topic Re: Trusted Systems. in Operating System - HP-UX

Trusted Systems.

John Tyler — Wed, 11 Dec 2002 13:46:44 GMT

Hello!

I know the many advantages of running HP/UX as a trusted system.

What are the drawbacks ? What do one lose when the system is converted to trusted system?

Does it still support R-fuctions like RCP/RSH ? I know ssh is preferred.

Is it supported on servers running Service Guard.

Any comment/suggestion is appreciated.

TIA

Re: Trusted Systems.

Ken Hubnik_2 — Wed, 11 Dec 2002 13:51:15 GMT

The only drawback is a little more administration of user accounts and also the root account falls into the same rules as other user accounts.

It does support the R commands.

It does run in a service guard environment.

I prefer to use Trusted systems because the added security benefits.

Re: Trusted Systems.

Christian Gebhardt — Wed, 11 Dec 2002 13:54:18 GMT

Hi
All passwords are changed if you convert to trusted system.
I do not know other problems.
Chris

Re: Trusted Systems.

John Tyler — Wed, 11 Dec 2002 14:12:05 GMT

I heard of certain issues with running R-functions between trusted and non-trusted system,

Can someone confirm that r-functions work between trusted and non trusted systems. (both ways using .rhosts for automatic login).

The problem is that we have user scripts whichg uses rcp and remsh to copy and run commands on remote systems.

So should we convert them all to trusted at the same time?

Thanks,

Re: Trusted Systems.

Uday_S_Ankolekar — Wed, 11 Dec 2002 14:41:12 GMT

Trusted system do work with all the 'r' commmands. But before changing all the system to trusted do take backup of /etc/passwd file.

-USA..

Re: Trusted Systems.

Timothy P. Jackson — Thu, 12 Dec 2002 14:57:56 GMT

Make sure that you check your applications. Trusted systems use different libraries for verifing users, user id's and probably other functions.

Tim

Re: Trusted Systems.

nck2pg2 — Fri, 13 Dec 2002 05:00:53 GMT

I found out that trusted system won't allow rlogin without prompting for password.

Re: Trusted Systems.

Wiryanto Victor — Fri, 13 Dec 2002 06:22:29 GMT

When I converted mine to trusted system, I found out that after 3 tries of wrong password entered via telnet session, the account would be locked. But, I managed to resolve by logging in from console. But still, that would give a chance to other admins/users to sabotage the account.

Re: Trusted Systems.

John Payne_2 — Fri, 13 Dec 2002 06:57:46 GMT

You lose the ability to forget root password and boot to single user mode to just to reset. (Asks for old password when trusted.) A work around for this is to have a user (like you) with restricted sam permissions. (You could log in and untrust your system, among other things.)

The trusted system stuff lets you configure the number of incorrect logins allowed before a suspend, and stuff like that.

Other than that, there aren't really too many problems with having a trusted system. You may want to be careful about how you trust the system if you have had users on the system for some time, as the default policies tend to expire passwords and stuff like that. After converting, I would definitely leave your root session logged in to make sure everything's happy.

We have one system that is untrusted due to some dumb little database/application problem with the tcb structure. It is a 10.20 box with an old informix database on it. Everything else is trusted, and it works fine.

Hope it helps

John

Re: Trusted Systems.

mvr — Fri, 13 Dec 2002 13:40:50 GMT

Couple of thinks to make life easier:

1)Make a copy of /etc/passwd
2)Make sure you don't have any special caracters in the /etc/passwd (If you are running SAMBA and your workstation need to be member of the domani, where HP-UX is PDC, than you have entry in your /etc/passwd something like wsat1$:*:.......)
3)All of your passwords will be expired, I suggest you to execute comand modprpw -V and save some hadakes
4)HAVE AT LEAST TWO SESSIONS OPENED AS A ROOT (just in case if you lock out your root user)

Good luck

Miro
4)