Increasing computational power available to password crackers has
made the non-hidden passwords in the UNIX /etc/passwd
file vulnerable to decryption.
Shadow Passwords enhance system security by hiding users' encrypted
passwords in a shadow password file.
Encrypted passwords previously stored in the publicly readable
/etc/passwd file can be optionally moved to the
/etc/shadow file,
which is accessible only by a privileged user.
features and benefits
The HP-UX Shadow Passwords product provides the following features
and benefits:
- security - Shadow passwords are important for system security.
Since shadow passwords are not accessible to unprivileged users,
they are less vulnerable to decryption.
- configurability - After the Shadow Password product has been
installed, the pwconv(1m) command can be run to enable
shadow passwords, and the pwunconv(1m) command can be run
to disable shadow passwords.
- compatibility - If shadow passwords are not enabled,
there is no impact to application programs.
Otherwise, applications could be affected only if they
directly access the password field of /etc/passwd, with the
assumption that password and aging information reside there.
That field will now contain an 'x', indicating that the
information is in /etc/shadow.
Applications are not affected if they use the preferred pam(3)
interfaces to authenticate.
- standards conformance - The HP-UX Shadow Password product is
based on the de facto standard provided in other UNIX flavors,
including Sun Solaris and Linux.
Applications that run on those platforms can be ported with
little or no change.
requirements and restrictions
This product requires HP-UX 11.11.
Shadow passwords are supported with "files" and "ldap",
but are not supported with other nameserver switch backends,
such as NIS or NIS+.
To configure your system to use only files and/or ldap,
ensure that the "passwd:" line in /etc/nsswitch.conf
contains only "files" and/or "ldap".
If /etc/nsswitch.conf does not exist, or if the "passwd:"
line is not present, the default is "files" only.
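An added example, not part of the HP product or its documentation: shell functions that check the two conditions described above, namely that the "passwd:" line names only "files" and/or "ldap" (defaulting to "files"), and that no /etc/passwd entry still carries something other than 'x' in its password field once shadow passwords are enabled. The function names are hypothetical, and the file paths are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added example (hypothetical function names); not HP-supplied code.

# Print the sources on the "passwd:" line of an nsswitch.conf-style file.
# A missing file or a missing "passwd:" line yields the default, "files".
passwd_sources() {
    conf=${1:-/etc/nsswitch.conf}
    srcs=""
    if [ -r "$conf" ]; then
        # Drop comments and [STATUS=action] criteria, keep the first passwd: line.
        srcs=$(sed -n -e 's/#.*//' -e 's/\[[^]]*]//g' \
                   -e 's/^[[:space:]]*passwd:[[:space:]]*//p' "$conf" | head -n 1)
    fi
    [ -n "$srcs" ] || srcs=files
    echo $srcs   # unquoted on purpose: collapses runs of whitespace
}

# Succeed only if every passwd source is one that shadow passwords support.
shadow_supported() {
    for s in $(passwd_sources "$1"); do
        case $s in
            files|ldap) ;;
            *) echo "unsupported passwd source: $s" >&2; return 1 ;;
        esac
    done
    return 0
}

# List accounts whose password field in the passwd file is not 'x',
# i.e. entries whose password information has not moved to /etc/shadow.
unshadowed_accounts() {
    pwfile=${1:-/etc/passwd}
    awk -F: 'NF >= 2 && $1 !~ /^#/ && $2 != "x" { print $1 }' "$pwfile"
}
```

Run `shadow_supported` before enabling shadow passwords and `unshadowed_accounts` afterwards; any name the latter prints is an entry to inspect with pwck(1m).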
This product may be used with the LDAP-UX
Integration product version B.03.00 or later.
The most recent version is available on the web
at http://software.hp.com.
The system administration manager, sam(1M), was enhanced
to support password aging in shadow mode. Install patch
PHCO_31314 to use password aging in sam(1M).
This product may be used with the Process Resource Manager (PRM),
prm(1), version C.02.03.03 or later. PRM version C.02.02
requires the installation of patch PHSS_30985 for use with
shadow passwords.
This product may be used with Ignite-UX
version B.4.1 or later.
This product may be used with ServiceGuard.
If the intention is to use the HP Cluster Object Manager
for a connection with a system that has shadow passwords
installed, then you must upgrade the Cluster Object Manager
to at least version B.02.02.00, which is available with
MC/ServiceGuard A.11.15.00.
HP Cluster Object Manager is a proxy for ServiceGuard
Manager to manage multiple ServiceGuard clusters.
The web interface to Partition Manager and Service Control
Manager use ObAM, which currently does not support shadow
passwords.
The PC-NFS authentication and print request server, see
pcnfsd(1M), does not support shadow passwords.
Some third party applications may assume that passwords
reside in /etc/passwd. These applications would not
function correctly with shadow passwords.
programming APIs
The means for interfacing with the /etc/shadow file is
through the use of the industry standard getspent(3c) calls.
These calls function very similarly to the getpwent(3c)
interfaces.
documentation
The manpages installed with this product provide more
information on shadow passwords.
Important manpages include: pwconv(1m),
pwunconv(1m), pwck(1m), passwd(1),
getspent(3c), putspent(3c), passwd(4),
shadow(4), security(4).
revision history
Version B.11.11.03 includes updates to patches delivered
with the ShadowPW product. This version also fixes a
defect in the pwunconv(1M) command.
Version B.11.11.02 fixes a problem with the ownership of
the manpages in the ShadowPW product.
Version B.11.11.01 fixes a problem with satisfying the
corequisites of the ShadowPW.SHADOW fileset.
Version B.01.00.00 is the original revision of the bundle.
Date: 2005/05/13