Summary

It is possible to set a domain-wide security setting to disable updating of /etc/passwd to include password hash. This only affects systems where the password hash is stored directly in /etc/passwd. If it is stored in a shadow file or TCB database, it is always updated.

Issue

The option to set this is bksdef -p.

As described in the man page bksdef(1B):

-p De-activate updating of passwords in /etc/passwd. This
will make BoKS to write '*no login*' in the password
field in /etc/passwd upon the next updating of pass-
words for a user by passwd(1B).

While this information is correct, it is however possible to infer that this setting disables updating of all password hashes. Since this setting only affects systems with passwords directly in /etc/passwd, in practice it affects very few systems. Those affected are mostly systems running older versions of HP-UX. As such, this functionality is not applicable in most environments.

Please note, this setting is different than turning off password file updates on a host basis using either hostadm or FCC. That functionality disables all updates to /etc/passwd, /etc/group and related files/maps.

Resolution / Workaround

As this setting only applies to a limited subset of platforms, Fox Technologies recommends that you avoid using this setting.


Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: May 03, 2019