topic Re: changing to trusted mode in Operating System - HP-UX

changing to trusted mode

J_115 — Thu, 18 Dec 2003 05:50:29 GMT

I have several 10.10 and 10.20 servers in non trusted mode. I intend to use SAM to covvert to trusted mode. I believe that once trusted all the users are going to be prompted to forced to change there password. This will cause me the biggest headache imaginable.

how can i avoid this happening ?

I will also be patching first and have seen on different threads different suggested patches so which are the right ones ?

:-) John.

Re: changing to trusted mode

Hoefnix — Thu, 18 Dec 2003 06:12:19 GMT

John,

From what I know, converting to a trusted system will enable password aging to a default setting (I think 90 day's). What you can do is 1 or 2 weeks before converting, send all users a message to change their password (max length 8 chars) and then convert the system. This will not avoid a password change for the users, but they will not be prompted to change their passwords all at once(after the tsconvert), because the password's will not be 90 day's old.

regards,

Peter

Re: changing to trusted mode

Bill Hassell — Thu, 18 Dec 2003 08:38:17 GMT

The Trusted conversion process will invalidate all user passwords. However, you can run modprpw (an undocumented command in the obsolete 10.xx systems) to fix all the entries to start password aging at today's date and enable the current passwords. The man page for modprpw is located at http://docs.hp.com and it is used:

/usr/lbin/modprpw -V

Be sure to get copies of man [ages for modprpw and getprpw. Your man page for authcap is also useful.

Re: changing to trusted mode

John Carr_2 — Thu, 18 Dec 2003 08:51:47 GMT

John,

I have installed a fresh copy of 10.20 on a workstation created 2 new users. I have changed system to trusted mode using SAM. I have not applied any patches yet

now the system is trusted I have telnet session to system and login as both the new users and have not been asked by the system to change the password.

Could the changing of the password be related to having password aging in place before a conversion to trusted mode.

Bill will probably be able to clarify this

John Carr :-)

Re: changing to trusted mode

RAC_1 — Thu, 18 Dec 2003 08:55:00 GMT

/usr/lbin/modprpw -V

to avoid password expiry.

Re: changing to trusted mode

Darren Prior — Thu, 18 Dec 2003 10:08:17 GMT

Hi John,

See my post in this thread for 10.20 patches: http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=287767

Patches can be superceded, so it's possible that you've seen some older threads that mention older versions of these patches. 10.20 is now an obsolete OS, so patching for it isn't going to change (with the possible exception of security issues.)

regards,

Darren.

Re: changing to trusted mode

Bill Hassell — Thu, 18 Dec 2003 10:09:55 GMT

I tried converting a 10.20 system using SAM to Trusted with 2 users, one with a password expiration setup and one without. After conversion, both accounts were still active. However, SAM uses modprdef after conversion which is not true if you use the tsconvert command. And for the user with pw expiration set, converting either direction maintained the current setting. /usr/bin/modprpw -V fixes all passwords in the Trusted system (leave a root window open).

You can freely convert and un-convert using /usr/lbin/tsconvert (-r to revert back, -c to convert to Trusted). The only issue is with password length. If users on an untrusted system are ttyping in more than 8 characters for a password, on the untrusted system, characters 9+ were simply ignored. But on a Trusted system, every character in the password answer will be used to match the current password. Similarly, if a user chooses a 9+ character password while the system is Trusted and then the system is converted back to un-trusted, the user can still type the extra characters as they will be ignored again.

Re: changing to trusted mode

John Carr_2 — Thu, 18 Dec 2003 12:05:15 GMT

I have just tested again and if i entrust using tsconvert the user is prompted to change password. If I entrust using SAM the user is NOT requested to change password.

have trusted with tsconvert and run command modprpw -V and the user was not prompted to change password.

Bill was spot on
John