
Archive for January 20th, 2008

Linux:

/etc/pam.d/passwd

#
# passwd service entry that does strength checking of
# a proposed password before updating it.
#
passwd password requisite \
    /usr/lib/security/pam_cracklib.so retry=3
passwd password required \
    /usr/lib/security/pam_pwdb.so use_authtok
#

/etc/default/useradd

# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

/etc/login.defs

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN  Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

Solaris:

Passwords must be constructed to meet the following requirements (via the passwd command)

· Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Only the first eight characters are significant.

· Each password must contain at least two alphabetic characters and at least one numeric or special character. In this case, “alphabetic” refers to all upper or lower case letters.

· Each password must differ from the user’s login name and any reverse or circular shift of that login name. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.

· New passwords must differ from the old by at least three characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.

/etc/default/passwd

#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
WARNWEEKS=

Using the passwd command the following parameters can be set:

Min: minimum number of days required between password changes
Max: maximum number of days the password is valid
Warn: number of days relative to max before the password expires at which the user will be warned

AIX:

/etc/security/user

minalpha    Specifies the minimum number of alphabetic characters.
minother    Specifies the minimum number of other characters.
minlen      Specifies the minimum number of characters.
            Note: This value is determined by either the minalpha value plus the
            minother value or the minlen value, whichever is greater.
mindiff     Specifies the minimum number of characters in the new password that are
            not in the old password.
            Note: This restriction does not consider position. If the new password is
            abcd and the old password is edcb, the number of different characters is 1.
maxrepeats  Specifies the maximum number of times a single character can be used
            in a password.
minage      Specifies the minimum age at which a password can be changed. Passwords
            must be kept for a minimum period. This value is measured in weeks.
maxage      Specifies the maximum age of a password. A password must be changed after
            a specified amount of time measured in weeks.
maxexpired  Specifies the maximum number of weeks beyond the maxage value that a
            password can be changed by the user.
histexpire  Specifies the number of weeks that a user cannot reuse a password
            (between 0 and 260 weeks).
histsize    Specifies the number of previous passwords that the user cannot reuse
            (between 0 and 50).
dictionlist Specifies the list of dictionary files checked when a password is
            changed. (Example dictionary: /usr/share/dict/words)

HP-UX

    Passwords must be constructed to meet the following requirements:

    • On an untrusted system, only the first eight characters of a password are significant.

    • On an untrusted system, passwords of non-root users must have at least six characters. On a trusted system, passwords of all users must have at least six characters. This restriction on the password length can be increased to a value larger than six. Refer to the security(4) manual page for detailed information on configurable parameters that affect the behavior of this command. The parameter to select the minimum password length is MIN_PASSWORD_LENGTH.

    • Characters must be from the 7-bit US-ASCII character set; letters from the English alphabet.

    • A password must contain at least two letters and at least one numeric or special character.

    • A password must differ from the user’s login name and any reverse or circular shift of that login name. For comparison purposes, an uppercase letter and its corresponding lowercase equivalent are treated as identical.

    • A new password must differ from the old one by at least three characters.

      /etc/default/security

      MIN_PASSWORD_LENGTH=N     New passwords must contain at least N characters.
      PASSWORD_HISTORY_DEPTH=N  A new password is checked against only the N most recently used passwords for a particular user.
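The Solaris and HP-UX composition rules above (two letters plus one numeric or special character, no login-name shifts, three positions of change, HP-UX's 7-bit ASCII limit) and the AIX mindiff note are easy to misread; the Python below is an added example, not the vendors' passwd code, that implements them with PASSLENGTH/MIN_PASSWORD_LENGTH and the eight-character significance limit as parameters.

```python
"""Password-rule checks modelled on the Solaris/HP-UX rules quoted above and on
the AIX mindiff note. Added example only; this is not the vendors' passwd code."""


def circular_shifts(s):
    """All rotations of s, e.g. robert -> {robert, obertr, bertro, ...}."""
    return {s[i:] + s[:i] for i in range(len(s))}


def derived_from_login(password, login):
    """True if the password equals the login name, its reverse, or any circular
    shift of either. Case-insensitive, as the rule states."""
    p, l = password.lower(), login.lower()
    return p in circular_shifts(l) | circular_shifts(l[::-1])


def positional_diff(new, old):
    """Solaris/HP-UX rule: positions at which the two passwords differ,
    case-insensitive; any length difference counts as differing positions."""
    n, o = new.lower(), old.lower()
    return sum(1 for a, b in zip(n, o) if a != b) + abs(len(n) - len(o))


def aix_mindiff(new, old):
    """AIX mindiff: distinct characters of the new password that never occur in
    the old one, regardless of position. abcd vs edcb -> 1 (only 'a' is new)."""
    return len(set(new) - set(old))


def check_password(password, login, old=None, minlen=6, significant=8):
    """Return the list of violated rules; an empty list means the password passes.
    `minlen` models PASSLENGTH / MIN_PASSWORD_LENGTH; `significant` models the
    eight-character truncation both systems mention, so the composition, login
    and difference rules are evaluated on the truncated string."""
    errors = []
    if any(ord(c) > 127 for c in password):
        errors.append("contains characters outside 7-bit US-ASCII")
    if len(password) < minlen:
        errors.append("shorter than the minimum length (%d)" % minlen)
    p = password[:significant]
    letters = sum(1 for c in p if c.isalpha())
    others = len(p) - letters
    if letters < 2 or others < 1:
        errors.append("needs at least two letters and one numeric or special character")
    if derived_from_login(p, login):
        errors.append("is the login name or a reverse/circular shift of it")
    if old is not None and positional_diff(p, old[:significant]) < 3:
        errors.append("differs from the old password in fewer than three positions")
    return errors


if __name__ == "__main__":
    # Constructed sample: login "robert", previous password "ab1def".
    for pw in ("ab1def", "bertro", "robert2", "ab1deg"):
        print(pw, check_password(pw, "robert", old="ab1def") or "OK")
```

Note that "robert2" passes: the rule only rejects exact reversals and rotations of the login name, which is why the dictionary and history controls on the other systems matter.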


      1. Download and install Putty:

      http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.59-installer.exe

      2. Run PUTTYGEN.EXE from the Putty directory.

      3. You want to generate an SSH-2 RSA key of at least 2048 bit length, so make sure that option is selected (it should be by default), then change the Number of bits field to 2048.

      4. Click Generate and move your mouse around the blank area as instructed on screen.

      5. Create a comment for your key like “Rob’s UNIX SSH Key”. This is useful if you end up with more than a few keys in your collections.

      6. Assign a passphrase to your key. Some considerations about this password:

      1. It should be complex, random, and at least 8 characters in length.
      2. Do NOT use a dictionary based word for this.
      3. You should be able to type and remember it relatively easily.
      4. You will likely type this a few times a day, but far less than when using a traditional password authentication method.

      7. Click the “Save public key” button. Save your public key to your local drive and name it something like “sun4ukey.pub”.

      8. Click the “Save private key” button. Save your private key to your local drive and name it something like “sun4ukey.priv”.

      9. Go to the menu, click on “Conversions”, “Export OpenSSH key”. Save this key to your local drive and name it something like, “id_rsa”.

      10. In the Putty Key Generator window there is a text field that contains a line that starts with contents like: “ssh-rsa”. Copy this entire field of text to a file called “authorized_keys2”. Example window seen below:

      [Screenshot: the PuTTY Key Generator window, showing the ssh-rsa public key text field, and the window as it looks during this process]

      Set up Putty Key Agent (Pageant) and SERVER to Manage Keys

      1. In your Putty directory there should be a binary called “PAGEANT.EXE”. I would suggest adding this to your Windows startup items because you will need to have it open in order to allow Putty to act as an agent for your SSH Keys. Since we use SSH daily, adding this to the Windows startup process saves you an extra step.

      2. Run the binary PAGEANT.EXE and it should appear in your system tray.

      [Screenshot: the Pageant icon in the system tray]

      Right click the icon and choose the option “Add Key”.

      This will open a file browser window; pick the private key file you saved earlier (robskey.priv). You will be prompted for the passphrase you originally assigned to your key file; type it here and hit return.

      3. Open Putty and SSH into your account on meu6awcap01.

      4. In your home directory, make sure you have the directory “.ssh”.

      5. Change directories into .ssh and vi a file called authorized_keys2. In this file paste the contents of the authorized keys file you saved earlier (authorized_keys2).

      6. Now vi a file called id_rsa and paste the contents of your Private key file here (robskey.priv).

      7. Make sure the file permissions for both files are 600 and that they are owned by your user.

      8. In your Putty session for meu6awcap01, browse to the SSH tab of the options, select Auth and browse to your Private Key file (robskey.priv). Then select the Connection and then Data option and set your “Auto-login username” to your username on meu6awcap01. Go back to the session option at the top of the window and resave your meu6awcap01 session settings.

      At this point you should be able to click Open on that session and it will log you directly into meu6awcap01 as yourself, without asking you for any username or password information.
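Step 7 asks for mode 600 and your own ownership on id_rsa and authorized_keys2, and sshd also refuses keys when ~/.ssh itself is group or world accessible. The Python below is an added example, not part of the original post or of OpenSSH or PuTTY, that audits those files; the demo directory it builds is constructed for illustration.

```python
"""Audit the files the post has you put in ~/.ssh (id_rsa, authorized_keys2):
regular files, owned by you, mode 600, inside a directory that is mode 700.
Added example; not OpenSSH or PuTTY code."""
import os
import stat
import tempfile


def file_problems(path, expected_uid=None):
    """Return a list of problems with one file; an empty list means it is fine."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("%s: is a symlink, not a regular file" % path)
    elif not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    if st.st_uid != expected_uid:
        problems.append("%s: owned by uid %d, expected %d" % (path, st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("%s: mode %o, expected 600" % (path, mode))
    return problems


def ssh_dir_problems(ssh_dir, names=("id_rsa", "authorized_keys2")):
    """Check the directory (no group/other bits, i.e. 700) and each listed file."""
    try:
        dmode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    except FileNotFoundError:
        return ["%s: missing" % ssh_dir]
    problems = []
    if dmode & 0o077:
        problems.append("%s: mode %o, expected 700" % (ssh_dir, dmode))
    for name in names:
        problems.extend(file_problems(os.path.join(ssh_dir, name)))
    return problems


def make_demo_dir():
    """Constructed demo: a 700 directory holding a correct id_rsa (600) and an
    authorized_keys2 left at 644, which is what a plain `vi` typically creates."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o700)
    for name, mode in (("id_rsa", 0o600), ("authorized_keys2", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    for line in ssh_dir_problems(demo) or ["%s: OK" % demo]:
        print(line)
```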

      Assuming all is working correctly, you can follow the process for putting your OpenSSH key data in /home/yourusername/.ssh/authorized_keys2 on every UNIX server. You should then be able to SSH from your local computer the same way as you can SSH into meu6awcap01 with this method.

      You can also set up meu6awcap01 as your jumping point for accessing all systems: the OpenSSH suite has a binary similar to the PuTTY agent that you can set up on meu6awcap01 to hold your password for you for the current session. Once you do this, you can SSH from meu6awcap01 to any host we manage without needing to repeatedly type your password.

      You can do this in Linux and meu6awcap01 by adding the following line to .bashrc in your home directory:

      eval `ssh-agent`; ssh-add

      Also add to a file in your home directory called “.bash_logout” the line:

      eval `ssh-agent -k`

      This will make sure your ssh-agent session for that connection is ended when you log out. If you don’t do this, we will end up with an abandoned agent process every time you log in to the server, until the next reboot or until each one is killed manually.

      Now every time you connect to meu6awcap01 it will ask you for the password to your key much like PAGEANT.EXE does. Once you enter it, you will not need to type the password again for the duration of your session.

      Keep in mind that setting up a UNIX server to manage your key for you like this requires leaving the PRIVATE key file on the server you are setting up. I would suggest that you do NOT do this on every host, or even on more than a few hosts.

      The private key file should be guarded as heavily as the keys to your front door or home. While it is passphrase protected, breaking it is not entirely impossible, and once it has been broken the consequences are very dire. I would suggest keeping this key on your laptop and on meu6awcap01 only.

      Your home directory on meu6awcap01 is mirrored to meu6awcap02, so in the event the first server goes down, the other is there to use as well.

      Password authentication will also be left active for our users on these two systems. This means if you are in a situation where you have no access to your keys to log in, you can still use a password to gain access to your systems. This situation could come up if you were at an unfamiliar desktop or at home connected via Citrix, for example. You will still need to change your password on meu6awcap01 and meu6awcap02 every 90 days because of this, but this reduces the number of UNIX passwords you change every 90 days to only two.


      Install SUNWsan and Required patches from Sun.
      SFS_base_packages.S8

      Installed the following patches in order listed
      Loc: /jumpstart/Software_Installs/Veritas
      111412-13
      111095-15
      111413-12

      Reboot

      Install Veritas VM following the vxvm_ig.pdf

      Install License Volume Manager

      Run vxinstall
      Select enclosure based naming
      Change the “OTHER_DISKS” enclosure naming to “INTERNAL_DISKS”
      Select quick installation
      Encapsulate only the root drive; pick defaults (rootdg)
      You do not need to initialize the other internal drives at this point in the installation. We will do this later.
      Reboot

      Install Patch Upgrades for Foundation Suite 3.5 Maintenance Pack 2
      Patches
      Loc: /jumpstart/Software_Installs/Veritas/ Maintanenance_Pack2
      113206-10
      113210-03

      List encapsulated disk.
      # vxdisk -g rootdg list
      DEVICE TYPE DISK GROUP STATUS
      c1t1d0s2 sliced rootdisk rootdg online

      Reconfigure the default VxVM

      Initialize and add the disk for rootmirror
      # /usr/lib/vxvm/bin/vxdisksetup -i c1t0d0
      # vxdg -g rootdg adddisk rootmirror=c1t0d0
      # vxdisk -g rootdg list
      DEVICE TYPE DISK GROUP STATUS
      c1t0d0s2 sliced rootmirror rootdg online
      c1t1d0s2 sliced rootdisk rootdg online

      Attach the mirrors

      # /etc/vx/bin/vxrootmir rootmirror
      # vxassist -g rootdg mirror swapvol rootmirror
      # vxassist -g rootdg mirror var rootmirror
      # vxassist -g rootdg mirror opt rootmirror
      # vxassist -g rootdg mirror home rootmirror

      Dissociate rootdisk plexes and remove the “special” subdisks.

      # vxplex -g rootdg dis rootvol-01 swapvol-01 var-01 opt-01 home-01
      # vxedit -g rootdg -fr rm rootvol-01 swapvol-01 var-01 opt-01 home-01

      Remove rootdisk from rootdg

      # vxdg -g rootdg rmdisk rootdisk

      Initialize rootdisk and add it back to rootdg

      # /etc/vx/bin/vxdisksetup -i cXtXdX
      # vxdg -g rootdg adddisk rootdisk=cXtXdX

      Re-attach mirrors in the correct order

      # /etc/vx/bin/vxrootmir rootdisk
      # vxassist -g rootdg mirror swapvol rootdisk
      # vxassist -g rootdg mirror var rootdisk
      # vxassist -g rootdg mirror opt rootdisk
      # vxassist -g rootdg mirror home rootdisk

      Create the underlying partitions on the primary boot disk

      # /usr/lib/vxvm/bin/vxmksdpart -g rootdg rootdisk-02 1 0x03 0x01
      # /usr/lib/vxvm/bin/vxmksdpart -g rootdg rootmirror-02 1 0x03 0x01
      # /usr/sbin/dumpadm -d /dev/dsk/c1t1d0s1 #rootdisk
      Dump content: kernel pages
      Dump device: /dev/dsk/c1t1d0s1 (dedicated)
      Savecore directory: /var/crash/meu6awentdb02
      Savecore enabled: yes

      OpenBoot Prom settings
      Save current OBP nvramrc settings

      # /usr/sbin/eeprom nvramrc >/var/adm/doc/`date +%Y%m%d`.eeprom.nvramrc.out

      Make a copy of the saved nvramrc and edit the boot aliases

      # ls -l /dev/dsk/c[12]t[0189]d0s0
      # cp /var/adm/doc/`date +%Y%m%d`.eeprom.nvramrc.out /var/tmp/nv
      # vi /var/tmp/nv
      # cat /var/tmp/nv
      devalias rootmirror /pci@1f,0/pci@1/scsi@8/disk@0,0:a
      devalias rootdisk /pci@1f,0/pci@1/scsi@8/disk@1,0:a

      Define new boot devices

      # /usr/sbin/eeprom "boot-device=rootdisk rootmirror"
      # /usr/sbin/eeprom "use-nvramrc?=true"
      # /usr/sbin/eeprom "nvramrc=`cat /var/tmp/nv`"


      Description:
      This document describes the process of replacing a failed internal
      disk on the Sun Fire[TM] V440 server when the disk is not mirrored using the
      on-board hardware RAID controller.

      Document Body:
      1. Verify which disk drive corresponds with which logical device name and
      physical device name. Listed below is the table for the v440 disk devices:

      Disk Slot Number   Logical Device Name[1]   Physical Device Name
      -----------------------------------------------------------------------
      Slot 0             c1t0d0                   /devices/pci@1f,700000/scsi@2/sd@0,0
      Slot 1             c1t1d0                   /devices/pci@1f,700000/scsi@2/sd@1,0
      Slot 2             c1t2d0                   /devices/pci@1f,700000/scsi@2/sd@2,0
      Slot 3             c1t3d0                   /devices/pci@1f,700000/scsi@2/sd@3,0

      2. Verify that a hardware disk mirror does not exist

      #raidctl
      No RAID volumes found.

      ****NOTE**** If Raid volumes exist see infodoc 73040

      3. View status of SCSI devices
      #cfgadm -al
      Ap_Id Type Receptacle Occupant Condition
      c0 scsi-bus connected configured unknown
      c0::dsk/c0t0d0 CD-ROM connected configured unknown
      c1 scsi-bus connected configured unknown
      c1::dsk/c1t0d0 disk connected configured unknown
      c1::dsk/c1t1d0 disk connected configured unknown
      c1::dsk/c1t2d0 disk connected configured unknown
      c1::dsk/c1t3d0 disk connected configured unknown
      c2 scsi-bus connected configured unknown
      c2::dsk/c2t2d0 disk connected configured unknown
      usb0/1 unknown empty unconfigured ok
      usb0/2 unknown empty unconfigured ok
      usb1/1 unknown empty unconfigured ok
      usb1/2 unknown empty unconfigured ok

      4. Remove the disk drive from the device tree

      #cfgadm -c unconfigure <Ap_Id>
      example -> #cfgadm -c unconfigure c1::dsk/c1t3d0
      This example removes c1t3d0 from the device tree. The blue OK-to-Remove LED for
      the disk being removed will become lit.

      5. Verify that the device has been removed from the device tree

      #cfgadm -al
      Ap_Id Type Receptacle Occupant Condition
      c0 scsi-bus connected configured unknown
      c0::dsk/c0t0d0 CD-ROM connected configured unknown
      c1 scsi-bus connected configured unknown
      c1::dsk/c1t0d0 disk connected configured unknown
      c1::dsk/c1t1d0 disk connected configured unknown
      c1::dsk/c1t2d0 disk connected configured unknown
      c1::dsk/c1t3d0 unavailable connected unconfigured unknown
      c2 scsi-bus connected configured unknown
      c2::dsk/c2t2d0 disk connected configured unknown
      usb0/1 unknown empty unconfigured ok
      usb0/2 unknown empty unconfigured ok
      usb1/1 unknown empty unconfigured ok
      usb1/2 unknown empty unconfigured ok

      *NOTE that c1t3d0 is now unavailable and unconfigured. The disk's blue
      OK-to-Remove LED is lit

      6. Remove the disk drive

      7. Install a new disk drive

      8. Configure the new disk drive

      #cfgadm -c configure <Ap_Id>
      example->#cfgadm -c configure c1::dsk/c1t3d0

      *NOTE that the green activity LED flashes as the new disk at c1t3d0 is added to
      the device tree

      9. Verify that the new disk drive is in the device tree

      #cfgadm -al
      Ap_Id Type Receptacle Occupant Condition
      c0 scsi-bus connected configured unknown
      c0::dsk/c0t0d0 CD-ROM connected configured unknown
      c1 scsi-bus connected configured unknown
      c1::dsk/c1t0d0 disk connected configured unknown
      c1::dsk/c1t1d0 disk connected configured unknown
      c1::dsk/c1t2d0 disk connected configured unknown
      c1::dsk/c1t3d0 disk connected configured unknown
      c2 scsi-bus connected configured unknown
      c2::dsk/c2t2d0 disk connected configured unknown
      usb0/1 unknown empty unconfigured ok
      usb0/2 unknown empty unconfigured ok
      usb1/1 unknown empty unconfigured ok
      usb1/2 unknown empty unconfigured ok
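Steps 3, 5 and 9 depend on reading the cfgadm -al listing correctly before and after the drive is pulled. The Python below is an added example, not Sun's tooling, that parses that listing and gates the physical removal on the Occupant column reading unconfigured; the sample listings are constructed from the output shown in this post.

```python
"""Parse `cfgadm -al` output and decide whether a V440 disk slot is safe to pull
(occupant unconfigured) or is back in service (type disk, occupant configured).
Added example; not Sun's tooling. Sample listings constructed from the post."""

LISTING_BEFORE = """\
Ap_Id Type Receptacle Occupant Condition
c0 scsi-bus connected configured unknown
c0::dsk/c0t0d0 CD-ROM connected configured unknown
c1 scsi-bus connected configured unknown
c1::dsk/c1t0d0 disk connected configured unknown
c1::dsk/c1t3d0 disk connected configured unknown
usb0/1 unknown empty unconfigured ok
"""

# The same system after `cfgadm -c unconfigure c1::dsk/c1t3d0` (step 4).
LISTING_AFTER = LISTING_BEFORE.replace(
    "c1::dsk/c1t3d0 disk connected configured unknown",
    "c1::dsk/c1t3d0 unavailable connected unconfigured unknown")

COLUMNS = ("type", "receptacle", "occupant", "condition")


def parse_cfgadm(output):
    """Map Ap_Id -> {type, receptacle, occupant, condition}, skipping the header
    and any line that does not have exactly the five columns cfgadm prints."""
    table = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Ap_Id":
            continue
        table[fields[0]] = dict(zip(COLUMNS, fields[1:]))
    return table


def safe_to_remove(output, ap_id):
    """True only when the slot is listed and its occupant is 'unconfigured', the
    state step 5 expects before the drive is physically removed. An Ap_Id that
    is not in the listing is treated as unsafe rather than silently passing."""
    entry = parse_cfgadm(output).get(ap_id)
    return entry is not None and entry["occupant"] == "unconfigured"


def back_in_service(output, ap_id):
    """True when the replacement shows as type 'disk', occupant 'configured' (step 9)."""
    entry = parse_cfgadm(output).get(ap_id)
    return entry is not None and entry["type"] == "disk" and entry["occupant"] == "configured"


if __name__ == "__main__":
    slot = "c1::dsk/c1t3d0"
    print("before unconfigure, safe to pull:", safe_to_remove(LISTING_BEFORE, slot))
    print("after unconfigure, safe to pull:", safe_to_remove(LISTING_AFTER, slot))
    print("after reconfigure, back in service:", back_in_service(LISTING_BEFORE, slot))
```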


      Linux-to-Solaris-to-Linux

      Command Differences
      Linux       Solaris
      ps          /usr/bin/ps requires command line argument changes;
                  /usr/ucb/ps has compatible command line arguments but the
                  output may be different.
      tcpdump     use snoop
      awk         Use one of nawk, /usr/xpg4/bin/awk or gawk.
      tar         Use /opt/sfw/bin/gtar

      Configuration Files
      Linux               Solaris
      /etc/fstab          /etc/vfstab
      /etc/exports        /etc/dfs/dfstab
      /etc/ntp.conf       /etc/inet/ntp.conf
      /etc/aliases        /etc/mail/aliases
      /etc/inetd.conf     inetadm (Solaris 10)
      /etc/xinetd.conf    inetadm (Solaris 10)
                          Solaris 9: convert to /etc/inetd.conf
      /etc/printcap       /etc/printers.conf

      Kernel Drivers
      Linux               Solaris
      /etc/modules*       /etc/system
                          /kernel/drv/*.conf

      Kernel Configuration
      Linux       Solaris
      sysctl      /etc/system

      Common command directories
      Linux       Solaris
      /bin        /usr/bin
      /sbin       /usr/sbin

      Extra Solaris command directories

      /usr/openwin/bin   /usr/dt/bin     /usr/sfw/bin
      /opt/sfw/bin       /usr/xpg4/bin   /usr/ccs/bin
      /usr/ucb

      Solaris commands in /usr/ucb

      basename  df        du      echo      expr      fastboot
      fasthalt  file      from    groups    install   ld
      lint      ln        lpc     lpq       lpr       lprm
      lptest    ls        mkstr   printenv  ps        rusage
      sed       shutdown  stty    sum       test      touch
      tr        tset      users   vipw      whereis   whoami

      Linux and Solaris networking configuration files
      Linux                                               Solaris
      /etc/ntp.conf                                       /etc/inet/ntp.conf
      /etc/inetd.conf                                     /etc/inet/inetd.conf
      /etc/sysconfig/network-scripts/ifcfg-{interface}    /etc/inet/netmasks
      /etc/networks                                       /etc/inet/networks

      Linux and Solaris file system configuration files
      Linux               Solaris
      /etc/fstab          /etc/vfstab
      /etc/exports        /etc/dfs/dfstab (format is different)
      /etc/auto.master    /etc/auto_master
      /etc/auto.home      /etc/auto_home

      Linux and Solaris mail configuration files
      Linux               Solaris
      /etc/aliases        /etc/mail/aliases
      /etc/mail.rc        /etc/mail/Mail.rc
                          /etc/mail/mailx.rc

      Linux and Solaris log files
      Linux       Solaris
      /var/log    /var/adm
