topic Re: Trusted Systems in Operating System - HP-UX

Trusted Systems

Chris Devlin_1 — Thu, 10 Apr 2003 12:48:41 GMT

Hi

I am trying to find out if it is possible to have an individual user on a trusted system non-trusted. I need this to have a user and password the same for an in-house application.

Many thanks
Chris

Re: Trusted Systems

Darren Prior — Thu, 10 Apr 2003 12:57:13 GMT

Hi Chris,

Nope, you cannot have an individual "untrusted" as it's the system that's trusted, rather than on a user by user basis.

Can you explain what you require for this user in a little more detail, as there are some areas of configuration for individuals.

regards,

Darren.

Re: Trusted Systems

Ravi_8 — Thu, 10 Apr 2003 12:58:59 GMT

Hi Chris,

you can't have as the password conditions apply to all users(including root) in a trusted machine

Re: Trusted Systems

Robert-Jan Goossens — Thu, 10 Apr 2003 12:59:57 GMT

Darren forgive me, but take a look at this doc.

Trusted System: determine which accounts have password aging disabled

http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000065676965

So it is possible ?

Robert-Jan.

Re: Trusted Systems

Steven E. Protter — Thu, 10 Apr 2003 13:00:01 GMT

trusted is a system state, not a user state.

The best you can do is set the password length minimum on the trusted system to 8 and make the passwords the same.

Secure shell and public key exchange might help. Attaching a cookbook and a link to the free software.

Secure Shell: a replacement for rcp ftp and telnet that encrypts passwords

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

SEP

Re: Trusted Systems

Darren Prior — Thu, 10 Apr 2003 13:11:56 GMT

Robert-Jan, you're totally forgiven ;) It's fine to have password ageing disabled for a user.

I'm not 100% sure what the original poster is after; if his application doesn't use the correct system calls to access the password info for a user then he'll have to have the system untrusted, on the other hand maybe he wants to have an identical password for a user on 2 systems and is trying to see if this is possible with trusted systems.

Hopefully we'll find out more when he discovers all the replies :)

regards,

Darren

Re: Trusted Systems

Chris Devlin_1 — Thu, 10 Apr 2003 13:15:41 GMT

Hi Darren

Basically we have 500+ machines (combination of UNIX and NT) around Europe which currently ftp information to this server. The ftp login they use currently has a user/password combination which is the same. This is no problem at present as our server is untrusted. I have been told that this server must be trusted, and it is not an option to change the password as it would mean an update of the 500+ machines.

Any ideas?

Thanks
Chris

Re: Trusted Systems

Darren Prior — Thu, 10 Apr 2003 13:31:42 GMT

Hi Chris,

In that case Robert-Jan's post contains a link to the answer you require. :)

It's not a problem to turn off password ageing for your single user. The system is still trusted (with all the benefits and features.)

I hope you have security measures in place to limit the access of this user, as it's not the best solution to have 500 odd machines with a hardcoded password into your server!

regards,

Darren.

Re: Trusted Systems

Chris Devlin_1 — Thu, 10 Apr 2003 13:48:24 GMT

Hi Darren

Just to confirm, what I need here is an example:

username is: jbloggs
password is: jbloggs

on a trusted server when you try to have the same password as the username you get the error: "Password cannot be circular shift of logonid." On a untrusted system this is not a problem.

I am looking for a way around this on a trusted server.

Thanks
Chris

Re: Trusted Systems

Darren Prior — Thu, 10 Apr 2003 14:00:52 GMT

Hmmm, I didn't think you could do that on an untrusted system!

It appears that even root cannot set a password to the same string as the username on a trusted system. There isn't a way of weakening the security of the passwd command, only for strengthening it!

If you really, really wanted to force this password to the username you could potentially use crypt to encrypt it and then put it in the relevent user's file. I'd say that would be a terribly bad idea though...

In terms of security, it's really not a good idea to have the password matching the username. I reckon it might be time to change the password to something else and make the change on all those machines. The bonus is that as it is stored in a script you can make the password very obscure - just a random collection of characters as no-one needs to remember it!

regards,

Darren

Re: Trusted Systems

Steve Mills_1 — Thu, 10 Apr 2003 14:02:59 GMT

Chris,

I can hear your spurs chink from here, so as you're clearly a cowboy, here's a cowboy solution.

On another system, or even the same one, change some irrelevant user's passwd to the one you require. Then cut and paste the encrypted passwd from this user into the tcb u_passwd field for the pertinent user.

Cheers
Millsy
(chink)

Re: Trusted Systems

Duncan Edmonstone — Thu, 10 Apr 2003 14:46:09 GMT

Chris,

Why does your system have to be trusted?

Is it running 11i?

The reason I ask is that the 'word on the street' is that HPUX11i will soon support a shadow password facility similar to solaris. This might satisfy the auditing/security requirements for your system without the way the passwd command functions changing significantly (although it might have the same issue as trusted)

HTH

Duncan