Security

Traditionally, HP-UX stores user account information in the local /etc/passwd file. Unless the system is in trusted mode, any user logging into the system can read all other users' encrypted passwords in /etc/passwd, and that is still true even if the system deploys Network Information Service (NIS). The exposure of password hashes is a security risk. Windows 2000 uses AD to store account information, but Kerberos client keys and passwords are well protected: you cannot display them using directory search tools, and even an administrator cannot obtain a user's password or client key from AD. So, integrating HP-UX accounts with Windows 2000 provides better password protection for HP-UX. Also, using Windows 2000 Kerberos Services to authenticate HP-UX users is more secure than traditional UNIX authentication.

However, be aware of some general security issues when using directory services as a data repository. On UNIX platforms, a super user, who has all the power to manipulate the system, is identified by uid = 0, which corresponds to the attribute uidNumber in AD. The uidNumber and other security-sensitive attributes (e.g., login shell, home directory) need to be protected from change by an arbitrary user. By default, a regular Windows 2000 domain user is not given the capability to modify AD objects. When granting access rights, an AD administrator must be very careful about the protection of security-sensitive attributes. HP has published a white paper on security issues associated with directory services. The white paper is "Preparing Your LDAP Directory for HP-UX Integration White Paper", which can be downloaded from the HP documentation web site, http://docs.hp.com/hpux/internet. Although the white paper is not specifically dedicated to Windows 2000 Active Directory, the general principles still apply.
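The two exposure points described in the paragraphs above (password hashes readable in a non-trusted-mode /etc/passwd, and directory entries whose uidNumber or other sensitive POSIX attributes have been tampered with) can both be checked with a short audit. The following Python is an added example, not code from the HP document; the /etc/passwd lines and the posixAccount-style entries are constructed samples with hypothetical user names and hash values, and the attribute names simply mirror those used in the text.

```python
"""Audit helpers for the two risks discussed above (added example, not from
the HP guide).  All sample data below is constructed for illustration."""
from collections import defaultdict

# Constructed sample of a non-trusted-mode /etc/passwd.  Two accounts still
# carry a traditional crypt hash in field 2 (readable by every user); root
# is shadowed ("x") and daemon is locked ("*").  Hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:Ab3dEf9GhIjKl:101:20:Alice:/home/alice:/usr/bin/sh
bob:Qr7sTu1VwXyZa:102:20:Bob:/home/bob:/usr/bin/ksh
"""

# Constructed sample of posixAccount-style entries as they might be read back
# from AD (hypothetical users and values).  Keys mirror the attribute names
# mentioned in the text: uidNumber, loginShell, homeDirectory.
SAMPLE_POSIX_ENTRIES = [
    {"uid": "root",    "uidNumber": "0",   "loginShell": "/sbin/sh",    "homeDirectory": "/"},
    {"uid": "alice",   "uidNumber": "101", "loginShell": "/usr/bin/sh", "homeDirectory": "/home/alice"},
    {"uid": "mallory", "uidNumber": "0",   "loginShell": "/usr/bin/ksh", "homeDirectory": "/home/mallory"},
    {"uid": "carol",   "uidNumber": "101", "loginShell": "/usr/bin/sh", "homeDirectory": "/home/carol"},
]

# Password-field values that mean "no hash stored here": shadowed or locked.
SHADOW_OR_LOCK_MARKERS = {"x", "*", "!", "!!", ""}


def exposed_hash_accounts(passwd_text):
    """Return the user names whose /etc/passwd password field still holds a
    real hash.  On a system that is not in trusted mode that field is
    readable by every local user, which is the exposure the text warns about."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line; skip rather than guess
            continue
        name, pw = fields[0], fields[1]
        if pw not in SHADOW_OR_LOCK_MARKERS and not pw.startswith(("*", "!")):
            exposed.append(name)
    return exposed


def uid_zero_accounts(entries):
    """Names of directory entries that map to uid 0, i.e. HP-UX super user."""
    return [e["uid"] for e in entries if e.get("uidNumber") == "0"]


def unexpected_superusers(entries, allowed=("root",)):
    """uid-0 entries outside the allowed list: the check an AD administrator
    should run after granting anyone write access on posixAccount attributes."""
    return [name for name in uid_zero_accounts(entries) if name not in allowed]


def duplicate_uid_numbers(entries):
    """Map each uidNumber shared by more than one entry to the entry names.
    A duplicated uidNumber lets one account act with another's identity."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e.get("uidNumber")].append(e["uid"])
    return {u: names for u, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    print("hashes exposed in /etc/passwd:", exposed_hash_accounts(SAMPLE_PASSWD))
    print("unexpected uid-0 entries:", unexpected_superusers(SAMPLE_POSIX_ENTRIES))
    print("duplicate uidNumbers:", duplicate_uid_numbers(SAMPLE_POSIX_ENTRIES))
```

On a real system the first function would be fed the contents of /etc/passwd and the other three a dump of the POSIX attributes of the domain's user objects; any name they return is an account whose password hash is readable, or whose uidNumber should not have been writable by the principal that changed it.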
