Patch Name: PHCO_30402

Patch Description: s700_800 11.11 libpam_unix cumulative patch

Creation Date: 04/02/19

Post Date: 04/05/24

Hardware Platforms - OS Releases:
    s700: 11.11
    s800: 11.11

Products: N/A

Filesets:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: Yes
    PHCO_30402: OTHER
        Some users may be unable to login.
    PHCO_24839: CORRUPTION
    PHCO_24606: ABORT

Category Tags:
    defect_repair enhancement general_release
    critical halts_system corruption

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_30402

Symptoms:
    PHCO_30402:
    ( SR:8606343071 CR:JAGaf03965 )
    After creating a new NIS+ user with sam(1m), the new user is
    unable to login.

    PHCO_27037:
    ( SR:8606221280 CR:JAGad90414 )
    This patch is a member of a set of product updates needed to
    enable the optional HP-UX shadow password feature. Upon
    installation, the HP-UX shadow password bundle (ShadowPassword)
    will install the full set of products (including this patch) to
    enable the shadow password feature. If the HP-UX shadow password
    product is not installed, this patch will have no impact on your
    system.

    ( SR:8606199765 CR:JAGad68951 )
    /usr/bin/passwd needs to support dce in /etc/nsswitch.conf

    ( SR:8606227681 CR:JAGad96745 )
    passwd command produces error when nsswitch.conf has
    "passwd: files nis ldap"

    PHCO_24839:
    ( SR:8606206632 CR:JAGad75805 )
    On a system running NIS+ in trusted mode, an unsuccessful
    password change for a NIS+ user with a NON-fully qualified
    domain name (i.e. without the trailing dot) could corrupt the
    NIS+ namespace.

    ( SR:8606211302 CR:JAGad80490 )
    On a trusted system, the root user may fail to log in on the
    console if his/her account is expired.

    ( SR:8606196292 CR:JAGad65495 )
    On a trusted system, an application using the PAM library may be
    unable to interact with a user to change their password. This
    typically won't be an issue, however, an application provider or
    another patch may direct you to install this patch.
    PHCO_24606:
    ( SR:8606184948 CR:JAGad54150 )
    Changing password on a trusted system could affect password
    aging parameters.

    ( SR:8606203499 CR:JAGad72672 )
    ( SR:8606201051 CR:JAGad70227 )
    Passwd command could cause libpam_unix to dump core.

    ( SR:8606193672 CR:JAGad62884 )
    libpam_unix doesn't print NIS error message as yppasswd used to.

    ( SR:8606202873 CR:JAGad72047 )
    No symptoms. Additional password restrictions checking is a new
    feature.

    PHCO_23224:
    ( SR:8606178376 CR:JAGad47603 )
    Changing a password could cause libpam_unix.1 to dump core.

    ( SR:8606161795 CR:JAGad31111 )
    Aborting login expires all NIS+ passwords for a user (TM)

    ( SR:8606160402 CR:JAGad29724 )
    Incorrect error code for an expired password (Trusted Mode)

    ( SR:8606174688 CR:JAGad43935 )
    Corrupted password file is truncated when modified.

Defect Description:
    PHCO_30402:
    ( SR:8606343071 CR:JAGaf03965 )
    On a system with PHCO_27037 installed, after adding a new NIS+
    user with sam(1m), the first time the user tries to login, they
    could get an infinite series of requests to change an expired
    password.

    Resolution:
    Modified libpam_unix.1 to not loop infinitely.

    PHCO_27037:
    ( SR:8606221280 CR:JAGad90414 )
    Enhancement request: HP-UX 11.11 does not support shadow
    passwords.

    Resolution:
    This module has been made aware of shadow passwords and will
    take the appropriate actions when the HP-UX shadow password
    bundle is installed.

    ( SR:8606199765 CR:JAGad68951 )
    /usr/bin/passwd does not support dce configurations through
    /etc/nsswitch.conf

    Resolution:
    Libpam_unix is enhanced to support dce configurations through
    /etc/nsswitch.conf

    ( SR:8606227681 CR:JAGad96745 )
    passwd command does not support valid configurations through
    /etc/nsswitch.conf

    Resolution:
    Libpam_unix is enhanced to support new configurations through
    /etc/nsswitch.conf

    PHCO_24839:
    ( SR:8606206632 CR:JAGad75805 )
    libpam_unix.1 is unable to handle NON-fully qualified domain
    names.
    Resolution:
    libpam_unix.1 now adds the trailing dot to NON-fully qualified
    domain names.

    ( SR:8606211302 CR:JAGad80490 )
    libpam_unix.1 fails to allow root to log in on the console if
    his/her account is expired.

    Resolution:
    libpam_unix.1 now allows the root user to log in on the console
    even if his/her account is expired.

    ( SR:8606196292 CR:JAGad65495 )
    libpam_unix.1 sometimes keeps /dev/tty open when calling an
    application-provided function. This might prevent the
    application from interacting with the user.

    Resolution:
    libpam_unix.1 no longer opens /dev/tty.

    PHCO_24606:
    ( SR:8606184948 CR:JAGad54150 )
    Changing a password on a trusted system could also modify a
    user's password aging parameters.

    Resolution:
    Changing a password no longer changes password aging parameters.

    ( SR:8606203499 CR:JAGad72672 )
    ( SR:8606201051 CR:JAGad70227 )
    Passwd command could cause libpam_unix to dump core.

    Resolution:
    The cause for the core dump is now resolved.

    ( SR:8606193672 CR:JAGad62884 )
    libpam_unix doesn't print NIS error message as yppasswd used to.

    Resolution:
    libpam_unix now correctly prints NIS error message.

    ( SR:8606202873 CR:JAGad72047 )
    A site's security policies sometimes require new passwords to
    contain specific numbers or types of characters, such as at
    least two digits and at least one special character.

    Resolution:
    In addition to the standard password requirements, optional
    entries in the file /etc/default/security specify the minimum
    number of required characters of each type (upper case
    characters, lower case characters, digits and special
    characters) in a new password.

        PASSWORD_MIN_UPPER_CASE_CHARS=N
        PASSWORD_MIN_LOWER_CASE_CHARS=N
        PASSWORD_MIN_DIGIT_CHARS=N
        PASSWORD_MIN_SPECIAL_CHARS=N

    The default value for N is 0. These parameters have effect only
    when a password is changed. On untrusted systems, these
    parameters do not apply to the root user. The file
    /etc/default/security should be owned by root and have 0644
    permissions.
    As an example, to require passwords at least 8 characters long,
    composed of at least 5 upper case characters, 2 lower case
    characters and a digit, include the following lines in
    /etc/default/security, as specified above:

        PASSWORD_MIN_UPPER_CASE_CHARS=5
        PASSWORD_MIN_LOWER_CASE_CHARS=2
        PASSWORD_MIN_DIGIT_CHARS=1

    PHCO_23224:
    ( SR:8606178376 CR:JAGad47603 )
    Changing a password could cause libpam_unix.1 to dump core. This
    occurs infrequently. It could occur on any of the following
    repositories: NIS, NIS+, or FILES (local system).

    Resolution:
    libpam_unix.1 now properly frees memory.

    ( SR:8606161795 CR:JAGad31111 )
    If a user's login is aborted while logging into a system which
    is in Trusted Mode and is also an NIS+ client, then the user's
    password could become expired for all systems in the NIS+
    namespace.

    Resolution:
    libpam_unix.1 now updates information for unsuccessful logins
    only on the local system.

    ( SR:8606160402 CR:JAGad29724 )
    HP-UX is inconsistent with the PAM standard with respect to the
    return value for an expired password. This inconsistency causes
    a problem for programs written to run on multiple platforms.

    Resolution:
    When an expired password is detected, libpam_unix.1 now returns
    standard PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_EXPIRED.

    ( SR:8606174688 CR:JAGad43935 )
    Commands do not properly update a corrupted passwd file.

    Resolution:
    Improved the error recovery of commands which update the
    /etc/passwd file.

Enhancement: No (superseded patches contained enhancements)
    PHCO_27037:
    This patch is one of many pre-enablement patches for the shadow
    password feature. Additional enhancements were delivered in a
    patch this one has superseded. Please review the Defect
    Description text for more information.
SR:
    8606160402 8606161795 8606174688 8606178376 8606184948
    8606193672 8606196292 8606199765 8606201051 8606202873
    8606203499 8606206632 8606211302 8606221280 8606227681
    8606343071

Patch Files:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    /usr/lib/security/libpam_unix.1

what(1) Output:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    /usr/lib/security/libpam_unix.1:
        $Revision: vw: -f selectors: R11.11_BL2004_0219_5 PHCO_30402 'R11.11_BL2004_0219_5' Thu Feb 19 12:43:55 PST 2004 $

cksum(1) Output:
    OS-Core.CORE-SHLIBS,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    2224315147 196608 /usr/lib/security/libpam_unix.1

Patch Conflicts: None

Patch Dependencies:
    s700: 11.11: PHNE_23502
    s800: 11.11: PHNE_23502

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_27037 PHCO_24839 PHCO_24606 PHCO_23224

Equivalent Patches: None

Patch Package Size: 110 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms and
    conditions for precautions, scope of license, restrictions, and
    limitation of liability and warranties, before installing this
    patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_30402

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHCO_30402.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHCO_30402. If you do not wish to retain a copy
    of the original software, include the patch_save_files option in
    the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed,
    the patch cannot be deinstalled. Please be careful when using
    this feature.
    For future reference, the contents of the PHCO_30402.text file
    are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHCO_30402.depot

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHCO_30402.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
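
The /etc/default/security character-class minimums described under PHCO_24606 (SR:8606202873), as an added example that is not HP's code and not part of the patch: a Python check that parses the four PASSWORD_MIN_* entries, reports which minimums a candidate password misses, and audits the file's owner and mode. The function names, the '#' comment handling and the definition of a "special" character are assumptions.

```python
import os
import stat
import string

ALNUM = string.ascii_letters + string.digits
# Parameter names are the ones listed in the patch text.
CLASSES = {
    "PASSWORD_MIN_UPPER_CASE_CHARS": lambda c: c in string.ascii_uppercase,
    "PASSWORD_MIN_LOWER_CASE_CHARS": lambda c: c in string.ascii_lowercase,
    "PASSWORD_MIN_DIGIT_CHARS": lambda c: c in string.digits,
    # Assumption: "special" is any character that is not an ASCII letter or digit.
    "PASSWORD_MIN_SPECIAL_CHARS": lambda c: c not in ALNUM,
}

def parse_security(text):
    """Return {parameter: minimum}; unset parameters keep the default N = 0."""
    policy = dict.fromkeys(CLASSES, 0)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # assumption: '#' starts a comment
        name, sep, value = (part.strip() for part in line.partition("="))
        if sep and name in policy:
            if not (value.isascii() and value.isdigit()):
                raise ValueError(f"{name}: expected a count, got {value!r}")
            policy[name] = int(value)
    return policy

def unmet(policy, candidate):
    """Return {parameter: (have, need)} for each minimum the candidate misses."""
    counts = {n: sum(map(test, candidate)) for n, test in CLASSES.items()}
    return {n: (counts[n], policy[n]) for n in CLASSES if counts[n] < policy[n]}

def file_findings(path):
    """Report deviations from the stated ownership (root) and mode (0644)."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"owner uid is {st.st_uid}, expected 0 (root)")
    if stat.S_IMODE(st.st_mode) != 0o644:
        findings.append(f"mode is {stat.S_IMODE(st.st_mode):04o}, expected 0644")
    return findings

# Constructed sample: the three lines from the example in the patch text.
SAMPLE = """PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1
"""

if __name__ == "__main__":
    policy = parse_security(SAMPLE)
    for candidate in ("ABCDEfg1", "Password1"):  # constructed test passwords
        print(candidate, unmet(policy, candidate) or "meets class minimums")
```

The check covers only the character-class minimums; the standard password requirements the patch text mentions are enforced separately.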