HP-UX 11i March 2002 Release Notes
Chapter 11: Security
Configurable Security Features
(new at 11i original release)
Administrators now have a new convenient way to customize security features. A new
/etc/default/security file is defined. Editing this file provides a way to configure new
security features or to modify the behavior of existing security features.
A PASSWORD_HISTORY_DEPTH=<n> parameter can be added to /etc/default/security
to enable a new password history feature, which forces users to choose passwords that do
not match their most recent <n> passwords.
A MIN_PASSWORD_LENGTH=<n> parameter can be added to /etc/default/security to
force users to choose passwords which have at least <n> characters.
A SU_ROOT_GROUP=<groupname> parameter can be added to /etc/default/security to
allow users to su to root only if they are a member of the <groupname> group.
See security (4) for additional parameters and details.
Password History Feature on Trusted Systems
Password history is a new trusted-system feature of the passwd command, used to
discourage users from re-using previously used passwords.
The system administrator enables the system-wide password history feature by creating
(or opening, if it already exists) a file called /etc/default/security and appending an
entry:
PASSWORD_HISTORY_DEPTH=number
Depending on the value of number (decimal integer from 1 through 10), the system
checks the user’s new password against that number of previously used passwords and
prevents their usage. (For example, if number=5, the system will not allow a user to use
any of the last five passwords he or she has previously used.)
Structurally, the password history feature is implemented in a shared library, called
libpam_unix.1, which the passwd command dynamically loads at run time. This
structural characteristic is transparent to users; the end-user interface of the passwd
command is unchanged.
For further information, consult the passwd (1) manpage.
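The following audit script is an added example, not part of the release notes or HP-UX itself. It reads an /etc/default/security-style file and checks the three parameters described above (PASSWORD_HISTORY_DEPTH within 1 through 10, MIN_PASSWORD_LENGTH set, SU_ROOT_GROUP set); it assumes the plain KEY=value line format the notes show, and the sample file it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script, not from the HP-UX release notes: checks an
# /etc/default/security-style file for the three parameters the notes
# describe. Assumes the plain KEY=value line format shown in the notes.

# get_param FILE KEY: print the value of KEY, ignoring comment lines;
# if KEY appears more than once, the last definition wins.
get_param() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# is_int VALUE: succeed only for a non-empty string of decimal digits.
is_int() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_security_file FILE: print one finding per problem; return 0 when
# all three settings are present and in range, 1 otherwise.
check_security_file() {
    rc=0
    hist=$(get_param "$1" PASSWORD_HISTORY_DEPTH)
    minlen=$(get_param "$1" MIN_PASSWORD_LENGTH)
    sugrp=$(get_param "$1" SU_ROOT_GROUP)

    # The notes give 1 through 10 as the valid range for the history depth.
    if ! is_int "$hist" || [ "$hist" -lt 1 ] || [ "$hist" -gt 10 ]; then
        echo "PASSWORD_HISTORY_DEPTH: missing or outside 1-10 (got '$hist')"; rc=1
    fi
    # The notes give no range for the minimum length; require a positive integer.
    if ! is_int "$minlen" || [ "$minlen" -lt 1 ]; then
        echo "MIN_PASSWORD_LENGTH: missing or not a positive integer (got '$minlen')"; rc=1
    fi
    # Without SU_ROOT_GROUP, su to root is not restricted to a named group.
    if [ -z "$sugrp" ]; then
        echo "SU_ROOT_GROUP: not set; su to root is not restricted by group"; rc=1
    fi
    return $rc
}

# Demo on a constructed sample file (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample /etc/default/security
PASSWORD_HISTORY_DEPTH=12
MIN_PASSWORD_LENGTH=8
EOF
if check_security_file "$sample"; then echo "OK"; else echo "findings listed above"; fi
rm -f "$sample"
```

Run it against a copy of the real file with `check_security_file /etc/default/security`; the return code makes it usable from a cron job or configuration-compliance check.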