topic trusted system in Operating System - HP-UX

trusted system

Brozza_1 — Mon, 24 Nov 2003 04:12:54 GMT

Hi all!

Can any of you tell me about his/her experience with trusted systems under hpux 11.00 and 11.11? The thing is we'd like to convert our systems to trusted and need to know if there is any disadvantage with it. Thanks.

Re: trusted system

Fabio Ettore — Mon, 24 Nov 2003 04:39:29 GMT

Hi Brozza,

on docs.hp.com you can find many useful hints and suggestions to manage your trusted system and eventual known problems.
Anyway
KBRC00012678 - TRUSTED: System generated password length exceeds maximum length

already reports a warning about password lenghts and

KBRC00010639 - Troubleshooting a Trusted system

about a general troubleshooting on trusted system.

I hope this helps you.

Best regards,
Ettore

Re: trusted system

Mei Jiao — Mon, 24 Nov 2003 06:31:21 GMT

In my experience, the most frequent problem reported for a Trusted System is that, the root user account being disabled, after root's password being keyed in wrong for 3 times (by default is 3 times).

To resolve this, you must bring the system down to single-user mode to change the root password.

Or you may want to increase the 'Unsuccessful Login Tries Allowed' from 'General User Account Policies' using SAM to increase the number.

Hope this helps!

Re: trusted system

RAC_1 — Mon, 24 Nov 2003 07:25:52 GMT

I never had any problems with trusted systems.

Yiu have more control on passwors, expiry time and whole lot of other details. For accounts getting disabled, you can set max. no. unsuccessful logins. For root I always set it bit high,

Also immedialtely after to you convert to trusted systems , in order to avoid getting all logins expired, execute the following command.

/usr/lbin/modprpw -V

Check the man pages for getprpw, getprdef, modprpw, modprdef.

Hope this helps.

Re: trusted system

Marco Santerre — Mon, 24 Nov 2003 07:50:20 GMT

Trusted Systems are very nice to have especially if your corporation is audited. It allows you to set up password aging, accounts deactivation and neat security stuff.

Most of the problems I've encountered have to do with account deactivation. People don't always remember that they only have 3 (or x number of times) to get their password right before being locked. Also, has already mentionned, root being locked can create havoc (especially if you don't have another root-type account), cause not only will it lock you root and stop from accessing it, but if you're using r-commands, like in ServiceGuard, it'll always ask you for password, and even if it's the right one, it won't work, causing jobs to fail.

But in my mind, the advantages far outweight the disadvantages.

Re: trusted system

doug hosking — Tue, 25 Nov 2003 05:37:52 GMT

Brozza, can you tell us why you want to convert to trusted systems? Is it because of protected passwords, auditing, password restrictions or some other reason? Knowing what's important to you would help us give you better answers.

Do you run NIS? You can't mix trusted mode and NIS.

If you decide to convert to trusted mode, be sure you have current patches for libsec, tsconvert and libpam before converting. That will help you avoid several potential problems.

Re: trusted system

James Lynch — Tue, 25 Nov 2003 08:45:27 GMT

One point to note on re-enabling the root account after it has been disabled/locked. You should not have to bring the system to single user mode in order to reactivate the account. All you have to do is login successfully from the console as root. Even with the system being trusted, root access is always allowed from the console, even if the account is locked. The act of loggin in on the console as root will automatically reactivate the root account.

JL

Re: trusted system

Mei Jiao — Tue, 25 Nov 2003 21:32:25 GMT

James, you're right. I've done testing on a server, after the root account being locked/disabled, login through its console can automatically re-activate the root account. Will take note of this. :)

By the way, I think bring the system down to single-user mode to re-activate the root account is unavoidable for a workstation? Unless we have another active telnet session login as root?

Re: trusted system

James Lynch — Wed, 26 Nov 2003 07:46:47 GMT

I'm not 100% sure on this, since I don't have a workstation to test on, but I think that you should still be able to login as root without bringing down the system to single user mode. Remember that the the graphics head that you normally login on is also the console port. You may just need to bypass the CDE window environment. This is usually accomplished by selecting an option from the login (dtgreet) screen to login as a text/normal session.

JL