security man page on HP-UX

Printed from http://www.polarhome.com/service/man/?qf=security&af=0&tf=2&of=HP-UX

security(4)							   security(4)

NAME
       security - security defaults configuration file

DESCRIPTION
       A number of system commands and features are configured based on
       certain attributes defined in the configuration file.  This file must
       be world readable and root writable.

       Each line in the file is treated either as a comment or as
       configuration information for a given system command or feature.
       Comments are denoted by a at the beginning of a line.  Noncomment
       lines are of the form,

       If any attribute is not defined or is commented out in this file, the
       default behavior detailed below will apply.  The default value of each
       attribute is defined in the file.

       Attribute definitions, valid values, and defaults are defined as
       follows:

              This attribute controls login behavior if a user's home
              directory does not exist.  Note that this is only enforced for
              non-root users and only applies to the command or those
              services that indirectly invoke such as the and commands.

                     Login with as the home directory if the user's home
                     directory does not exist.

                     Exit the login session if the user's home directory
                     does not exist.

                     Default value:

              This attribute determines whether or not users with a null
              password can login.  It does not apply to trusted systems.
              This attribute is supported only for non-root users managed by
              pam_unix (described in pam_unix(5)); this typically includes
              local and NIS users.  On a system in standard or shadow mode,
              it also applies to root if For local users, the system-wide
              default defined here in may be overridden by defining a
              per-user value in (described in userdb(4)).

                     Users with a null password cannot login.

                     Users with a null password can login.

                     Default value:

              This attribute controls whether or not users are to be
              audited.  It does not apply to trusted systems.  This
              attribute is supported for users in all name server switch
              repositories, such as local, NIS and LDAP.  This attribute is
              enforced in the service module, and requires that the module
              be configured in See pam_hpsec(5).  The system-wide default
              defined here may be overridden by defining a per-user value in
              (described in userdb(4)).  For more information about HP-UX
              auditing, see audit(5).

                     Do not audit.

                     Audit.

                     Default value:

              This attribute controls whether an account is locked after too
              many consecutive authentication failures.  It does not apply
              to trusted systems.  This attribute is supported for users in
              all name server switch repositories, such as local, NIS and
              LDAP.  This attribute is enforced in the service module, and
              requires that the module be configured in See pam_hpsec(5).
              Other PAM service modules in your configuration may enforce
              additional restrictions.  The system-wide default defined here
              may be overridden by defining a per-user value in (described
              in userdb(4)).

              When an account has been locked due to too many authentication
              failures, root can unlock the account by this command:

                     Any number of authentication retries is allowed.

                     An account is locked after N+1 consecutive
                     authentication failures.  N can be any positive
                     integer.

                     Default value:

              This attribute controls whether authentication is required to
              boot the system into single user mode.  If enabled, the system
              cannot be booted into single user mode until the password of
              an authorized user is provided.

              This attribute does not apply to trusted systems.  However, if
              boot authentication is enabled on a standard system, then when
              the system is converted to a trusted system, boot
              authentication will also be enabled as default for the trusted
              system.

                     Boot authentication is turned OFF.

                     Boot authentication is turned ON.

                     Default value:

              This attribute defines the names of users who are authorized
              to boot the system into single user mode from the console.
              Names are separated by a comma.  It only takes effect when
              boot authentication is enabled.  Refer to the description of
              the attribute.

              The attribute does not apply to trusted systems.  However,
              when a standard system is converted to a trusted system, this
              information is translated.

              For example:

              Other than the root user, user or can also boot the system
              into single user mode from the console.

                     Default value:

              This attribute lists the password hash algorithms that must be
              deprecated when a user's password is changed.

              This attribute is only valid when the SHA11i3 product is
              installed.

              This attribute specifies the default password hash algorithm.
              It is used when a new user password is created, and either the
              user did not have a password before or the old password was
              hashed with a deprecated algorithm (listed in The value of
              should not be present in

              This attribute is only valid when the SHA11i3 product is
              installed.

                     The default hash algorithm is the traditional DES-based
                     algorithm.  Refer to crypt(3C) for more information.

                     The default hash algorithm is method 6, a newer hash
                     algorithm based on SHA-512.

              For example:

              If a user's password is created for the first time, it is
              hashed using method Or if a user's old password was hashed
              using the new password is hashed using method

                     Default value:

              This attribute controls whether a successful login displays
              the date, time and origin of the last successful login and the
              last authentication failure.  Times are displayed using the
              system's time zone.  See the discussion of time zones in the
              section.  This attribute does not apply to trusted systems.
              This attribute is supported for users in all name server
              switch repositories, such as local, NIS and LDAP.  This
              attribute is enforced in the service module, and requires that
              the module be configured in See pam_hpsec(5).  The system-wide
              default defined here may be overridden by defining a per-user
              value in (described in userdb(4)).

                     Information is not displayed.

                     Information is displayed.

                     Default value:

              This attribute controls whether an account is locked if there
              have been no logins to the account for a specified time
              interval.  It does not apply to trusted systems.  This
              attribute is supported only for non-root users managed by
              pam_unix (described in pam_unix(5)); this typically includes
              local and NIS users.  On a system in standard or shadow mode,
              it also applies to root if In most cases this attribute can be
              enforced only as a system-wide default; however, for local
              users on a shadow password system, the system-wide default
              defined here in may be overridden by defining a per-user value
              in the field of with either one of these commands:

              When an account has been locked due to this feature, root can
              unlock the account by this command:

                     username

                     Inactive accounts are not expired.

                     Inactive accounts are expired if there have been no
                     logins to the account for at least N days.  N can be
                     any positive integer.

                     Default value:

              This attribute imposes restrictions on root login and
              authentication.  These are restrictions which already apply to
              normal users.

                     User root is not subject to login restrictions.

                     Authentication of user root is subject to the
                     following:

                     ·  Enforce (does not allow root login with a null
                        password).

                     ·  Enforce (does not allow login for a stale root
                        account).

              The attribute is only valid if the patch PHCO_40838 or later
              is installed.

                     Default value:

              In both cases, enforcing ALLOW_NULL_PASSWORD or
              INACTIVITY_MAXDAYS, there is a potential for the root account
              to get locked out, in which case root login from the console
              is allowed to undo the changes.  If the root password is lost,
              the system has to be reset into single user mode to reset the
              password.

              This attribute restricts logins to specific time periods.
              Login time restrictions are based on the system's time zone.
              See the discussion of time zones in the section.  This
              attribute does not apply to trusted systems.  This attribute
              is supported for users in all name server switch repositories,
              such as local, NIS and LDAP.  This attribute is enforced in
              the service module, and requires that the module be configured
              in See pam_hpsec(5).  Other PAM service modules in your
              configuration may enforce additional restrictions.  The
              system-wide default defined here may be overridden by defining
              a per-user value in (described in userdb(4)).

                     An account is locked if the current time is not within
                     the specified time period.  The time period consists
                     of any number of day and time ranges separated by
                     colons.  A user is allowed to access the system when
                     the login time is within any of the specified ranges.
                     The days are specified by the following abbreviations:

                     Where is all week days and is any day of the week.

                     A time range can be included after the day
                     specification.  A time range is a 24-hour time period,
                     specified as hours and minutes separated by a hyphen.
                     Each time must be specified with 4 digits (HHMM-HHMM).
                     Leading zeros are required.  This time range indicates
                     the start and end time for the specified days.  The
                     start time must be less than the end time.  When no
                     time range is specified, all times within the day(s)
                     are valid.

                     If the current time is within the range of any of the
                     time ranges specified for a user, the user is allowed
                     to access the system.

                     Do not use as a time range to prevent user access.  For
                     example, cannot be used to disallow access on Fridays.
                     Instead, should be used.  See the section.

                     Default value: Can login any day of the week.

              This attribute determines whether or not the length of a
              password can exceed 8 characters.

              This attribute is valid only when the LongPassword11i3 product
              is installed and the password hash algorithm is different from
              the traditional DES-based hash algorithm, see CRYPT_DEFAULT.

                     Passwords are limited to 8 characters.

                     Passwords can have more than 8 characters.

                     Default value:

              This attribute controls the minimum length of new passwords.
              On trusted systems it applies to all users.  On standard
              systems it applies to non-root local users and to NIS users.
              On systems in standard or shadow mode, it applies to root if
              The system-wide default defined here may be overridden by
              defining per-user values in (described in userdb(4)).

                     New passwords must contain at least N characters.  For
                     standard systems, N can be any value from 3 to 8.  For
                     trusted systems, N can be any value from 6 to 80.

                     Default value:

              This attribute controls whether non-root login can be disabled
              by the file.  Note that this attribute only applies to the
              applications that use session management services provided by
              as configured in or those services that indirectly invoke
              such as the and commands.  Other services may or may not
              choose to enforce the file.

                     Ignore the file and do not exit if the file exists.

                     Display the contents of the file and exit if the file
                     exists.

                     Default value:

              This attribute applies to shadow mode only.  During a password
              change it determines if the password aging attributes max
              days, min days and warn days (described in shadow(4)) are
              inherited from the values when no password aging is specified
              in the shadow file.  This attribute is applicable to local
              users.

              The system-wide default value defined for this attribute in
              may be overridden by defining a per-user value in (described
              in userdb(4)).

                     The password aging attributes defined in are
                     inheritable when a password is changed.

                     The default password aging values in are ignored.

                     Password aging attributes are read exclusively from
                     the file during a password change.

                     Default value:

              This attribute controls the number of simultaneous logins
              allowed per user.  Note that this is only enforced for
              non-root users and only applies to the applications that use
              session management services provided by as configured in or
              those services that indirectly invoke such as the and
              commands.  The system-wide default defined here may be
              overridden by defining a per-user value in (described in
              userdb(4)).

                     Any number of logins are allowed per user.

                     At most N logins are allowed per user.

                     Default value:

              This attribute controls the password history depth.  A new
              password is checked against passwords stored in the user's
              password history.  This prevents the user from re-using a
              recently used password.

              This attribute applies to local, non-root users.  On a system
              in standard or shadow mode, it also applies to root if

              For a trusted system, the maximum password history depth is
              10 and the minimum is 1.

              For a standard system, the maximum password history depth is
              24 and the minimum is 1.  The system-wide default defined here
              may be overridden by defining a per-user value in (described
              in userdb(4)).

                     A new password is checked against the N most recently
                     used passwords, including the current password.  For
                     example, a password history depth of 2 prevents a user
                     from alternating between two passwords.

                     Default value: Cannot re-use the current password.

              Attributes of this form are used to require new passwords to
              have a minimum number of characters of particular types (upper
              case, lower case, digits or special characters).  This can be
              helpful in enforcing site security policies about selecting
              passwords that are not easy to guess.  This attribute applies
              to local, non-root users.  On a system in standard or shadow
              mode, it also applies to root if The system-wide default
              defined here may be overridden by defining a per-user value in
              (described in userdb(4)).

                     Specifies that a minimum of N upper-case characters are
                     required in a password when changed.

                     Specifies that a minimum of N lower-case characters are
                     required in a password when changed.

                     Specifies that a minimum of N digit characters are
                     required in a password when changed.

                     Specifies that a minimum of N special characters are
                     required in a password when changed.

                     Default value: The default for each of these attributes
                     is zero.
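              As an added example (not HP-UX code and not part of this man
              page), the following applies the password rules described on
              this page: the minimum length, the per-class minimums above,
              the history depth ("the N most recently used passwords,
              including the current password"), and the hardwired quality
              rule of at least 2 alpha and 1 non-alpha characters named in
              the root password-change restrictions below.  The attribute
              names for minimum length and history depth are not on this
              page, so the policy is expressed as plain fields; passwords
              and history are handled in plaintext here only to show the
              rule, whereas a real history stores hashes.

```python
"""Password acceptance rules as this page describes them.

Added example, not HP-UX code.  The attribute names for minimum length and
history depth are not on this page, so the policy is plain keyword fields;
the per-class minimums, the history rule ("the N most recent, including the
current password") and the hardwired "at least 2 alpha and 1 non-alpha"
rule come from the text.  History is kept in plaintext here only for the
demonstration; a real history stores hashes.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 8        # assumed value; page gives ranges 3..8 / 6..80
    history_depth: int = 1     # 1 = cannot re-use the current password
    min_upper: int = 0         # per-class minimums default to zero
    min_lower: int = 0
    min_digit: int = 0
    min_special: int = 0


def class_counts(pw: str) -> Tuple[int, int, int, int]:
    """Count upper-case, lower-case, digit and special characters."""
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digit = sum(c.isdigit() for c in pw)
    return upper, lower, digit, len(pw) - upper - lower - digit


def check_new_password(new: str, history: Sequence[str],
                       policy: PasswordPolicy) -> List[str]:
    """Return the rule violations for `new`; an empty list means accepted.

    `history` is newest first, so history[0] is the current password."""
    problems: List[str] = []
    if len(new) < policy.min_length:
        problems.append(f"fewer than {policy.min_length} characters")

    upper, lower, digit, special = class_counts(new)
    # Hardwired minimal quality: at least 2 alpha and 1 non-alpha characters.
    if upper + lower < 2 or digit + special < 1:
        problems.append("needs at least 2 alpha and 1 non-alpha characters")

    for have, need, kind in ((upper, policy.min_upper, "upper-case"),
                             (lower, policy.min_lower, "lower-case"),
                             (digit, policy.min_digit, "digit"),
                             (special, policy.min_special, "special")):
        if have < need:
            problems.append(f"needs at least {need} {kind} characters")

    # History depth N covers the N most recent passwords, current one included,
    # so depth 2 stops a user alternating between two passwords.
    if new in history[:policy.history_depth]:
        problems.append(f"re-uses one of the {policy.history_depth} most recent passwords")
    return problems
```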

              This attribute controls the default maximum number of days
              that passwords are valid.  This value, if specified, is used
              by the authentication subsystem during the password change
              process in the case where aging restrictions do not already
              exist for the given user.  The value takes effect after the
              password change.  This attribute applies only to local users
              and does not apply to trusted systems.  The option can be used
              to override this value for a specific user.

                     A new password is valid for up to N days, after which
                     the password must be changed.  N can be an integer
                     from -1 to 441.

                     Default value: password aging is turned off.

              This attribute controls the default minimum number of days
              before a password can be changed.  This value is used by the
              authentication subsystem during the password change process in
              the case where aging restrictions do not already exist for the
              user.  The value is stored persistently and takes effect after
              the password change.  This attribute applies only to local
              users and does not apply to trusted systems.  The option can
              be used to override this value for a specific user.

                     A new password cannot be changed until at least N days
                     since it was last changed.  N can be an integer from 0
                     to 441.

                     Default value:

              This attribute imposes restrictions when root is changing
              passwords.  These restrictions already apply to normal users.

                     User root is not subject to restrictions when changing
                     passwords.

                     When user root changes a password, restrictions are
                     imposed as follows.

                     The next two restrictions apply to root only when
                     changing root's own password.  They do not apply when
                     root is changing the password of a normal user.

                     ·  Prompt and require root to input the old password.

                     ·  Enforce minimal difference between old and new
                        password.

                     All of the remaining restrictions apply to root
                     changing any password, either root's own password or
                     the password for a different user.

                     ·  Enforce

                     ·  Enforce configurable minimal password length,

                     ·  Enforce configurable password quality as defined by
                        the attributes

                     ·  Enforce the hardwired minimal password quality (at
                        least 2 alpha and 1 non-alpha characters).

                     ·  Enforce

              The attribute is only valid if the patch PHCO_40838 or later
              is installed.

                     Default value:

              This attribute controls the default number of days before
              password expiration that a user is to be warned that the
              password must be changed.  This value, if specified, is used
              by the authentication subsystem during the password change
              process in the case where aging restrictions do not already
              exist for the given user.  The value takes effect after the
              password change.  This attribute applies only to local users
              on shadow password systems.  The option can be used to
              override this value for a specific user.

                     Users are warned N days before their password expires.
                     N can be an integer from 0 to 441.

                     Default value: (no warning)

              This attribute defines a new default environment value to be
              set when to a non-superuser account is done.  Refer to su(1).

                     The environment variable is set to new_PATH when the
                     command is invoked.  The path value is not validated.
                     This attribute does not apply to a superuser account,
                     and is applicable only when the option is not used with
                     the command.

                     Default value: If this attribute is not defined or if
                     it is commented out, is not changed.

              This attribute forces to propagate certain 'unsafe'
              environment variables to its child process despite the
              security risk of doing so.  Refer to su(1).

                     By default, does not export the environment variables
                     or because they could be maliciously misused.  Any
                     combination of these can be specified in this entry,
                     with a comma separating the variables.  Currently, no
                     other environment variables may be specified in this
                     way.  This may change in future HP-UX releases as
                     security needs require.

                     Default value: If this attribute is not defined or if
                     it is commented out, these environment variables will
                     not be propagated by the command.

              This attribute defines the root group name for the command.
              Refer to su(1).

                     The root group name is set to the specified symbolic
                     group name.  The command enforces the restriction that
                     a non-superuser must be a member of the specified root
                     group to be allowed to to root.  This does not alter
                     password checking.

                     Default value: If this attribute is not defined or if
                     it is commented out, there is no default value.  In
                     this case, a non-superuser is allowed to to root
                     without being bound by root group restrictions.

              This attribute controls of all sessions initiated via This
              attribute is supported for users in all name server switch
              repositories, such as local, NIS and LDAP.  This attribute is
              enforced in the service module, and requires that the module
              be configured in See pam_hpsec(5).  It accepts values from 0
              to 0777 as an unsigned octal integer (must have a leading zero
              to denote octal).  The system-wide default defined here may be
              overridden by defining a per-user value in (described in
              userdb(4)).

                     The current is set or restricted further with the
                     value of default_umask.  For trusted systems, the is
                     also restricted so as not to exceed defined in

                     Default value:

   Notes
       Use the functions defined in secdef(3) to read the values of the
       attributes defined in this file.

       The usage, possible values and default value of each of the
       attributes described in this manpage is defined in the file.

       The behavior of some attributes is affected by the time zone.  For
       these attributes the time zone is determined by the first line of the
       form in the file If the time zone is not specified in this file, it is
       obtained from the file as described in tzset(3C).

EXAMPLES
       The following are examples of usage.

              The user can login to the system all day on weekends and after
              6:00 pm on week days.

              The user can login to the system on Monday, Wednesday and
              Friday from 10:00 am to 2:00 pm and on Tuesday, Thursday, and
              Sunday from 8:00 am to 5:00 pm.

              The user can login to the system every day from 4:00 am until
              1:00 pm.

              No day or time restrictions.  This is the default.

              The user can login to the system any time between Monday after
              6:00 pm until Tuesday at 3:00 am.

              The user can only login to the system on Mondays between
              midnight and 3:00 am or after 6:00 pm on Mondays.
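       As an added example (not HP-UX code and not part of this man page),
       the following parses and evaluates the day/time range format
       described under the login time restriction attribute above and
       exercised by these examples.  The day abbreviations Mo Tu We Th Fr
       Sa Su, Wk (all week days) and Any (any day of the week), the ability
       to put several day abbreviations before one time range, and 2400 as
       an accepted end time are assumptions, as are the function names; the
       colon separator, 4-digit HHMM times with leading zeros, the rule that
       the start must be less than the end, and "no time range means the
       whole day" come from the page.

```python
"""Parse and evaluate the login time-period format described on this page.

Added example, not HP-UX code.  Assumptions not stated on the page: the day
abbreviations Mo Tu We Th Fr Sa Su, Wk (all week days) and Any (any day of
the week); that several day abbreviations may precede one time range; and
that 2400 is accepted as an end time.  Rules taken from the page: ranges are
colon-separated, times are 4-digit HHMM with leading zeros, the start must
be less than the end, and no time range means the whole day.
"""
import re
from datetime import datetime
from typing import List, Set, Tuple

DAY_INDEX = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_GROUPS = {"Wk": set(range(5)), "Any": set(range(7))}
DAY_TOKEN = r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any"
RANGE_RE = re.compile(rf"^((?:{DAY_TOKEN})+)(?:(\d{{4}})-(\d{{4}}))?$")

TimeRange = Tuple[Set[int], int, int]   # (weekdays, start minute, end minute)


def _minutes(hhmm: str) -> int:
    """Convert a 4-digit HHMM string to minutes since midnight."""
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if mins > 59 or hours > 24 or (hours == 24 and mins != 0):
        raise ValueError(f"invalid time {hhmm}")
    return hours * 60 + mins


def parse_login_times(spec: str) -> List[TimeRange]:
    """Split a colon-separated spec into (days, start, end) ranges.

    An empty spec means no restriction.  Because the start must be less
    than the end, a range such as 0000-0000 is rejected rather than
    silently granting or denying access."""
    if spec == "":
        return [(set(range(7)), 0, 24 * 60)]
    ranges: List[TimeRange] = []
    for part in spec.split(":"):
        match = RANGE_RE.match(part)
        if not match:
            raise ValueError(f"invalid day/time range {part!r}")
        days: Set[int] = set()
        for token in re.findall(DAY_TOKEN, match.group(1)):
            days |= DAY_GROUPS[token] if token in DAY_GROUPS else {DAY_INDEX[token]}
        if match.group(2) is None:
            start, end = 0, 24 * 60          # no time range: all times that day
        else:
            start, end = _minutes(match.group(2)), _minutes(match.group(3))
            if start >= end:
                raise ValueError(f"start must be less than end in {part!r}")
        ranges.append((days, start, end))
    return ranges


def is_valid_spec(spec: str) -> bool:
    """True if the spec parses under the rules above."""
    try:
        parse_login_times(spec)
        return True
    except ValueError:
        return False


def login_allowed(spec: str, when: datetime) -> bool:
    """True if `when` (system local time) lies inside any range of `spec`."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_login_times(spec))
```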

WARNINGS
       HP-UX  11i  Version  3  is  the last release to support trusted systems
       functionality.

AUTHOR
       The file was developed by HP.

FILES
       security defaults configuration file
       security attributes description file
       user database

SEE ALSO
       login(1), passwd(1), su(1), init(1M), userstat(1M), secdef(3),
       pam.conf(4), userdb(4), pam_hpsec(5), pam_unix(5).
