Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP HP-UX Auditing System Extensions
191192193194195196197198199200
Lifetime The time at which the account associated with the password is
locked if the password is not changed. Once an account is
locked, only the system administrator can unlock it. Once
unlocked, the password must still be changed before the user
can log into the account.
The expiration time and lifetime values are reset when a password is changed. A lifetime
of zero specifies no password aging; in this case, the other password aging times have
no effect.
A.3.4 Password History and Password Reuse
You can enable the password history feature on a systemwide basis to discourage users
from reusing previous passwords.
You enable the password reuse check by defining the PASSWORD_HISTORY_DEPTH
attribute in the /etc/default/security file:
PASSWORD_HISTORY_DEPTH=n
where n is an integer specifying the number of previous passwords to check.
When a user changes the password, the new password is checked against the previous
n passwords, starting with the current password. If the system finds a match, it rejects
the new password. An n of 2 prevents users from alternating between two passwords.
For more information, see passwd(1) and security(4).
A.3.5 Time-Based Access Control
On trusted systems, you can specify times-of-day and days-of-week that are allowed for
login for each user. When a user attempts to log in outside the allowed access time, the
event is logged (if auditing is enabled for login failures and successes) and the login is
terminated. A superuser can log in outside the allowed access time, but the event is
logged. The permitted range of access times is stored in the protected password database
for users and can be set with HP SMH. Users that are logged in when a range ends are
not logged out.
A.3.6 Device-Based Access Control
For each MUX port and dedicated DTC port on a trusted system, you can specify a list
of users allowed for access. When the list is null for a device, all users are allowed
access.
The device access information is stored in the device assignment database, /tcb/files/
devassign, which contains an entry for each terminal device on the trusted system. A
field in the entry lists the users allowed on the device.
Terminal login information on a trusted system is stored in the terminal control database,
/tcb/files/ttys, which provides the following data for each terminal:
Device name
User ID of the last user to successfully log into the terminal
Last successful login time to the terminal
196 Trusted Systems