Turn off warning messages about not being able to change passwords.

try_first_pass
    Use the initial password (entered to the first password module in the PAM stack) to authenticate with DCE. If the user cannot be authenticated or if this is the first password module in the stack, prompt for a password.

use_first_pass
    Use the initial password (entered to the first password module in the PAM stack) to authenticate with DCE. If the user cannot be authenticated or if this is the first password module in the stack, quit and do not prompt for a password. It is recommended that this option be used only if the DCE password module is designated as optional in the pam.conf(4) configuration file.

SEE ALSO
pam(3), sec_login_setup_identity(3), sec_login_valid_and_cert_ident(3), sec_login_set_context(3), sec_login_inquire_net_info(3), pam.conf(4), pam_unix(5), ilogind(1m)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.