Administrator's Guide
• Keep telephone numbers for modems unlisted and on a different system from other
business phones. Do not publicize the dial-in phone numbers.
• Physically secure the modems.
• Use caller ID to identify all incoming calls to the modems.
• Do not allow call forwarding or other extra phone services on the modem lines. Do
not use cell phone modems.
• For remote and local access, consider installing an HP-UX AAA server product.
Using the industry-standard Remote Authentication Dial-In User Service (RADIUS)
protocol, the HP-UX AAA Server provides authentication, authorization, and
accounting of user network access at the entry point to a network. See the HP-UX
AAA Server Administrator's Guide for more information.
2.9.1 Controlling Access Using /etc/dialups and /etc/d_passwd
For additional security in identifying remote users, add entries into the /etc/dialups
and /etc/d_passwd files. These files are used to control the dialup security feature of
login. See dialups(4) and login(1) for more information.
If the /etc/dialups file exists, the login process compares the terminal to those listed
in /etc/dialups. If the terminal exists in /etc/dialups, a password is requested
by login. That password is compared to those in /etc/d_passwd.
In addition, the /etc/passwd file is used to verify the password.
Following is an example of configuring the /etc/dialups and /etc/d_passwd files:
# vi /etc/dialups (list the terminals that are allowed)
/dev/ttyd0p1
/dev/ttyd0p2
# vi /etc/d_passwd
/usr/bin/sh:xxxencrypted-passwordxxxxxxxxx:comments
/usr/bin/ksh:xxxencrypted-passwordxxxxxxxx:comments
/sbin/sh:xxxencrypted-passwordxxxxxxxxx:comments
The user sees:
Login:
Password:
Dialup password:
To change passwords in /etc/d_passwd, use the passwd command as follows:
# passwd -F /etc/d_passwd shell_path
The shell_path is the shell path listed in /etc/d_passwd.
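The checks below are an added example, not part of the HP-UX guide: a POSIX shell function that audits the three files described in this section for entries that do not line up. The function names, finding messages, and sample file contents are constructed for illustration; confirm against dialups(4) which findings matter on a given system.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): consistency check for the
# dialup-security files. File paths are arguments so copies can be audited.

audit_dialups() {   # usage: audit_dialups DIALUPS D_PASSWD PASSWD
    # /etc/dialups: login compares the terminal name, so expect /dev/... paths.
    awk '$1 != "" && $1 !~ /^\/dev\// {
             print "dialups: not a /dev path: " $1 }' "$1"

    # /etc/d_passwd: shell_path:encrypted-password:comments
    awk -F: 'NF < 2 || $1 !~ /^\// {
                 print "d_passwd: malformed entry, line " NR; next }
             $2 == "" { print "d_passwd: empty password field: " $1 }' "$2"

    # Login shells in the passwd file that have no d_passwd entry of their own.
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
             $7 != "" && !($7 in known) && !seen[$7]++ {
                 print "passwd: shell has no d_passwd entry: " $7 }' "$2" "$3"
}

demo() {            # constructed sample files, written to a scratch directory
    d=${TMPDIR:-/tmp}/dialaudit.$$
    mkdir "$d" || return 1
    printf '%s\n' /dev/ttyd0p1 ttyd0p2 > "$d/dialups"
    printf '%s\n' '/usr/bin/sh:CONSTRUCTEDHASH01:dial-in' \
                  '/usr/bin/ksh::dial-in' > "$d/d_passwd"
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' \
                  'alice:*:101:20::/home/alice:/usr/bin/ksh' > "$d/passwd"
    audit_dialups "$d/dialups" "$d/d_passwd" "$d/passwd"
    rm -rf "$d"
}

demo
```

On a live system, replace the demo call with audit_dialups /etc/dialups /etc/d_passwd /etc/passwd.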