https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858146#M395897 here's an update related to Database vendors: informix and oracle related to HP's Shadow Product on HPUX 11.11<BR /><BR />After installing Shadow, the Informix database access users can not login. (The users come in via tcp clients and informix database authenticates via normal unix system login using /etc/password file.)<BR /><BR />The Informix versions used are: 7.31 and 9.30.<BR /><BR />The fix is simple: take the encrypted password from /etc/shadow and copy it back into the database user's account in /etc/passwd.<BR /><BR />The other vendor: Oracle, apparently has patches to use Shadow.<BR /> Fri, 03 Sep 2004 10:38:20 GMT D Block 2 2004-09-03T10:38:20Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858142#M395893 Have you installed HP's package: Shadow Password ?<BR /><BR />Say, I'm really worried about the OS HPUX with RAC, in particular, 10g.. should I get the vendor Oracle's approval before I install on 11i Production using Rac 10g ? I would hate to break production or wait for a patch from an outside vendor..<BR /><BR />Thx in adv..<BR /><BR />BTW,<BR /><BR />I've installed the package on two test systems, and no problems, but its not production environment running Rac 10g.<BR /><BR />see:<BR /><A href="http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword" target="_blank">http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword</A><BR /><BR />also a thread under HP's Security Form:<BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=590554" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=590554</A> Mon, 23 Aug 2004 21:06:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858142#M395893 D Block 2 2004-08-23T21:06:28Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858143#M395894 Hi Tom,<BR /><BR />We don't take that intermediate step - we convert to full trusted. Every system - period.<BR />Have *not* had a single problem to date.<BR />That covers literally hundreds of systems.<BR />So my advice to you would be - don't mess around with the relatively new shadow PW - do the right thing &amp; go trusted.<BR />It's *much* more secure.<BR /><BR />My $0.02,<BR />Jeff Mon, 23 Aug 2004 21:12:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858143#M395894 Jeff Schussele 2004-08-23T21:12:24Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858144#M395895 Hi Tom,<BR /><BR />I personally haven't played with shadow password support, but one thing I've heard that is different from Trusted Systems is that Shadow Password support will be integrated into NIS in a coming release, where as I've heard of no plans to integrate NIS with Trusted Systems.<BR /><BR />Even if NIS is not used in your shop, my point is to get you thinking not only in terms of security, but of integration with your name server and authentication mechanisms. If you choose a security model, either Shadow or Trusted, be sure to understand the implications of integrating support for those security models with whatever authentication back-end name service you plan to use in your environment.<BR /><BR />Regards,<BR /><BR />Dave Mon, 23 Aug 2004 21:47:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858144#M395895 Dave Olker 2004-08-23T21:47:32Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858145#M395896 We only have a problem with one vendor. Robelle's Qedit product has issues with Shadow passwords. The vendor is aware of the problem and is currently working on a fix. Tue, 24 Aug 2004 08:10:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858145#M395896 Gary L. Paveza, Jr. 2004-08-24T08:10:03Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858146#M395897 here's an update related to Database vendors: informix and oracle related to HP's Shadow Product on HPUX 11.11<BR /><BR />After installing Shadow, the Informix database access users can not login. (The users come in via tcp clients and informix database authenticates via normal unix system login using /etc/password file.)<BR /><BR />The Informix versions used are: 7.31 and 9.30.<BR /><BR />The fix is simple: take the encrypted password from /etc/shadow and copy it back into the database user's account in /etc/passwd.<BR /><BR />The other vendor: Oracle, apparently has patches to use Shadow.<BR /> Fri, 03 Sep 2004 10:38:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858146#M395897 D Block 2 2004-09-03T10:38:20Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858147#M395898 Hi (again) Tom,<BR /><BR />Well that "fix" kind of negates the purpose of Shadow PW because the "standard" /etc/passwd is world readable whereas the shadow is not.<BR />The purpose being that a "normal" user can't grab a copy of the passwd file, take it off system &amp; run crack or John the Ripper against it.<BR />Personally I've never seen Informix have a problem with the TCB (Trusted Computing Base) structure that a trusted system uses.<BR />You might talk to Informix about using the authentication method on the HP version that they use on Sun because all Sun system utilize the shadow PW principle.<BR /><BR />My $0.02,<BR />Jeff Fri, 03 Sep 2004 11:25:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858147#M395898 Jeff Schussele 2004-09-03T11:25:29Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858148#M395899 Does a "trusted" HPUX system have a file called: /etc/shadow ? Tue, 07 Sep 2004 07:25:43 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858148#M395899 D Block 2 2004-09-07T07:25:43Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858149#M395900 I decided to learn on my own:<BR /><BR />- turned on Trusted via SAM and here's the difference when looking at file from /.<BR /><BR />diff# diff /tmp/nontrusted /tmp/trusted<BR />1264a1265<BR />&gt; /tmp/trusted<BR />58015a58017<BR />&gt; /var/spool/sockets/pwgr/client4708<BR />58017d58018<BR />&lt; /var/spool/sockets/pwgr/client4412<BR />58018a58020<BR />&gt; /var/spool/sockets/pwgr/client4567<BR />58053a58056,58057<BR />&gt; /var/spool/cron/.ataids<BR />&gt; /var/spool/cron/.cronaids<BR />58377d58380<BR />&lt; /var/sam/ann.dion<BR />58378a58382,58383<BR />&gt; /var/sam/sam_tm_work<BR />&gt; /var/sam/ann.dion<BR />59496a59502,59506<BR />&gt; /.secure<BR />&gt; /.secure/etc<BR />&gt; /.secure/etc/audnames<BR />&gt; /.secure/etc/audfile1<BR />&gt; /.secure/etc/audfile2<BR />59512a59523,59594<BR />&gt; /tcb<BR />&gt; /tcb/files<BR />&gt; /tcb/files/auth<BR />&gt; /tcb/files/auth/system<BR />&gt; /tcb/files/auth/system/default<BR />&gt; /tcb/files/auth/system/maxaid<BR />&gt; /tcb/files/auth/a<BR />&gt; /tcb/files/auth/a/adm<BR />&gt; /tcb/files/auth/b<BR />&gt; /tcb/files/auth/b/bin<BR />&gt; /tcb/files/auth/c<BR />&gt; /tcb/files/auth/d<BR />&gt; /tcb/files/auth/d/daemon<BR />&gt; /tcb/files/auth/e<BR />&gt; /tcb/files/auth/f<BR />&gt; /tcb/files/auth/g<BR />&gt; /tcb/files/auth/h<BR />&gt; /tcb/files/auth/h/hpdb<BR />&gt; /tcb/files/auth/i<BR />&gt; /tcb/files/auth/j<BR />&gt; /tcb/files/auth/k<BR />&gt; /tcb/files/auth/l<BR />&gt; /tcb/files/auth/l/lp<BR />&gt; /tcb/files/auth/m<BR />&gt; /tcb/files/auth/n<BR />&gt; /tcb/files/auth/n/nuucp<BR />&gt; /tcb/files/auth/o<BR />&gt; /tcb/files/auth/p<BR />&gt; /tcb/files/auth/q<BR />&gt; /tcb/files/auth/r<BR />&gt; /tcb/files/auth/r/root<BR />&gt; /tcb/files/auth/s<BR />&gt; /tcb/files/auth/s/sys<BR />&gt; /tcb/files/auth/s/smbnull<BR />&gt; /tcb/files/auth/t<BR />&gt; /tcb/files/auth/u<BR />&gt; /tcb/files/auth/u/uucp<BR />&gt; /tcb/files/auth/v<BR />&gt; /tcb/files/auth/w<BR />&gt; /tcb/files/auth/w/www<BR />&gt; /tcb/files/auth/w/webadmin<BR />&gt; /tcb/files/auth/x<BR />&gt; /tcb/files/auth/y<BR />&gt; /tcb/files/auth/z<BR />&gt; /tcb/files/auth/A<BR />&gt; /tcb/files/auth/B<BR />&gt; /tcb/files/auth/C<BR />&gt; /tcb/files/auth/D<BR />&gt; /tcb/files/auth/E<BR />&gt; /tcb/files/auth/F<BR />&gt; /tcb/files/auth/G<BR />&gt; /tcb/files/auth/H<BR />&gt; /tcb/files/auth/I<BR />&gt; /tcb/files/auth/J<BR />&gt; /tcb/files/auth/K<BR />&gt; /tcb/files/auth/L<BR />&gt; /tcb/files/auth/M<BR />&gt; /tcb/files/auth/N<BR />&gt; /tcb/files/auth/O<BR />&gt; /tcb/files/auth/P<BR />&gt; /tcb/files/auth/Q<BR />&gt; /tcb/files/auth/R<BR />&gt; /tcb/files/auth/S<BR />&gt; /tcb/files/auth/T<BR />&gt; /tcb/files/auth/U<BR />&gt; /tcb/files/auth/V<BR />&gt; /tcb/files/auth/W<BR />&gt; /tcb/files/auth/X<BR />&gt; /tcb/files/auth/Y<BR />&gt; /tcb/files/auth/Z<BR />&gt; /tcb/files/ttys<BR />&gt; /tcb/files/devassign<BR />#<BR /><BR /><BR />I'll have to say, linux rules in this situation. that TCB does not have: /etc/shadow file!<BR /><BR />closed. Tue, 07 Sep 2004 20:01:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858149#M395900 D Block 2 2004-09-07T20:01:05Z https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858150#M395901 fubar Tue, 07 Sep 2004 20:01:55 GMT https://community.hpe.com/t5/operating-system-hp-ux/shadow-password-usage-install-issues/m-p/4858150#M395901 D Block 2 2004-09-07T20:01:55Z