topic Re: Password Shadowing in Operating System - HP-UX

Password Shadowing

Glenn L. Stewart — Wed, 27 Feb 2002 01:03:43 GMT

Very quick question... nevertheless please provide suggestions even if the question is solved. I am very curious as to user experience in this area.

Post security audit it has been recommended that we implement password shadowing asap.

I know it is common, if not standard to have password shadowing in Linux, but a standard install of HP-UX doesn't not come with password shadowing installed as a default. From sysadmin courses at HP, I got the impression that it is uncommon for password shadowing to be enabled - or at least uncommon to have a trusted system.

Q1: What procedure is used to implement password shadowing?

Q2: What are the impacts - the less obvious positive impacts versus the negative impacts?

Q3. What is your personal experience post password shadowing?

Q4. How common do you believe password shadowing to be on HP-UX.

I will generously award points.

Thanks in advance.
Glenn

Re: Password Shadowing

Bill Hassell — Wed, 27 Feb 2002 01:27:09 GMT

> Q1: What procedure is used to implement password shadowing?

SAM - change your system to a Trusted System, or use the backend command /usr/lbin/tsconvert

> Q2: What are the impacts - the less obvious positive impacts versus the negative impacts?

NIS can no longer be used. But Trusted System (and a shadow password file) implies higher security, while standard NIS is not compatible with those goals.

> Q3. What is your personal experience post password shadowing?

Works fine and because HP's Trusted System adds many additional controls on logins (times allowed, min/max password lengths, expiration and disable rules), it is very flexible in cotrolling access and increasing security. HP's Trusted System is a superset of the shadow password concept.

As a downside, running vipw or vi on the passwd file is not going to be a good idea for the admin as the shadow must be maintained in sync. Use SAM to maintain the passwd files.

> Q4. How common do you believe password shadowing to be on HP-UX.

Quite common. Most objections have to do with tools that 'know' where the password file is located and do not understand the /tcb directory. Again, one has to question how secure a system will be if tools will exist on the system that aree aware of shadow passwords.

Re: Password Shadowing

Michael Tully — Wed, 27 Feb 2002 01:39:23 GMT

Hi Glenn,

I'll answer your question pertaining to my site. Implementation of password shadowing or 'trusting your server' as it known, is quite common and can depend on what applications are running as whether
it can be implemented.

1. You can easily implement it using 'sam' or
'tsconvert' from the command line.
# /usr/lbin/tsconvert

2. A directory called /tcb is created and all
password imformation, expiry, encryption is
held here. One downside is that all passwords
expire immediately upon implementation.

3. Passwords expiring immediately can cause
a mutiny.

4. I can only say from the sights I've worked
at during the last five years since I've been
using it, and greater than 50% of the servers
I've been looking after have this facility.
I can also say sometimes that management need
to take security more seriously than they do
except until after systems have been audited,
like a 'I told you so' approach!

Here is a couple of links that I've used in
the past.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x67f9c6af36b7d5118ff10090279cd0f9,00.html
http://people.hp.se/stevesk/bastion11.html

Chapter 8
http://www.docs.hp.com/hpux/onlinedocs/B2355-90742/B2355-90742.html

Also from the Teck knowledge base

PROBLEM
Where to find information regarding trusted systems (C2 security).

RESOLUTION

For trusted system information, refer to the following manuals at
http://www.docs.hp.com/.

HP-UX System Administration Tasks (HP-UX 10.X Operating System)
Managing Systems and Workgroups (HP-UX 11.X Operating System)
Administering Your HP-UX Trusted System (Internet & Security Solutions)

SAM provides the convert and unconvert capabilities at 10.X and
11.X. The SAM help facility provides additional information on
specific capabilities of a trusted system.

Make a backup copy of /etc/passwd and /etc/group prior to
converting, and install any trusted system related patches prior
to converting to a trusted system through SAM.

Several other sources for additional information are below.

man pages

authck(1M) - check internal consistency of Authentication database
authcap(4) - security databases for trusted systems
default(4) - system default database file for a trusted system
devassign(4) - device assignment database file for a trusted system
iscomsec(2) - check if the system has been converted to a trusted system.
prpwd(4) - protected password authentication database files
ttys(4) - terminal control database file , for trusted systems

The Release Notes under /usr/share/doc

HTH
-Michael

Re: Password Shadowing

Eric Ladner — Wed, 27 Feb 2002 01:53:48 GMT

NIS doesn't work with trusted mode, but NIS+ does. It's kind of a bear to set up though, but works well once configured correctly.

We have several systems running in trusted mode with more converting as we can get down time.

I mourned the loss of 'vi /etc/passwd' though.