HP-UX Shadow Passwords

Increasing computational power available to password crackers has made the non-hidden passwords in the UNIX /etc/passwd file vulnerable to decryption. Shadow Passwords enhance system security by hiding user encrypted passwords in a shadow password file. Encrypted passwords previously stored in the publicly readable /etc/passwd file can be optionally moved to the /etc/shadow file, which is accessible only by a privileged user.

features and benefits

The HP-UX Shadow Passwords product provides the following features and benefits:

• security - Shadow passwords are important for system security. Since shadow passwords are not accessible to unprivileged users, they are less vulnerable to decryption.


• configurability - After the Shadow Password product has been installed, the pwconv(1m) command can be run to enable shadow passwords, and the pwunconv(1m) command can be run to disable shadow passwords.


• compatibility - If shadow passwords are not enabled, there is no impact to application programs. Otherwise, applications could be affected only if they directly access the password field of /etc/passwd, with the assumption that password and aging information reside there. That field will now contain an 'x', indicating that the information is in /etc/shadow. Applications are not affected if they use the preferred pam(3) interfaces to authenticate.


• standards conformance - The HP-UX Shadow Password product is based on the de-facto standard provided in other UNIX flavors, including Sun Solaris and Linux. Applications that run on those platforms can be ported with little or no change.

requirements and restrictions

This product requires HP-UX 11.11.

Shadow passwords are supported with "files" and "ldap", but are not supported with other nameserver switch backends, such as NIS or NIS+. To configure your system to use only files and/or ldap, ensure that the "passwd:" line in /etc/nsswitch.conf contains only "files" and/or "ldap". If /etc/nsswitch.conf does not exist, or if the "passwd:" line is not present, the default is "files" only.

This product may be used with the LDAP-UX Integration product version B.03.00 or later. The most recent version is available on the web at http://software.hp.com .

The system administration manager, sam(1M), was enhanced to support password aging in shadow mode. Install patch PHCO_31314 to use password aging in sam(1M).

This product may be used with the Process Resource Manager (PRM), prm(1), version C.02.03.03 or later. PRM version C.02.02 requires the installation of patch PHSS_30985 for use with shadow passwords.

This product may be used with Ignite-UX version B.4.1 or later.

This product may be used with ServiceGuard. If the intention is to use the HP Cluster Object Manager for a connection with a system that has shadow passwords installed, then you must upgrade the Cluster Object Manager to at least version B.02.02.00, which is available with MC/ServiceGuard A.11.15.00. HP Cluster Object Manager is a proxy for ServiceGuard Manager to manage multiple ServiceGuard clusters.

The web interface to Partition Manager and Service Control Manager use ObAM, which currently does not support shadow passwords.

The PC-NFS authentication and print request server, see pcnfsd(1M), does not support shadow passwords.

Some third party applications may assume that passwords reside in /etc/passwd. These applications would not function correctly with shadow passwords.

programming APIs

The means for interfacing with the /etc/shadow file is through the use of the industry standard getspent(3c) calls. These calls function very similarly to the getpwent(3c) interfaces.

documentation

The manpages installed with this product provide more information on shadow passwords. Important manpages include: pwconv(1m), pwunconv(1m), pwck(1m), passwd(1), getspent(3c), putspent(3c), passwd(4), shadow(4), security(4).

revision history

Version B.11.11.03 includes updates to patches delivered with the ShadowPW product. This version also fixes a defect in the pwunconv(1M) command.

Version B.11.11.02 fixes a problem with the ownership of the manpages in the ShadowPW product.

Version B.11.11.01 fixes a problem with satisfying the corequisites of the ShadowPW.SHADOW fileset.

Version B.01.00.00 is the original revision of the bundle.

Date: 2005/05/13