Patch Name: PHCO_20321

Patch Description: s700_800 10.26 Support for SmartCard hook in passwd

Creation Date: 99/10/27

Post Date: 99/11/08

Hardware Platforms - OS Releases:
    s700: 10.26
    s800: 10.26

Products: N/A

Filesets:
    BLS.BLS-CORE
    OS-Core.UX-CORE

Automatic Reboot?: Yes

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_20321

Symptoms:
    PHCO_20321:
    User must manually run the SmartCard setup script after
    installing PHCO_19043.

    PHCO_19043:
    Add a new SmartCard hook to passwd, which is described as:

    Function Prototype:
        extern ulong smartcard_PWcrstring(
            char *username,
            char *oldpasswd,
            char *newpasswd,
            char **CRstring )

    Arguments:
        username   input:  username of the account
        oldpasswd  input:  existing (current) password of account
                           (NULL for new accounts)
        newpasswd  input:  new password of account
        CRstring   output: smart card generated CR-string without
                           writing on the card

    Return value:
        0  Smart card authentication succeeded
        1  Smart card is not present in the reader
        2  Failure, user name does not match what's on the card

    PHCO_18360:
    The passwd and yppasswd user commands and the trusted path
    password option did not enforce the constraints uniformly.

    PHCO_17602:
    1. When a user with non-default clearance changes his own
       password with passwd(1), the clearance information is lost.
    2. When passwd(1) is invoked by a user with "password"
       authorization, it incorrectly checks the minimum time
       between password changes.

Defect Description:
    PHCO_20321:
    No changes made to the binaries. The changes are made only in
    the patch installation scripts to allow the setup script to
    run at the end of the patch installation.

    PHCO_19043:
    Added support for SmartCard to passwd.
    The password changing commands need to know the CRstring for a
    new password to perform the password history checks.
    Currently, these commands are invoking smartcard_PWchange()
    twice in succession to achieve this functionality.
    The first invocation sets the new password and the second
    invocation restores the old password. This is just a
    workaround, and it is causing problems in developing the
    SmartCard hook library.

    Resolution:
    Added a new hook in the libSmartCard library to get the
    CRstring for a new password without writing into the
    SmartCard. All the commands which change the user passwords
    have been modified to invoke the hook.

    PHCO_18360:
    The different means of changing passwords were not consistent.

    Resolution:
    The correct behavior was determined in accordance with the man
    pages and then the password verifiers were modified to match
    this specification.

    PHCO_17602:
    1. passwd(1) does not have cvtlabel in its potential privilege
       set, which prevents it from dealing with clearance properly.
    2. An incorrect check was being executed.

    Resolution:
    1. Add cvtlabel to the fcdb.
    2. Skip the time check if the invoker has "password".

SR: 1653309872

Patch Files:
    /sbin/passwd
    /usr/bin/passwd
    /opt/tosSmartCard/passwd_sec.o

what(1) Output:
    /sbin/passwd:
        99/07/15 lib/libc/core/gen/ctime.c, hpux, hpux_10.26, ic5cv Revision 1.2 PATCH_10.26 (PHCO_17823) UNMODIFIED
        1999/07/15 Hewlett-Packard HP-UX 10.26 TOS [ ic5cv - DAV17 ]
        99/07/15 cmd/passwd_sec.c, hpux, hpux_10.26, ic5cv Revision 1.14 PATCH_10.26 (PHCO_19043)
        99/05/21 lib/libsecurity/getprpwent.c, hpux, hpux_10.26, ic5cv Revision 1.25 PATCH_10.26 (PHCO_18502)
        99/07/15 lib/libsecurity/mandlib.c, hpux, hpux_10.26, ic5cv Revision 1.5 PATCH_10.26 (PHCO_17760) $
        99/06/25 lib/libsecurity/smartcard.c, hpux, hpux_10.26, ic5cv Revision 1.4 PATCH_10.26 (PHCO_19042)
        99/05/21 lib/libsecurity/authcap.c, hpux, hpux_10.26, ic5cv Revision 1.5 PATCH_10.26 (PHCO_18502)
        99/05/21 lib/libsecurity/map_ids.c, hpux, hpux_10.26, ic5cv Revision 1.12 PATCH_10.26 (PHCO_18502)
        99/06/25 lib/libSmartCard/SmartCard.c, hpux, hpux_10.26, ic5cv Revision 1.3 PATCH_10.26 (PHCO_19042)
        ic5ae_DAV17 lib/libc/archive_pa1/libc.a_01 Jul 15 1999 22:49:29
    /usr/bin/passwd:
        1999/07/15 Hewlett-Packard HP-UX 10.26 TOS [ ic5cv - DAV17 ]
        99/07/15 cmd/passwd_sec.c, hpux, hpux_10.26, ic5cv Revision 1.14 PATCH_10.26 (PHCO_19043)
    /opt/tosSmartCard/passwd_sec.o:
        99/07/15 cmd/passwd_sec.c, hpux, hpux_10.26, ic5cv Revision 1.14 PATCH_10.26 (PHCO_19043)

cksum(1) Output:
    3714064123 466944 /sbin/passwd
    1879293310 28672 /usr/bin/passwd
    323644255 18848 /opt/tosSmartCard/passwd_sec.o

Patch Conflicts: None

Patch Dependencies:
    s700: 10.26: PHCO_19042
    s800: 10.26: PHCO_19042

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_17602 PHCO_18360 PHCO_19043

Equivalent Patches: None

Patch Package Size: 560 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_20321

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_20321.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHCO_20321. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHCO_20321.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_20321.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    NOTE: This patch uses the string "hpux_10.26" to identify
          the non-customized version of libSmartCard.a. If you
          have modified this library, please ensure that the what
          string of your customized version of libSmartCard.a
          does not contain the string "hpux_10.26".
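
The cksum(1) Output section above can be used to confirm, after swinstall and the reboot, that the three patched files are the ones this patch ships. The following is an added example, not part of the HP patch text; the function names and the optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare installed files with a cksum(1) manifest.
# Manifest line format, as in the patch text: "<crc> <size> <path>".

# cksum(1) values as published in the PHCO_20321 patch text.
phco_20321_manifest() {
    cat <<'EOF'
3714064123 466944 /sbin/passwd
1879293310 28672 /usr/bin/passwd
323644255 18848 /opt/tosSmartCard/passwd_sec.o
EOF
}

# verify_manifest MANIFEST [ROOT]
# ROOT (assumption: lets you check a staging copy) is prefixed to
# every path. Returns 0 if all files match, 1 otherwise.
verify_manifest() {
    manifest=$1
    root=${2:-}
    rc=0
    while read -r want_crc want_size path; do
        # Skip blank lines and comment lines.
        case $want_crc in ''|'#'*) continue ;; esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # Reading from stdin makes cksum print only "<crc> <size>".
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $1 $2, want $want_crc $want_size)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Typical use on the patched system:
#   phco_20321_manifest > /tmp/PHCO_20321.cksum
#   verify_manifest /tmp/PHCO_20321.cksum
```

cksum(1) is a CRC, so a match confirms that the expected patch revision is in place but does not protect against deliberate tampering.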