topic Re: converting to trusted mode in Operating System - HP-UX

converting to trusted mode

John Carr_2 — Fri, 12 Dec 2003 05:09:53 GMT

I am going to tsconvert several old servers running hp-ux 10.10 and 10.20. I remember being told along time ago that this conversion program truncates long passwords on early releases. Can anyone bring any light to this as i seem unable to find anything on the subject in the forum.

thanks
John.

Re: converting to trusted mode

Vijaya Kumar_3 — Fri, 12 Dec 2003 05:38:40 GMT

Hi John,

I am not sure about your question. I think the password will just expire irrespective of length.

I will recommend following things:

1. Please search HP site for required patched for your systems. I am not sure about specific patches.

2. You are going to end up with trouble as every system may respond differently after converting into Trusted system.

3. Test some development systems

Thanks
Vijay

Re: converting to trusted mode

Sunil Sharma_1 — Fri, 12 Dec 2003 05:40:22 GMT

Hi ,

Your first 8 charecter of password will be valid.

Sunil

Re: converting to trusted mode

Darren Prior — Fri, 12 Dec 2003 05:54:52 GMT

Hi John,

A couple of important points related to this:

1) 10.10 and 10.20 are old OS's. Please ensure they are fully patched before attempting to trust them, as this _will_ cause problems otherwise.

2) SAM is the supported way to trust a system.

I believe that the long password issue is related to the use of crypt vs bigcrypt. Using the first 8 characters of the password is a workaround until the password is changed after the system has been trusted.

regards,

Darren.

Re: converting to trusted mode

Rajeev Shukla — Fri, 12 Dec 2003 05:56:17 GMT

Yes you are right, all the passwords will be expired, i.e everyone has to change their password first time they login. And only first 8 characters of the password field will be taken care of. Passwords more than 8 characters will be truncated to first 8 characters.

Re: converting to trusted mode

John Carr_2 — Fri, 12 Dec 2003 06:00:31 GMT

thanks everyone

you have confirmed what i thought that tsconvert truncates the password. I will ensure the systems are patched to date i have already downloaded all the patches i need for many tasks.

has this problem been fixed in recent releases of hp-ux does anyone know and if so what release was it first fixed in.

thanks
John.

Re: converting to trusted mode

T G Manikandan — Fri, 12 Dec 2003 06:05:37 GMT

For 10.x version you need to check these patches

10.20 PHCO_10615
10.10 PHCO_10620

It would be better to keep the password length to 8 characters.!

Re: converting to trusted mode

John Carr_2 — Fri, 12 Dec 2003 06:11:31 GMT

I shall change the root password on each server before i go ahead with the task using SAM.

Is there any way to tell from the existing passwd file encrypted password field the length of the decrypted password ?

thanks
John.

Re: converting to trusted mode

doug hosking — Sat, 13 Dec 2003 01:34:44 GMT

No, you can't tell from the existing /etc/passwd file the length of a password (except if there isn't one). Keep in mind that the truncation happened when you INITIALLY set the password, not by the conversion to trusted mode. It just APPEARS that longer passwords are significant.

Try this from a standard mode configuration:
Change a password to 'abc123456789' then try to su to that user using the password 'abc12345' and watch it work. This
shows that independent of trusted mode, the truncation occurred. This 'feature' brought to you by UNIX compatibility requirements.
:-(

Re: converting to trusted mode

doug hosking — Sat, 13 Dec 2003 01:37:03 GMT

By the way, if you do this on 10.10/10.20, be sure you are current on libsec patches. The original versions of libsec had some ugly performance problems on some configurations.