topic Re: Password Shadowing in Operating System - HP-UX

Password Shadowing

lanke_1 — Mon, 30 Dec 2002 21:00:58 GMT

Hi,

If a hpux11.0 system is converted to a trusted system
should I be able to use NFS
to mount the file systems across the systems.

Any ideas would be greatly appreciated.

Thanks in advance,
Lanke

Re: Password Shadowing

Patrick Wallek — Mon, 30 Dec 2002 21:04:40 GMT

Yes, NFS should still behave normally after converting to a trusted system.

What specific problems or errors are you seeing?

Re: Password Shadowing

Robert-Jan Goossens — Mon, 30 Dec 2002 21:07:17 GMT

Hi Lanke,

Yes to your question. Do you have any problems at this moment whit NFS on trusted system?

Kind regrds,

Robert-Jan.

Re: Password Shadowing

lanke_1 — Mon, 30 Dec 2002 21:13:44 GMT

Hi Patrick,

Thanks for your response.

I want to implement password
shadowing. I know that trusted systems donot support NIS.As I have got NFS mounted file systems across the systems, Iam wondering whether trusted system could
effect the NFS as well.

1)What are things to be considered while implementing a trusted system on hpux11.0
systems.

2) Impacts on a post implemented trusted system.
(users,ftp users)

Thanks,
Lanke

Re: Password Shadowing

Sridhar Bhaskarla — Mon, 30 Dec 2002 21:19:26 GMT

Hi,

Since NIS deals with passwords, NIS is not supported over Trusted systems. There is no dependency of NFS on trusted systems and you can safely use it.

As per your questions,

1. YOu may want to roll it in a phased manner. First, convert the systems to trusted but do not implement any policies so that it will be transparent to your users. After converting the system to trusted, disable password expiry option (use SAM -> Auding and Security -> System Securiyt policies) immediately so that the passwords are not expired after conversion. Chart out a site security plan, decide the policies and slowly implement them like password expiry, bad attempts etc.,

2. Nothing if you have taken care of the above policies.

-Sri

Re: Password Shadowing

RAC_1 — Mon, 30 Dec 2002 21:36:05 GMT

to avoid password expiry after you convert to trusted mode use

/usr/lbin/modprpw -V

Re: Password Shadowing

lanke_1 — Mon, 30 Dec 2002 21:42:43 GMT

Sridhar,
Thanks for your timely response.
What about the patches?.
Do I have to Install any latest security patches.
By the way Iam on HPUX11.0

Thanks once again,
Lanke

Re: Password Shadowing

Sridhar Bhaskarla — Mon, 30 Dec 2002 21:46:52 GMT

Hi,

We keep up with patches. So, I havent' had any issues after convering our systems to trusted. I suggest a good site policy includes regular patching too.

But you should be ok unless the patch levels are too old.

-Sri

Re: Password Shadowing

Patrick Wallek — Mon, 30 Dec 2002 21:48:08 GMT

It never hurts to have the latest security patches installed, but there are no patches that I know that are specifically for a trusted system.

Re: Password Shadowing

avsrini — Tue, 31 Dec 2002 01:49:55 GMT

Hi Lanke,
We are using NFS and trusted systems. We are not having any problems so far.

After converting the system to trusted mode, you have to take care of the user password aging, password length, inactivity time, etc. etc.

You can use
/usr/lbin/getprpw to get the settings
and
/usr/lbin/modprpw to modify the settings

In HPUX 11i, you have a man for both commands.

also you can use logins command, which gives nice formatted output.

also you can use the SAM for these tasks.

If you have any modems using, you have to give permissions for users
to access them.

Srini.

Re: Password Shadowing

Timothy P. Jackson — Tue, 31 Dec 2002 13:22:58 GMT

Lanke,
Although NIS is not supported, NIS+ is supported on trusted systems. Maybe you want to implement NIS+. It is a little more work as far as administration but once it is all up and working it not to bad.

Good Luck,
Tim