topic Re: diff bet the /etc/shadow in Operating System - HP-UX

diff bet the /etc/shadow

wish_1 — Mon, 21 Aug 2006 15:17:35 GMT

dear all

i want to know is there any diff between the /etc/passwd and /etc/shadow in hp-ux with other OS's such (AIX, Solaris, Linux...)

if any? what is the diff?

thanks in adv.
regards
wish

Re: diff bet the /etc/shadow

IT_2007 — Mon, 21 Aug 2006 15:21:46 GMT

HP-UX doesn't have /etc/shadow file. Only it uses /etc/password file in non-trusted environment.

Re: diff bet the /etc/shadow

A. Clay Stephenson — Mon, 21 Aug 2006 15:25:04 GMT

Where it is implemented, no; however, very few HP-UX boxes actually use a shadowed passwd file (although there is a patch to enable it). HP-UX's normal approach is to use a Trusted database (TCB) that does more than an /etc/shadow file in that many more attributes are stored but, in addition, the users' password hashes are stored under /tcb as well and are only readable by root.

Re: diff bet the /etc/shadow

A. Clay Stephenson — Mon, 21 Aug 2006 15:28:38 GMT

Well since HP-UX doesn't have shadowed passwords, I wonder what this does?

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

However, as I mentioned before, the typical HP-UX is to use TCB rather than this solution.

Re: diff bet the /etc/shadow

Bill Hassell — Mon, 21 Aug 2006 16:43:31 GMT

/etc/shadow can be installed on HP-UX and is essentially the same as other Unix systems -- with all the incumbent limitations like no password formation controls, only trivial expiration, no limitations of login periods, no password history, etc. In today's complex security environments, the legacy /etc/shadow method is not adequate, one of the reasons HP chose the TCB method for security many years ago. Legacy programs may not run in HP's TCB environment, but I view that as a good thing.

Re: diff bet the /etc/shadow

doug hosking — Tue, 22 Aug 2006 13:32:03 GMT

The answers re the feature sets vary somewhat from release to release. It is true that the initial web release of shadow password support supported a restricted subset of the trusted mode features. Longer term, trusted mode is being phased out, with its features generally being supported by userdb (see http://docs.hp.com/en/5991-1101/ch08s08.html), such that they can be used in combination with an /etc/shadow file. Userdb provides a more extensible way of adding per-user attributes. The intent is that users can get a broader range of features with fewer compatibility and code portability issues. See security(4) and userdb(4) on your specific version of HP-UX for the latest information on the supported feature sets. http://docs.hp.com/en/5991-0791/ch01s01.html has additional information.

Re: diff bet the /etc/shadow

inventsekar_1 — Tue, 22 Aug 2006 13:43:06 GMT

# man pwconv

pwconv(1M) pwconv(1M)

NAME
pwconv - install, update or check the /etc/shadow file

# pwconv

*Warning*: There is a restriction on the use of shadow password
functionality in this release of HP-UX. Failure to consider this
limitation may lead to an inability to log in to the system after
the conversion is performed. A system converted to use shadow
passwords is not compatible with any repository other than files
and ldap. This means that the passwd entry in the nsswitch.conf
file must not contain nis, nis+, or dce.

Would you like to proceed with the conversion? (yes/no):

11.23 box.
is HPUX doesnt support shadow passwd file?
it seems that pwconv can convert /etc/passwd to /etc/shadow.

Re: diff bet the /etc/shadow

doug hosking — Tue, 22 Aug 2006 14:49:07 GMT

Sekar, 11.23 does support shadow passwords in a limited context, after installing the shadow password bundle. The message you quote summarizes the restrictions.