Summary: C2

From: David K. Magee <magee_at_fiona.umsmed.edu>
Date: Mon, 21 Jul 1997 10:52:52 -0500 (CDT)

I would like to thank all of the people that responded to my
questions on C2:

singhh_at_vrinet.com
visti_at_som.fi
c753330_at_nlzcl1.decnet.philips.nl
MC.Vialatte_at_custsv.univ-bpclermont.fr
Matthew.Cheek_at_mci.com

My original post was:

Hello!

I'm running 3.2d on an Alphaserver 1000.

I'd like to get a little more information about setting up C2 security.

1) How does C2 "protect" /etc/passwd? Does it add an equivalent
/etc/shadow (as does Solaris)?

2) How do you control password aging "features" under C2 (time between
changes, etc)

3) Can you select what users fall under C2 guidelines, or must they all?

I'll summarize the replies. I know similar questions have been asked
before, but I could find no summaries.


Synopsis of the Answers:

1) It protects under /tcb/files/auth/{directories in alphabetical
order}/{users}

No. It uses a TCB directory tree: /tcb/files/auth/<a-z>/<username>. You
can have a look at the man pages for prpasswd and authcap (they are on my
3.2G system), and the related information mentioned in those pages.

2) It's controlled by a utility called /usr/tcb/bin/XIsso. Pick the user
default to change the settings for all or a particular username.

3) It's your system security, so, you can't really pick users. It's either
BASE OR ENHANCED security.

Other important information:

        If you turn on C2, all users are affected, but you can modify
the expiration times and other parameters per user.

        When you turn C2 on, the original encrypted passwd is left in
/etc/passwd and some non-standard programs may still be using it, if
they were compiled before the transition to C2. We have wu-ftpd and pop,
which don't know anything about C2 passwords; they require the old passwd
still in /etc/passwd.

The book to read is "Security" from Digital, order number aa-q0r2c-te
(this is for Dunix 3.2C or higher).

There are some gotchas if you implement it. One of them is that you should
take great care of the settings of root (in /tcb/files/r/root) to prevent
a situation where root is expired and you cannot log in. Also, users with
passwords longer than 8 characters will not be able to log in unless they
use *only* the first 8 characters.


David
--
David K. Magee                      My Cray is not faster than yours. 
magee_at_umsmed.edu                             #include<std.disclaimer> 
Received on Mon Jul 21 1997 - 18:09:24 NZST
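
An added example, not part of the original post and not a Digital tool: a small audit for the point above that the old encrypted password stays in /etc/passwd after C2 is turned on. It flags entries whose password field still has the shape of a traditional crypt(3) DES hash and prints the protected-database path in the layout the summary gives. The sample entries are constructed, and using the first character of the username as the directory letter is an assumption.

```python
import re

# Traditional crypt(3) DES output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample in passwd layout; the "hashes" are made-up strings.
SAMPLE_PASSWD = """\
root:*:0:1:system PRIVILEGED account:/:/bin/sh
alice:ab3dEfGh1jKlM:201:15:Constructed user:/usr/users/alice:/bin/csh
bob:Zx9./QwErTyUi,2/:202:15:Constructed user with aging suffix:/usr/users/bob:/bin/sh
carol::203:15:Constructed user, empty field:/usr/users/carol:/bin/sh
broken:line
"""

def tcb_path(user):
    """Path in the layout from the summary: /tcb/files/auth/<a-z>/<username>."""
    # Assumption: the directory letter is the first character of the username.
    return "/tcb/files/auth/%s/%s" % (user[0], user)

def classify(pw_field):
    """Label the second passwd field: 'legacy-hash', 'empty' or 'placeholder'."""
    core = pw_field.split(",", 1)[0]  # drop a System V style ",aging" suffix
    if core == "":
        return "empty"
    return "legacy-hash" if DES_CRYPT.fullmatch(core) else "placeholder"

def audit_passwd(text):
    """Return (user, status, tcb_path) for each entry that is not a placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            findings.append(("line %d" % lineno, "malformed", None))
            continue
        status = classify(fields[1])
        if status != "placeholder":
            findings.append((fields[0], status, tcb_path(fields[0])))
    return findings

if __name__ == "__main__":
    for user, status, path in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %-12s %s" % (user, status, path or "-"))
```

Each "legacy-hash" entry is an account whose old hash is still readable by anyone who can read the passwd file, so it is worth confirming which programs still depend on it.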
