
Re: Non-trusted to trusted system

 
zxcv
Super Advisor

Non-trusted to trusted system

Hi guys,

I need to convert one non-trusted system to trusted system.

Would like to know whether I can do this online? And also what would be the repercussions apart from password changes... Can I make it when all of my users of current system are logged in?

Dennis Handly
Acclaimed Contributor

Re: Non-trusted to trusted system

You should be able to do this online.

I think it also expires all of the passwords.

One gotcha, if the users think the current passwords are > 8 chars and they type that many, it will be rejected since it only stored up to 8.

Pete Randall
Outstanding Contributor

Re: Non-trusted to trusted system

You can use SAM to do this (and, I assume, SMH), thus avoiding the pitfalls of expired passwords, etc.


Pete
Matti_Kurkela
Honored Contributor

Re: Non-trusted to trusted system

The trusted system mode is deprecated, and HP is preparing to remove it in the next major version of HP-UX (= whatever comes after 11.31). In 11.31 and 11.23, there is also an option to use shadow passwords, like on many other brands of Unix. You can get shadow passwords on 11.11 too, but it requires installing a free optional package first:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

 

You can switch to trusted system mode while users are logged in. However, you should inform your users in advance.

If someone is using a password that is longer than 8 characters in non-trusted mode, only the first 8 characters are actually stored, and the rest is ignored. In non-trusted mode, this applies to password checking too, so the users can type more than 8 characters and have their passwords "just work".

 

But when you switch to trusted system mode, the password algorithms will use those extra characters too. After the switch, each stored password hash will contain information on the first 8 password characters only. If a user has become accustomed to typing 9 or more characters in the password prompt, the hash of the typed longer password will not match the stored hash of the first 8 characters, and the password check will fail.

 

So, the advice you need to give your users is: "If your password is not working after conversion to trusted mode, and it contains more than 8 characters, log in by typing just the first 8 characters, then use the "passwd" command to change your password. Once you have changed your password after conversion to trusted mode, the system will remember and check all the password characters, not just the first 8."

 

Trusted system is also already affected by one y2k38 issue, which you should be aware of:

http://blog.sourcedirect.com/2010/09/y2k38-is-starting-to-creep-in/

MK
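
The truncation behaviour described in the post above, as an added example that is not part of the original thread and is not HP-UX code. It is a simplified model: SHA-256 stands in for the real password hash, and the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac

LEGACY_MAX = 8  # non-trusted mode only stores and checks the first 8 characters

def _digest(salt: str, secret: str) -> str:
    # Stand-in for the real password hash (assumption: SHA-256, not crypt).
    return hashlib.sha256((salt + secret).encode()).hexdigest()

def set_password(password: str, trusted: bool, salt: str = "ab") -> str:
    """Return the stored entry 'salt$hash' as each mode would create it."""
    material = password if trusted else password[:LEGACY_MAX]
    return f"{salt}${_digest(salt, material)}"

def check_password(stored: str, typed: str, trusted: bool) -> bool:
    """Verify a typed password against a stored entry under the given mode."""
    salt, expected = stored.split("$", 1)
    material = typed if trusted else typed[:LEGACY_MAX]
    return hmac.compare_digest(_digest(salt, material), expected)

def conversion_walkthrough(password: str) -> dict:
    """Replay the scenario from the post for one constructed password."""
    stored = set_password(password, trusted=False)  # set before conversion
    first8 = password[:LEGACY_MAX]
    result = {
        # Non-trusted mode: anything sharing the first 8 characters is accepted.
        "before_full": check_password(stored, password, trusted=False),
        "before_same_prefix": check_password(stored, first8 + "XYZ", trusted=False),
        # Trusted mode, old hash still in place: only the first 8 characters match.
        "after_full": check_password(stored, password, trusted=True),
        "after_first8": check_password(stored, first8, trusted=True),
    }
    # The user logs in with the first 8 characters, then runs passwd.
    stored = set_password(password, trusted=True)
    result["changed_full"] = check_password(stored, password, trusted=True)
    result["changed_first8"] = check_password(stored, first8, trusted=True)
    return result

if __name__ == "__main__":
    for step, ok in conversion_walkthrough("Sample-Pass-2010").items():
        print(f"{step:20s} {'accepted' if ok else 'rejected'}")
```

The `before_same_prefix` row shows why the old behaviour is weaker than users assume: in the model, every password that shares the first 8 characters is interchangeable until the password is changed after conversion.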
Rajesh K Chaurasia
Valued Contributor

Re: Non-trusted to trusted system

You can use tsconv or SAM/SMH to convert the system to trusted mode online.

 

Since trusted mode is deprecated on HP-UX 11i v3, you could consider using Standard Mode Security Extensions (add-on for HP-UX 11i v2 and default on HP-UX 11i v3).

 

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt&jumpid=em_CToct05_HPUX11i04 

 

From the above link... Most of the features of trusted mode are also available through the following security extensions:

 

  • HP-UX 11i Security Containment
    HP-UX 11i Security Containment includes all the functionality of HP-UX Standard Mode Security Extensions as well as several new security features for HP-UX 11i version 2 systems.
    For more information, and to download HP-UX 11i Security Containment, go to Software Depot and search for HP-UX 11i Security Containment.
  • HP-UX Role-Based Access Control
    You can use HP-UX Role-Based Access Control (HP-UX RBAC) to configure the auditing feature of HP-UX Standard Mode Security Extensions.
    For more information, and to download HP-UX 11i Security Containment, go to Software Depot and search for HP-UX RBAC.
  • HP-UX Security Attributes Configuration
    You can use the HP-UX Security Attributes Configuration tool to configure the HP-UX Standard Mode Security Extensions.
    For more information, and to download HP-UX Security Attributes Configuration go to Software Depot and search for HP-UX Security Attributes Configuration.

Some of the features of HP-UX security containment/SMSE are:

 

  • Enhanced password security
  • Enhanced user account security
  • Auditing functionality available on standard mode systems; no need to convert to trusted mode
  • Auditing user and system activities
  • Account locking after too many authentication failures occur
  • Displaying the last successful and unsuccessful login
  • Preventing the re-use of passwords in the password history
  • Preventing logins with null passwords
  • Restricting logins to specific time periods
  • Expiring inactive accounts

Regards

-Rajesh