Cover V05, I11
Sidebar: System Default Database File Format

The global configuration file for Enhanced Security on DU is /etc/auth/system/default and defines values for users at a system-wide level. An administrator planning to implement Enhanced Security must be familiar with the values specified in this file in order to configure Enhanced Security appropriately for his or her system. The following is a default file I will use as an example of a relaxed security configuration. To avoid frustration in the initial implementation, I recommend that Enhanced Security be enabled with most options either loose or disabled altogether. Once you are more familiar with Enhanced Security, tighten down the options that make the most sense for your environment.

default:\
	:d_name=default:\
	:d_secclass=c2:\
	:d_boot_authenticate@:\
	:d_pw_expire_warning#864000:\
	:d_pw_site_callout=/tcb/bin/pwpolicy:\
	:u_minchg#0:u_minlen#8:u_maxlen#12:u_exp#0:\
	:u_life#0:u_pickpw:u_genpwd@:u_restrict:\
	:u_pwdepth#0:u_nullpw@:u_genchars@:u_genletters@:\
	:u_maxtries#0:u_lock@:\
	:t_logdelay#2:t_maxtries#10:\
	:chkent:

The default file consists of options in a single, continuous entry that can be broken into multiple lines with a backslash (\). Each option is preceded and followed by a colon (:). If the entry is broken into multiple lines, each line must end with a colon and a backslash, and each continuation line must begin with a colon and be indented by a tab. Options can have numeric, Boolean, or string values.

Numeric options have the format "name#num." Boolean options have the format "name" or "name@," in which the first form indicates the option is True, and the second form indicates the option is False. String options have the format "name=string," in which string is zero or more characters.

At the end of the entry is the chkent field, which indicates that the entry is complete. This field is used as an integrity check on the entry by the programs that read the file.

The example options have the following meanings:

default: This first field is simply the header that specifies the name of the entry for this security database and is required.

d_name: This option specifies the name of this security database and should not be changed from the string "default."

d_secclass: This is an informational identifier of the security classes supported by the system and should be set to "c2."

d_boot_authenticate: This option is not currently used by Enhanced Security.

d_pw_expire_warning: This option, in seconds, is used to determine whether a password expiration warning is given at login time. If the password expiration for a user falls within this time interval, a warning is given.

d_pw_site_callout: This is the full pathname of the script to call for site-specific security policy conformance decisions. The /tcb/bin/pwpolicy script by default does nothing but exit with a positive return code. See the "DEC OSF/1 Security" manual for more information on this option.

u_minchg#0: This is the minimum time between password changes in seconds. If the value assigned is zero (0), there is no minimum time enforced.

u_minlen#8: This is the minimum password length.

u_maxlen#12: This is the maximum password length.

u_exp#0: This is the number of seconds after a successful password change that the account password will expire. If the value specified is zero (0), passwords will not expire.

u_life#0: This is the lifetime of a password in seconds. If this time interval is reached, the account is locked and can only be unlocked by the superuser. Specifying zero (0) indicates an unlimited password lifetime.

u_pickpw: This Boolean option specifies whether a user can pick his own password (True) or will have a password generated by the system (False).

u_genpwd@: This Boolean option is the reverse of u_pickpw; that is, a True value indicates that the system will generate passwords for a user, and a False value specifies that a user can select his own password.

u_restrict: This Boolean option specifies whether password triviality checks are performed on a user-selected password. A u_restrict entry indicates that triviality checks are performed, including verification that the password is not a login or group name, a palindrome, or a dictionary word; a u_restrict@ entry indicates that these checks are not performed.

u_pwdepth#0: This is the number of old encrypted passwords to save to prevent reuse. A value of zero (0) indicates that old passwords can be reused.

u_nullpw@: This Boolean option controls the ability of a user to choose a null password. A u_nullpw entry indicates a null password can be chosen; a u_nullpw@ indicates that it cannot.

u_genchars@: This Boolean option controls the ability of a user to generate random characters for a password. A u_genchars entry indicates that the user can generate passwords made up of random characters, and a u_genchars@ entry indicates that she cannot.

u_genletters@: This Boolean option controls the ability of a user to generate random letters for a password. A u_genletters entry indicates that the user can generate passwords made up of random letters, and a u_genletters@ entry indicates that he cannot.

u_maxtries#0: This is the maximum number of consecutive unsuccessful login attempts to an account before the account is locked. Setting this option to zero (0) disables the locking of accounts due to unsuccessful login attempts.

u_lock@: This Boolean option is used to administratively lock an account. A u_lock entry indicates that the account is locked; a u_lock@ entry indicates that it is not. The presence of the u_lock@ entry in the Default Database File is to globally indicate that all accounts are unlocked unless locked in the individual Protected Password Database Files.

t_logdelay#2: This is the number of seconds between unsuccessful login attempts. This field is designed to slow the rate at which login attempts on a terminal device can occur.

t_maxtries#10: This field specifies the maximum number of consecutive unsuccessful login attempts permitted using the terminal before the terminal is locked. Once the terminal is locked, it must be unlocked by an authorized administrator. For additional information, see the manpage for default(4).
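The following is an added example, not code from the article or from the Digital UNIX Enhanced Security tools. It parses the colon-delimited entry format described above (backslash continuation, "name#num", "name=string", "name" and "name@" fields, trailing chkent integrity field), reports which of the options explained in this sidebar are still at their relaxed values, and writes a tightened entry back out in the same format. The sample entry is the relaxed default shown at the top of the sidebar; the tightened values in TIGHTENED_OVERRIDES are constructed for illustration and are not recommendations from the article.

```python
import re

# Constructed sample: the relaxed "default" entry from the sidebar, written
# with the tab-indented continuation lines the format requires.
SAMPLE_DEFAULT = (
    "default:\\\n"
    "\t:d_name=default:\\\n"
    "\t:d_secclass=c2:\\\n"
    "\t:d_boot_authenticate@:\\\n"
    "\t:d_pw_expire_warning#864000:\\\n"
    "\t:d_pw_site_callout=/tcb/bin/pwpolicy:\\\n"
    "\t:u_minchg#0:u_minlen#8:u_maxlen#12:u_exp#0:\\\n"
    "\t:u_life#0:u_pickpw:u_genpwd@:u_restrict:\\\n"
    "\t:u_pwdepth#0:u_nullpw@:u_genchars@:u_genletters@:\\\n"
    "\t:u_maxtries#0:u_lock@:\\\n"
    "\t:t_logdelay#2:t_maxtries#10:\\\n"
    "\t:chkent:\n"
)

# One field: name, then optionally "#num", "=string" or "@".
_FIELD = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:(#)(\d+)|(=)(.*)|(@))?$")


def parse_entry(text):
    """Parse one entry; returns (entry_name, {option: value}).

    Values are int for name#num, str for name=string, True for a bare
    name and False for name@.  Raises ValueError if the closing chkent
    field is missing, mirroring the integrity check the readers of the
    file perform.  (String values containing ':' are not supported.)"""
    logical = ""
    for line in text.splitlines():
        line = line.strip()          # drops the leading tab of continuations
        if line.endswith("\\"):
            line = line[:-1]         # drop the continuation backslash
        logical += line
    # Adjacent colons produce empty fields; ignore them.
    fields = [f for f in logical.split(":") if f != ""]
    if not fields:
        raise ValueError("empty entry")
    if fields[-1] != "chkent":
        raise ValueError("entry not terminated by chkent")
    name, options = fields[0], {}
    for field in fields[1:-1]:
        m = _FIELD.match(field)
        if m is None:
            raise ValueError("malformed field: %r" % field)
        key = m.group(1)
        if m.group(2):               # name#num
            options[key] = int(m.group(3))
        elif m.group(4):             # name=string
            options[key] = m.group(5)
        else:                        # name (True) or name@ (False)
            options[key] = m.group(6) is None
    return name, options


# Relaxed values as the sidebar describes them: (option, is_relaxed, note).
RELAXED_CHECKS = (
    ("u_maxtries", lambda v: v == 0, "no account lockout on failed logins"),
    ("u_exp", lambda v: v == 0, "passwords never expire"),
    ("u_life", lambda v: v == 0, "unlimited password lifetime"),
    ("u_pwdepth", lambda v: v == 0, "old passwords may be reused"),
    ("u_nullpw", lambda v: v is True, "null passwords allowed"),
    ("u_restrict", lambda v: v is False, "triviality checks disabled"),
)


def relaxed_settings(options):
    """Names of the options still at the relaxed values listed above."""
    return [opt for opt, is_relaxed, _ in RELAXED_CHECKS
            if opt in options and is_relaxed(options[opt])]


def render_entry(name, options):
    """Serialize an entry, one option per tab-indented line, closed by chkent."""
    fields = []
    for key, value in options.items():
        if value is True:
            fields.append(key)
        elif value is False:
            fields.append(key + "@")
        elif isinstance(value, int):
            fields.append("%s#%d" % (key, value))
        else:
            fields.append("%s=%s" % (key, value))
    lines = [name + ":\\"] + ["\t:%s:\\" % f for f in fields] + ["\t:chkent:"]
    return "\n".join(lines) + "\n"


# Constructed illustrative values for a tightened entry (not from the article).
TIGHTENED_OVERRIDES = {"u_maxtries": 5, "u_exp": 7776000,
                       "u_life": 15552000, "u_pwdepth": 5}


if __name__ == "__main__":
    name, opts = parse_entry(SAMPLE_DEFAULT)
    print("relaxed in %s: %s" % (name, relaxed_settings(opts)))
    print(render_entry(name, dict(opts, **TIGHTENED_OVERRIDES)))
```

Running the block prints the four relaxed options in the sample (u_maxtries, u_exp, u_life, u_pwdepth) and then the tightened entry, which parses back to the same option values.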