Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!mp.cs.niu.edu!bennett
From: bennett@mp.cs.niu.edu (Scott Bennett)
Newsgroups: comp.unix.wizards
Subject: Re: new password idea
Message-ID: <1991Apr24.004539.3881@mp.cs.niu.edu>
Date: 24 Apr 91 00:45:39 GMT
References: <26616@adm.brl.mil> <1991Apr23.182654.22452@odin.corp.sgi.com>
Organization: Northern Illinois University
Lines: 51

In article <1991Apr23.182654.22452@odin.corp.sgi.com> jeffs@soul.esd.sgi.com (Jeff Smith) writes:
> [text deleted --SJB]
>
>It's best to use good passwords. Some newer systems now split up the
>password file information so you can't read the encrypted password
>without root authority.

     On some of our non-UNIX systems we use a security package that has
another useful feature: after a certain number of bad passwords are given
consecutively for a logonid, the logonid is suspended. No further access
is allowed for that logonid until someone with authority to reactivate it
has become involved. While this in itself offers an avenue for abuse, it
pretty much closes the door on unauthorized use/access. Most users are
further required to change their passwords at least once every {insert
desired time period}.

     Users can set up or modify any access rules regarding their own files.
If no explicit rule is currently defined when the system checks for one,
the default is that the user has full access (i.e. read, write, allocate,
execute) and nobody else gets anything.

     The entire data base used by the security system is accessible, but
only by the systems programmers (i.e. us:-) or, conceivably, the computer
operators with great bother, and the passwords are all encrypted anyway.
In this particular case, our operators present no danger. We Know *and* We
Watch anyway. :-)

     The security system also logs just about *everything*, e.g. file
opens/closes, job start/end, disk space allocation/deallocation, access
violations (including the logonid suspensions just described),
logins/logouts, and, of course, anyone monkeying with the security system,
so if we have to, we can follow an audit trail.

     While some versions of UNIX appear to support password expiration, and
a few support limited versions of access control lists, UNIX in general
doesn't. Most of these functions are missing from most versions of UNIX.
Does anyone have experience with any of the third-party security packages
for UNIX? Can you tell us what they offer that is missing in UNIX?

>
>jeffs

                                  Scott Bennett, Comm. ASMELG, CFIAG
                                  Systems Programming
                                  Northern Illinois University
                                  DeKalb, Illinois 60115
**********************************************************************
* Internet:       bennett@cs.niu.edu                                 *
* BITNET:         A01SJB1@NIU                                        *
*--------------------------------------------------------------------*
* "Spent a little time on the mountain, Spent a little time on the   *
*  Hill, The things that went down you don't understand, But I       *
*  think in time you will."   Oakland, 19 Feb. 1991, first time      *
*  since 25 Sept. 1970!!!  Yippee!!!!   Wondering what's NeXT... :-) *
**********************************************************************
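The three mechanisms the post describes for its non-UNIX security package (suspend a logonid after N consecutive bad passwords until an authorized person reactivates it, owner-only default access when no explicit rule exists, and an audit record for every security-relevant event) fit naturally in one small model. The following is an added example, not code from the post or from any real security package; the threshold of three failures, the `sysprog` authority list, the rule lookup order (an explicit rule for the requesting logonid wins, otherwise the default applies) and all account names are assumptions made here for illustration.

```python
"""Added example (not from the original post): a minimal model of
consecutive-failure lockout, default-deny access rules and audit logging."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed threshold; the post only says "a certain number" of bad passwords.
MAX_CONSECUTIVE_FAILURES = 3


@dataclass
class Account:
    logonid: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0      # consecutive bad passwords so far
    suspended: bool = False


class SecuritySystem:
    def __init__(self, admins):
        self.admins = set(admins)   # logonids with authority to reactivate
        self.accounts = {}
        self.audit = []             # every event appended here, as the post describes
        self.rules = {}             # (owner, filename) -> {logonid: set(perms)}

    @staticmethod
    def _hash(salt, password):
        # Passwords are stored only in hashed form (salted PBKDF2 here).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def add_account(self, logonid, password):
        salt = os.urandom(16)
        self.accounts[logonid] = Account(logonid, salt, self._hash(salt, password))
        self.audit.append(("account_created", logonid))

    def login(self, logonid, password):
        acct = self.accounts.get(logonid)
        if acct is None:
            self.audit.append(("login_failed", logonid, "unknown logonid"))
            return False
        if acct.suspended:
            # Even the correct password is refused until someone reactivates it.
            self.audit.append(("login_refused", logonid, "suspended"))
            return False
        if hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password)):
            acct.failures = 0           # a good login resets the consecutive count
            self.audit.append(("login_ok", logonid))
            return True
        acct.failures += 1
        self.audit.append(("login_failed", logonid, "bad password"))
        if acct.failures >= MAX_CONSECUTIVE_FAILURES:
            acct.suspended = True
            self.audit.append(("logonid_suspended", logonid))
        return False

    def reactivate(self, actor, logonid):
        # Only someone with authority may clear a suspension; attempts are logged.
        if actor not in self.admins:
            self.audit.append(("access_violation", actor, "reactivate", logonid))
            raise PermissionError(f"{actor} may not reactivate {logonid}")
        acct = self.accounts[logonid]
        acct.suspended = False
        acct.failures = 0
        self.audit.append(("logonid_reactivated", logonid, "by", actor))

    def set_rule(self, actor, owner, filename, subject, perms):
        # Users may define rules only for their own files.
        if actor != owner:
            self.audit.append(("access_violation", actor, "set_rule", owner, filename))
            raise PermissionError(f"{actor} may not set rules on {owner}'s {filename}")
        self.rules.setdefault((owner, filename), {})[subject] = set(perms)
        self.audit.append(("rule_set", owner, filename, subject, sorted(perms)))

    def check_access(self, subject, owner, filename, perm):
        rule = self.rules.get((owner, filename), {})
        if subject in rule:
            allowed = perm in rule[subject]
        else:
            # No explicit rule: the owner has full access, nobody else gets anything.
            allowed = subject == owner
        if not allowed:
            self.audit.append(("access_violation", subject, owner, filename, perm))
        return allowed


def demo():
    """Run the lockout and access-rule scenario; returns the system for inspection."""
    sec = SecuritySystem(admins={"sysprog"})
    sec.add_account("alice", "correct horse")   # constructed sample account
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        sec.login("alice", "wrong")             # third bad password suspends the logonid
    sec.login("alice", "correct horse")         # refused: suspended
    sec.reactivate("sysprog", "alice")
    sec.login("alice", "correct horse")         # accepted again
    sec.check_access("bob", "alice", "notes.txt", "read")      # default: denied, logged
    sec.set_rule("alice", "alice", "notes.txt", "bob", {"read"})
    sec.check_access("bob", "alice", "notes.txt", "read")      # explicit rule: allowed
    return sec


if __name__ == "__main__":
    for event in demo().audit:
        print(event)
```

The audit list is the part a systems programmer would actually read after the fact: a suspension appears next to the failed logins that caused it, and a reactivation names who performed it, which is the "avenue for abuse" the post mentions being kept under watch.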