PIM(EP) r12.8 SP1 + HP-UX 11.31: passwords set in selang or sepass are limited to 8 characters

Document ID : KB000098960
Last Modified Date : 31/05/2018
Show Technical Document Details
Issue:
We tested LONG PASSWORDS on HP-UX after installing HP-UX PHI11i3 and HP-UX LongPass11i3 depots on HP-UX 11.31 IA64, and a token modification of (LONG_PASSWORD=1) in /etc/default/security We have one more challenge now. The new HP-UX selang & sepass does not recognize more than 8 character passwords. Though we can reset longer passwords through selang & sepass with more than 8 character, it will only recognize the first 8 characters, when its used. But the native HP-UX password command actually works as expected, and it accepts & recognizes more than 8 characters. Could you please check if this is fixable as well And we observed that we can not use history option in setoptions (we had enabled 8 old password history checks). Probably its not able to verify the old history passwords which are in DES hashing…? Could you please consider if there is a interoperability possible with longer passwords for HP-UX sepass & selang binaries. On Linux it works perfectly.
Resolution:
T5C1137 contains relevant ia64 HP-UX binaries taken from AccessControl build 12.81.0.3138, so it should be applied to all systems running PIM versions listed below (even to the highest of those, i.e., 12.81.0.3134). It is useful to know, that a uxpatcher-based testfix is safe to apply to any build within the same code line/code base (here it is 12.81 or 12.8 SP1), since it will apply/replace binaries based on their identity signatures. 12.8 or 12.9 however are different code lines/bases and, if necessary, each would require a dedicated testfix (it would contain different binaries and have a different name). There are subtleties of behavior in case you will be setting passwords cross-platform and use dissimilar operation systems. In that case, you’d better use passwd.passwd_distribution_encryption_mode set to 3. so that the password will be generated on the target system (i.e., where it will be actually used), rather than on the machine on which you run selang in remote mode.