09-07-2011 02:43 AM
Non-trusted to trusted system
Hi guys,
I need to convert one non-trusted system to a trusted system.
Would like to know whether I can do this online? And also what would be the repercussions apart from password changes? Can I make it when all of my users of the current system are logged in?
- Tags:
- tsconv
09-07-2011 03:42 AM
Re: Non-trusted to trusted system
You should be able to do this online.
I think it also expires all of the passwords.
One gotcha, if the users think the current passwords are > 8 chars and they type that many, it will be rejected since it only stored up to 8.
09-07-2011 03:44 AM
Re: Non-trusted to trusted system
You can use SAM to do this (and, I assume, SMH), thus avoiding the pitfalls of expired passwords, etc.
Pete
09-07-2011 03:53 AM
Re: Non-trusted to trusted system
The trusted system mode is deprecated, and HP is preparing to remove it in the next major version of HP-UX (= whatever comes after 11.31). In 11.31 and 11.23, there is also an option to use shadow passwords, like on many other brands of Unix. You can get shadow passwords on 11.11 too, but it requires installing a free optional package first:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword
You can switch to trusted system mode while users are logged in. However, you should inform your users in advance.
If someone is using a password that is longer than 8 characters in non-trusted mode, only the first 8 characters are actually stored, and the rest are ignored. In non-trusted mode, this applies to password checking too, so the users can type more than 8 characters and have their passwords "just work".
But when you switch to trusted system mode, the password algorithms will use those extra characters too. After the switch, each stored password hash will contain information on the first 8 password characters only. If a user has become accustomed to typing 9 or more characters in the password prompt, the hash of the typed longer password will not match the stored hash of the first 8 characters, and the password check will fail.
So, the advice you need to give your users is: "If your password is not working after conversion to trusted mode, and it contains more than 8 characters, log in by typing just the first 8 characters, then use the "passwd" command to change your password. Once you have changed your password after conversion to trusted mode, the system will remember and check all the password characters, not just the first 8."
Trusted system is also already affected by one y2k38 issue, which you should be aware of:
http://blog.sourcedirect.com/2010/09/y2k38-is-starting-to-creep-in/
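The 8-character mismatch described in the post above, as an added example that is not part of the original thread. It is a model only: SHA-256 stands in for the real DES-based crypt(3) call, the segment chaining is an assumed bigcrypt-style scheme, and the function names, salt and sample password are constructed for illustration.

```python
import hashlib
import hmac

SEG = 8  # classic crypt(3) reads at most 8 password characters

def _seg_hash(salt: str, segment: str) -> str:
    # Stand-in for one DES crypt(3) call (assumption: SHA-256, not the real algorithm).
    return hashlib.sha256(f"{salt}:{segment}".encode()).hexdigest()[:11]

def legacy_hash(password: str, salt: str) -> str:
    """Non-trusted mode model: characters after the 8th are ignored."""
    return salt + _seg_hash(salt, password[:SEG])

def segmented_hash(password: str, salt: str) -> str:
    """Trusted mode model: every 8-character segment contributes to the hash."""
    out, seg_salt = salt, salt
    for i in range(0, max(len(password), 1), SEG):
        block = _seg_hash(seg_salt, password[i:i + SEG])
        out += block
        seg_salt = block[:2]  # next segment is salted from the previous block
    return out

def check_legacy(typed: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(typed, stored[:2]), stored)

def check_trusted(typed: str, stored: str) -> bool:
    return hmac.compare_digest(segmented_hash(typed, stored[:2]), stored)

def scenario() -> dict:
    salt, password = "ab", "correcthorse"   # constructed sample values
    stored = legacy_hash(password, salt)     # hash set while non-trusted
    results = {
        "before_full": check_legacy(password, stored),
        "after_full": check_trusted(password, stored),
        "after_first8": check_trusted(password[:SEG], stored),
    }
    rehashed = segmented_hash(password, salt)  # user ran passwd after conversion
    results["rehash_full"] = check_trusted(password, rehashed)
    results["rehash_first8"] = check_trusted(password[:SEG], rehashed)
    return results

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:14} {'accepted' if ok else 'rejected'}")
```

For passwords of 8 characters or fewer the two models produce the same hash, which is why only users who habitually type longer passwords notice the conversion.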
09-07-2011 11:27 PM
Re: Non-trusted to trusted system
You can use tsconv or SAM/SMH to convert the system to trusted mode online.
Since trusted mode is deprecated on HP-UX 11i v3, you could consider using Standard Mode Security Extensions (add-on for HP-UX 11i v2 and default on HP-UX 11i v3).
From the above link... Most of the features of trusted mode are also available through the following security extensions:
- HP-UX 11i Security Containment
HP-UX 11i Security Containment includes all the functionality of HP-UX Standard Mode Security Extensions as well as several new security features for HP-UX 11i version 2 systems.
For more information, and to download HP-UX 11i Security Containment, go to Software Depot and search for HP-UX 11i Security Containment.
- HP-UX Role-Based Access Control
You can use HP-UX Role-Based Access Control (HP-UX RBAC) to configure the auditing feature of HP-UX Standard Mode Security Extensions.
For more information, and to download HP-UX 11i Security Containment, go to Software Depot and search for HP-UX RBAC.
- HP-UX Security Attributes Configuration
You can use the HP-UX Security Attributes Configuration tool to configure the HP-UX Standard Mode Security Extensions.
For more information, and to download HP-UX Security Attributes Configuration, go to Software Depot and search for HP-UX Security Attributes Configuration.
Some of the features of HP-UX security containment/SMSE are
- Enhanced password security
- Enhanced user account security
- Auditing functionality available on standard mode systems; no need to convert to trusted mode
- Auditing user and system activities
- Account locking after too many authentication failures occur
- Displaying the last successful and unsuccessful login
- Preventing the re-use of passwords in the password history
- Preventing logins with null passwords
- Restricting logins to specific time periods
- Expiring inactive accounts
Regards
-Rajesh
- Tags:
- SMSE