topic Re: pwconv HP-UX 11 in Operating System - HP-UX

pwconv HP-UX 11

Rob CUYNEN — Thu, 23 Nov 2000 10:43:50 GMT

In the knowledge base it is stated that you can use pwconv on a non-trusted system.
It should do the follwing:
If commercial security is installed : update shadow file
if commercial security not installed: remove passwords from /etc/passwd and create the shadow file.

When I run the pwconv command on HP-UX 11 I get the message that the system is a non-trusted system and the command does nothing.

Is it possible to use pwconv on a non-trusted system and if not why does it say in the knowledge base that you can ?

Re: pwconv HP-UX 11

Alex Glennie — Thu, 23 Nov 2000 11:25:49 GMT

I just tried this and it does work on a non-trusted system: to see what it does have a look at the pwconf binary.

Are you 100 % sure it did nothing ..have you checked you havent got a tcb dir ?

Re: pwconv HP-UX 11

Alex Glennie — Thu, 23 Nov 2000 11:28:53 GMT

also are you using NIS or tried to convert the system via sam .... any errors ?

Re: pwconv HP-UX 11

Rob CUYNEN — Thu, 23 Nov 2000 12:00:32 GMT

Our intention is just to remove the encrypted passwords from the /etc/passwd file. We are not yet trying to convert to a trusted system.

This is the output of the command:

[hpbis:/etc]# pwconv
The system is not yet in trusted mode.
Use pwck to list any problems with the password file.
After fixing all problems use SAM to convert to trusted mode.

I'm pretty sure I don't get the /tcb -directory because i get the followng output:

[hpbis:/]# ls -a tcb
tcb not found

Re: pwconv HP-UX 11

Alex Glennie — Thu, 23 Nov 2000 12:06:48 GMT

Ah thats slightly different !

If it were me I'd try with the default passwd file from /usr/newconfig/etc/, if that works you may have problems wrt your own passwd file

I'd check for duplicate names uids etc ... ?

Make sure you are patched to a reasonable level as well

Re: pwconv HP-UX 11

Dan Hetzel — Thu, 23 Nov 2000 12:23:13 GMT

Hi,

Run 'pwck' and 'grpck' to fix problems with your password and group files, if any.

Then, you should be able to run 'pwconv' successfully.

Dan

Re: pwconv HP-UX 11

Rob CUYNEN — Thu, 23 Nov 2000 12:34:22 GMT

thank you very much for al your input, but I get the follwing output:

# pwconv /usr/newconfig/etc/passwd
The system is not yet in trusted mode.
Use pwck to list any problems with the password file.
After fixing all problems use SAM to convert to trusted mode.
# pwck /etc/passwd
# grpck /etc/group

# pwconv
The system is not yet in trusted mode.
Use pwck to list any problems with the password file.
After fixing all problems use SAM to convert to trusted mode.

So it doesn't seem to work.

Below is the result of a swlist. Am I missing something or is there a patch that needs to be installed.

#
# Bundle(s):
#

A5158A B.11.00.03 HP PCI Tachyon TL Fibre Channel
A5783A B.11.00.06 PCI Token Ring
B2491BA B.11.00 MirrorDisk/UX
B3919EA_2A5 B.11.00 Special Edition HP-UX Unlimited-User Lic
B3929BA B.11.00 HP OnLineJFS (Advanced VxFS)
B3935DA A.11.09 MC / Service Guard
B5456CA C.01.18.01 HP-UX Development Kit for Java*
B6733AA B.11.00.10 DCE/9000 Kernel Threads Support
B8342AA B.11.00.03 Netscape Communicator 4.72
B8723AA A.01.02 CIFS/9000 Client Lic. for 9000 Servers
B8725AA A.01.02 CIFS/9000 Server Lic. for 9000 Servers
HPUXEng64RT B.11.00 English HP-UX 64-bit Runtime Environment
Ignite-UX-11-00 B.2.4.307 HP-UX Installation Utilities for Installing 11.00 Systems
J2720BA R6.11.00.200 SNAplus2 LINK
J2722BA R6.11.00.200 SNAplus2 3270/3179G
J2723BA R6.11.00.200 SNAplus2 RJE
J2724BA R6.11.00.200 SNAplus2 API
OnlineDiag B.11.00.13.16 HPUX 11.0 Support Tools Bundle
XSWECO226 A.1.0 Patch Replacement bundle
XSWGR1100 B.11.00.49.3 HP-UX General Release Patches, June 2000
XSWHWCR1100 B.11.00.49.3 HP-UX Hardware Enablement and Critical Patches, June 2000
#
# Product(s) not contained in a Bundle:
#

ADSM 1.0 Start/Stop scripts & config files & Oracle backupscript for ADSM
IBMcli_tag 1.1.0.0 IBMcli software for HP-UX
IBMdpo_tag B.11.00.01 IBMdpo Driver 64-bit Version: Oct-26-2000 16:19
IBMis_tag 2.7.1.00 IBM Install Script for HP
PHCO_21630 1.0 LVM commands cumulative patch
PHKL_21381 B.11.00.AA Fibre Channel Mass Storage Driver Patch
PHKL_21989 1.0 SCSI IO Subsystem Cumulative Patch
PHKL_22267 1.0 11.00 LVM Cumulative patch
PHKL_22469 1.0 Directed range,PIOP for N/L class,PAT Events
SW-DIST B.11.10.07.01 HP-UX Software Distributor
TIVsm 3.7.0.0 Tivoli Storage Manager

Re: pwconv HP-UX 11

Dave Kelly_1 — Thu, 23 Nov 2000 13:24:09 GMT

It doesn't look like you can run pwconv on a non-trusted system.

pwconv is just a script file. The contents show:

#!/usr/bin/sh
# @(#) $Revision: 80.2 $
#
# pwconv -- convert to or update commercial security
#

PATH=/usr/lbin
export PATH

# check this file to see if already converted
# see the iscomsec() routine in libsec

if [[ -f /tcb/files/auth/system/default ]]
then
# already converted, do an update
echo "Updating the tcb to match /etc/passwd, if needed."
tsconvert -u
else
# not there yet, do the conversion
echo "The system is not yet in trusted mode."
echo "Use pwck to list any problems with the password file."
echo "After fixing all problems use SAM to convert to trusted mode".
fi

The else shows that nothing is run if the system is not trusted.

Re: pwconv HP-UX 11

Alex Glennie — Thu, 23 Nov 2000 14:03:27 GMT

As to the itrc doc, i the script is different between 10.20 and 11.xx.

did it specify the O/S ?

Re: pwconv HP-UX 11

Rob CUYNEN — Thu, 23 Nov 2000 14:10:40 GMT

The knowledge base document that I refered to in the beginning is:

A5242666

Problem Description

Can I use pwconv if my system is not a trusted system? Will pwconv
create a shadow file?

Configuration Info

Operating System - HPUX
Version -
Hardware System - HP 9000
Series - E35

Solution

Yes, you do not have to have a trusted system to use pwconv and
pwconv will create shadow files.

I also have a reference to document RN06961020:
HP-UX 10.20 Release Notes, Major Changes for HP-UX 10.0 & 10.01, Part 1

New commands from 10.0

pwconv(1M)
*****************************************************************************
Creates or updates the commercial security database from /etc/passwd.

* If commercial security is installed, pwconv updates the database.

* If commercial security is not installed, pwconv removes passwords
from /etc/passwd and creates the database.

I don't find any reference that it changed up to V. 11.xx

Re: pwconv HP-UX 11

Dan Hetzel — Thu, 23 Nov 2000 14:24:33 GMT

Hi all,

I guess you're all right ... up to a certain point.

The script in 10.20 is as follows:
#!/usr/bin/sh
# @(#) $Revision: 72.1 $
#
# pwconv -- convert to or update commercial security
#

PATH=/etc
export PATH

# check this file to see if already converted
# see the iscomsec() routine in libsec

if [[ -f /tcb/files/auth/system/default ]]
then
# already converted, do an update
tsconvert -u
else
# not there yet, do the conversion
tsconvert
fi

You see that it either updates or converts depending if the system is trusted or not.
I can't figure out what /etc/tsconvert is doing but it's most probably converting the system into a trusted system, like sam does (probably by calling tsconvert)

Best regards,

Dan

PS: If my understanding is correct, what Rob wants is a trusted system with all auditing turned off ??? Or am I missing something ??

Re: pwconv HP-UX 11

Rob CUYNEN — Thu, 23 Nov 2000 14:26:32 GMT

I was just checking an "old" 10.20 system and there the script just runs tsconvert when it is not already a secure system.

I was wondering , can't I just do the same manually on HP-UX. That's just use tsconvert without any options.

Re: pwconv HP-UX 11

Rob CUYNEN — Thu, 23 Nov 2000 14:34:58 GMT

Actually, I don't want a trusted system.

I'm used to working in the Solaris environment and there by default there are no encrypted passwords in the /etc/passwd file. The encrypted passwords are stored in the root-only accessible file (even read): /etc/shadow.
This is also true for most Linux systems now.

I was just wondering, is the same very basic security check popssible under HP-UX.

For the moment we don't want to use trusted systems because that would also require an upgrade of the JFS filesystems to disk-layout 4(because we need the ACL's) and change from NIS to NIS+. As the NIS would only be used for 3, max. 4 servers we wonder if all the managment hassle of NIS+ won't be to much overhead.

Re: pwconv HP-UX 11

Roderick Derks — Thu, 13 Jan 2005 11:12:31 GMT

Have you ever had a solution to this issue?

Groet,
Roderick Derks

Re: pwconv HP-UX 11

Pete Randall — Thu, 13 Jan 2005 11:17:34 GMT

Roderick,

It's usually better to open your own new question than add a question to such an old thread. In this case, however, I think the answer you seek is "Shadow Passwords":

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Pete