topic Re: password in trusted mode. in Operating System - HP-UX

password in trusted mode.

Srimalik — Mon, 16 Jun 2008 07:51:04 GMT

Hi,

I had a untrusted system with a password more than 8 chars(I know its of no use in case of untrusted system) say: abcd123456.

from this if I entered only the first eight chars I was able to login.

Now I convert the system to trusted mode and set the password limit to 20 chars.

Now also I see the same behavior I am able to login with abcd1234 as well as abcd123456.

I have not changed the password while converting the system to trusted mode. so the password is still abcd1234 (56 should be ignored as the hash never had this part)

Is this expected?? shouldn't the login fail when I try the password "abcd123456"???
It should only succeed with abcd1234.

-Sri

Re: password in trusted mode.

Jeeshan — Mon, 16 Jun 2008 08:01:02 GMT

Hi Sri

if you want to get benefitted of the trusted system, you may need to reset the password more that 8 characters.

Re: password in trusted mode.

Srimalik — Mon, 16 Jun 2008 08:05:55 GMT

Thanks for the reply Ahsan

I can always reset the the password to more more than 8 chars.
My doubt is about the behavior of system.

I am writing an app which will behave exacly similar to the login prompt. so I used
crypt to authenticate on a untrusted system and bigcrypt on an untrusted system.

But for the above scenarios the results for my app. and login prompt do not match. :-(

I want to confirm where the behaviour shon by the login program is correct in trusted mode. It allows me to login with two passwords.

Re: password in trusted mode.

Srimalik — Mon, 16 Jun 2008 08:08:39 GMT

Found a thered with similar contents but not closure

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1213594642072+28353475&threadId=1184575

Re: password in trusted mode.

Avinash20 — Mon, 16 Jun 2008 09:42:25 GMT

Please share the OS version

Re: password in trusted mode.

Avinash20 — Mon, 16 Jun 2008 10:07:20 GMT

When passwords on trusted systems are 8 bytes long you can enter a
password longer than 8 bytes and login to the system (as long as the
first 8 bytes match).

This CR asks that only the password entered be used to allow access to
the system if it fully matches the encrypted user password. That is
compare all of the password entered don't truncate it to 8 characters
for password matching.

The fix for 11.11 is delivered through PHCO_35250.

Re: password in trusted mode.

Avinash20 — Mon, 16 Jun 2008 10:28:57 GMT

The above is the known issue, and has been fixed with the patch mentioned above.

Re: password in trusted mode.

Srimalik — Mon, 16 Jun 2008 11:24:47 GMT

Thanks Avinash

Is a equivalent patch available for 11.23?

-Sri

Re: password in trusted mode.

Srimalik — Mon, 16 Jun 2008 11:28:10 GMT

I could not find it in the patchequilancy table:
http://www12.itrc.hp.com/service/patch/document.do?docId=equiv_data1111

I am running a 11.23 june 2007 release.

-Sri

Re: password in trusted mode.

Avinash20 — Mon, 16 Jun 2008 11:47:24 GMT

Here it goes

PHCO_35251 libpam_unix cumulative patch

Re: password in trusted mode.

Avinash20 — Mon, 16 Jun 2008 11:50:27 GMT

The above is the equivalent patch for 11.23

You could also find the equiv patch by going to patch desc of 11.11 patch and check for the field
Equivalent Patches:

Re: password in trusted mode.

Avinash20 — Mon, 16 Jun 2008 11:52:39 GMT

The latest patch available for 11.23 is

PHCO_37070 libpam_unix cumulative patch

Always better to have the latest patch level

Re: password in trusted mode.

Srimalik — Mon, 16 Jun 2008 13:21:00 GMT

I installed PHCO_37076 ( the latest in series) but the problem is still there.

Steps to dulicate

1) untrust the system
2) set password to abcd1234
3) make the system trusted
4) login with abcd1234 ..succeeds <---- OK
5) login with abcd123456 ...succeeeds <---- this should not happen because the password is abc1234 and not abcd123456

One more thing I tried was:

1) do steps 1-3 above
2) change the password to something else..
3) change the password to abcd1234 ( this should bring the system in same state as in step 3 above)

4) login with abcd1234..succeeds <--OK
5) login with abcd123456 ...fails <---I think this is the correct behavior

Is there some other patch to solve this?

-Sri

Re: password in trusted mode.

Avinash20 — Tue, 17 Jun 2008 02:52:54 GMT

Hmm.. Could you please check if the patch has been installed sucessfully

# swlist -l fileset -a state | grep

This should be configured

>> Let me test this in my lab servers this weekend..

Re: password in trusted mode.

Avinash20 — Tue, 17 Jun 2008 02:54:50 GMT

Please attach the
# swlist -l fileset -a state
output

Also I understand that you have installed the patch PHCO_37076 & all its dependencies

Re: password in trusted mode.

Srimalik — Tue, 17 Jun 2008 03:09:19 GMT

I have installed all the dependencies

The output requested is:
bash-3.2# swlist -l patch -a state PHCO_37076
# Initializing...
# Contacting target "habhppa5"...
#
# Target: habhppa5:/
#

# PHCO_37076
# PHCO_37076.CORE-ENG-A-MAN configured
# PHCO_37076.CORE2-64SLIB configured
# PHCO_37076.CORE2-SHLIBS configured
bash-3.2# swverify PHCO_37076

======= 06/17/08 03:31:06 MDT BEGIN swverify SESSION
(non-interactive) (jobid=habhppa5-0036)

* Session started for user "root@habhppa5".

* Beginning Selection
* Target connection succeeded for "habhppa5:/".
* Software selections:
+ Networking.NET2-KRN,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_PA
+ OS-Core.C-KRN,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_PA
+ OS-Core.CORE-KRN,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_IA/PA
+ OS-Core.CORE2-KRN,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_PA
+ OS-Core.KERN-RUN,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_IA/PA
+ OS-Core.KERN2-RUN,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_PA
+ PHCO_31607.SECURITY2,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_31616.UX2-CORE,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_31618.CORE2-64SLIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_31618.CORE2-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_31621.CORE2-64SLIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_31621.CORE2-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_32146.CORE2-64SLIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_32146.CORE2-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_32146.UX2-CORE,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_35048.CORE2-64SLIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_35048.CORE2-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_35048.PROG-MIN,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_35048.PROG-MN-64ALIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_36742.CORE-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_IA/PA
+ PHCO_36742.CORE2-64SLIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHCO_36742.CORE2-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
PHCO_37076.CORE-ENG-A-MAN,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_IA/PA
PHCO_37076.CORE2-64SLIB,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
PHCO_37076.CORE2-SHLIBS,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ PHKL_31500.CORE2-KRN,l=/,r=1.0,a=HP-UX_B.11.23_IA/PA,v=HP,fr=1.0,fa=HP-UX_B.11.23_PA
+ UserLicense.UNL-USER,l=/,r=B.11.23,a=HP-UX_B.11.23_IA/PA,v=HP,fr=B.11.23,fa=HP-UX_B.11.23_PA
* A "+" indicates an automatic selection due to dependency or
the automatic selection of a patch or reference bundle.
* Selection succeeded.

* Beginning Analysis
* Session selections have been saved in the file
"/.sw/sessions/swverify.last".
* The analysis phase succeeded for "habhppa5:/".
* Verification succeeded.

NOTE: More information may be found in the agent logfile using the
command "swjob -a log habhppa5-0036 @ habhppa5:/".

======= 06/17/08 03:31:13 MDT END swverify SESSION (non-interactive)
(jobid=habhppa5-0036)

bash-3.2#

Re: password in trusted mode.

Srimalik — Thu, 26 Jun 2008 17:55:12 GMT

Closing this.
Will use the workaround if needed.