topic Re: trusted systems in Operating System - HP-UX

trusted systems

andrew medhurst — Sun, 17 Oct 2004 05:09:05 GMT

guys i have an urgent request, i have a passwd file that seems to have password still in some users but most are in relevant tcb files this is production so i would rather not untrust and retrust whole system as it will expire all passwords.
I believe that there is a way of converting the users in question with one be one( there are only about 10 users that need this) and then unexpiring the users passwords perhaps using modprpw command.
i have never before tried this and wondered if some one can give me some advice on correct command and usage.
regards
andrew

Re: trusted systems

Patrick Wallek — Sun, 17 Oct 2004 05:45:34 GMT

There is no way to convert a single user to trusted mode. It is an all-or-none deal!

Do the users that have entries in the passwd file also have a /tcb/files/auth/?/username entry? If so, just delete the encrypted passwd out of /etc/passwd. If not, I would consider removing and re-adding those particular users.

Re: trusted systems

Sridhar Bhaskarla — Sun, 17 Oct 2004 05:57:59 GMT

Hi Andrew,

If you see encrypted strings in the password field of /etc/passwd for some users, there is no need to worry. It is not going to affect the users. Only the encrypted strings in their corresponding tcb files will be used.

If you still want to synchronize the passwords of /etc/passwd to tcb files of those users, then there is a way. Grag the encrypted string from /etc/passwd and use the command

/usr/sbin/lbin/usermod.sam -p ""

The above won't work if the user is active.

-Sri

Re: trusted systems

Steven E. Protter — Sun, 17 Oct 2004 08:55:50 GMT

There is no loss of function if you take the whole system trusted. Security benefits and there is little downside.

It is also possible to go with shadow passwords which stores passwords in the /etc/shadow file.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

This really provides the shadow functionality but still leaves a single file for hackers to get and crack. It does give you the functionality wihtout the audit and other features of trusted systems that can fill up a hard disk.

SEP

Re: trusted systems

Tyler Easterling_1 — Sun, 17 Oct 2004 13:41:41 GMT

Hi Andrew,

If you're only concerned about password experation you can run /usr/lbin/modprpw -V and the tsconvert will not expire passwords.

Tyler

Re: trusted systems

andrew medhurst — Mon, 18 Oct 2004 03:52:28 GMT

Thanks for the email i found a way around it there is a command pwconv that checks the passwd files and the /tcb/files/auth directory and if they dont match moves only the entry's out of passwd to tcb directory i then ran the modprpw command to unexpire the passwords and all is now ok.
thanks for all the help i have assigned points.

regards
Andrew