topic Re: Trusted system after pwconv in Operating System - HP-UX

Trusted system after pwconv

Timothy Nibbe — Fri, 21 Mar 2008 11:51:09 GMT

I have a system running 11i v2 that has had the pwconv command ran on it to create shadow passwords.

I want to convert the system to a Trusted system, and SAM will not allow me to do this because of the shadow passwords.

Can a system that has had the pwconv command ran on it be converted to a Trusted system?

Re: Trusted system after pwconv

Kapil Jha — Fri, 21 Mar 2008 12:16:05 GMT

u have to do pwunconv and then convert to trusted.
system with shadow passwd can not be trusted.
BR,
Kapil

Re: Trusted system after pwconv

James R. Ferguson — Fri, 21 Mar 2008 12:16:35 GMT

Hi Timothy:

You either run a shadow password implementation or a TCB one. If you wish to transition to TCB, you can run 'pwunconv(1m)' to disable shadow passwords and then convert to a TCB.

I would point out that as of 11.31, Trusted system implementations are deprecated.

Bill Hassell has some good comments in this thread:

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1214608

Regards!

...JRF...

Re: Trusted system after pwconv

Kapil Jha — Fri, 21 Mar 2008 12:26:03 GMT

>>system with shadow passwd can not be trusted
should be

>>system with shadow passwd can not be TCB

this could make sm difference in understanding ;)

Kapil

Re: Trusted system after pwconv

Timothy Nibbe — Fri, 21 Mar 2008 12:49:47 GMT

Thanks.

I was needing to implement account lockout after n login failures and the only way I could see to do that was to go to Trusted mode.

Re: Trusted system after pwconv

Bill Hassell — Fri, 21 Mar 2008 23:03:06 GMT

Actually, there is a new package for 11.23 and later called Standard Mode Security Extension (SMSE). Trusted is the best choice as it has a large set of controls for authentication but old applications often do not use PAM and assume all Unix boxes have a shadow password file. SMSE adds the needed enhancements but retain a more compatible interface for the old stuff.

Re: Trusted system after pwconv

Emil Velez — Sat, 22 Mar 2008 02:04:08 GMT

Standard Mode Security Extensions SMSE

provides you most of the features of trusted systems really except for generating passwords. You can restrict certain users to certain passwords. you can lock the account after a certain number of retries. It is configured with a command called

userdbset and userdbget look them up.

If you attend the HPUX Security class we cover the features there.

Re: Trusted system after pwconv

Timothy Nibbe — Mon, 24 Mar 2008 09:27:19 GMT

Thank you very much.