Operating System - HP-UX

Re: HPUX 11.11 password shadow and Informix

 
Grady Parks
Advisor

HPUX 11.11 password shadow and Informix

I have turned on password shadow and my informix logins no longer work. If I do a pwunconv then informix works fine.

Informix says that the only thing that they do is perform a getspent() which should allow the authentication to the users but it does not seem to happen.

Does anyone have any ideas?
If it aint broke...patch it anyway!
G. Vrijhoeven
Honored Contributor

Re: HPUX 11.11 password shadow and Informix

Hi Grady,

You could check this link:

http://www.usenix.org/publications/login/1999-10/letters.html


Regards,

Gideon
Steve Lewis
Honored Contributor

Re: HPUX 11.11 password shadow and Informix

I have had this problem too, although getpsent() is only for trusted systems, not for /etc/shadow. I had problems with trusted mode.

The shadow password package now removes visibility to the encrypted password to all users, in order to stop people running crack programs which guess passwords, encrypt each guess using the library encryption function and compare the encrypted guess against what is in the passwd file.

I suspect that this is what informix does, too, using your entered password and either getpsent() or getpwent().

Although the engine is suid root, the tools are not and I suspect that this may have something to do with the problem.

What we need to know is:

Does the HP shadowed password return anything in the password field for getpwent()? I suspect that it does not and should not, because it would defeat the object of /etc/shadow, but what if the user is effectively root?

Secondly, does informix do what I think it does, comparing the encrypted user input with the entry returned by getpwent()?

What is the effective user id when informix does its authentication?

Does informix now support PAM?

How does it all work anyway?


Bill Hassell
Honored Contributor
Solution

Re: HPUX 11.11 password shadow and Informix

Unfortunately, there is no fix from the HP-UX side. Informix will have to modify their code to handle the (relatively new) shadow password option in HP-UX.


Bill Hassell, sysadmin
Colin Topliss
Esteemed Contributor

Re: HPUX 11.11 password shadow and Informix

When you say you have turned on shadow passwords, do you mean you installed full-blown C2, or just installed the shadow password depot (available separately)?

Under C2, the call to get the password entry changes from getpwent to getprpwent - and it usually breaks a lot of client/server applications.

I can't for the life of me remember if the shadow password bundle itself uses a /etc/shadow password file or whether it uses /tcb/files/auth. If it uses /etc/shadow, the getspent won't work:

The secured password facility is implemented without the use of the /etc/shadow file. getspent(), getspnam(), setspent(), and endspent() read from the trusted system's protected password database (/tcb/files/auth/*/*) and not /etc/shadow. The file /etc/shadow is not used in any way by the HP-UX login facility.

Also bear in mind that the shadow password depot is NOT compatible with NIS or LDAP (at least not when I last looked at it).
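
A small diagnostic for the questions raised in the replies above by Steve Lewis and Colin Topliss (what the passwd and shadow lookups return to a given process, and under which effective uid), as an added example that is not part of the thread and is not Informix or HP code. It assumes the host provides `<shadow.h>` and that a shadowed entry carries a short marker instead of a hash; the function names are hypothetical, and the hash itself is never printed.

```c
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum pw_field { PW_EMPTY, PW_PLACEHOLDER, PW_HASH_VISIBLE };
static const char *pw_field_name[] = { "empty", "placeholder", "hash visible" };

/* Classify a password field without revealing it.
 * Assumption: anything shorter than a 13-character crypt() hash
 * ("x", "*", lock markers) is a placeholder, not a usable hash. */
enum pw_field classify_pw_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return PW_EMPTY;
    if (strlen(field) < 13)
        return PW_PLACEHOLDER;
    return PW_HASH_VISIBLE;
}

/* Report what THIS process (with its current uid/euid) can see for user.
 * Returns 1 if a hash is reachable via either call, 0 if not,
 * -1 if the user is unknown. */
int hash_reachable(const char *user, FILE *out)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    enum pw_field from_pw = classify_pw_field(pw->pw_passwd);
    struct spwd *sp = getspnam(user); /* NULL if the caller may not read it */
    enum pw_field from_sp = classify_pw_field(sp ? sp->sp_pwdp : NULL);

    fprintf(out, "user=%s uid=%ld euid=%ld\n", user, (long)getuid(), (long)geteuid());
    fprintf(out, "getpwnam(): %s\n", pw_field_name[from_pw]);
    fprintf(out, "getspnam(): %s\n", sp ? pw_field_name[from_sp] : "no entry returned");
    return from_pw == PW_HASH_VISIBLE || from_sp == PW_HASH_VISIBLE;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    int r = hash_reachable(argv[1], stdout);
    if (r < 0)
        fprintf(stderr, "unknown user\n");
    return r == 1 ? 0 : 1;
}
```

Running it once as the account the database tools run under and once as root shows whether the difference is the data source or the caller's privileges.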
Grady Parks
Advisor

Re: HPUX 11.11 password shadow and Informix

Thanks guys!

Sorry for the slow response, I was in Veritas Cluster 4 training and still having to work so my plate was quite full.

In our environment, we are only running the depot version because Trusted hosts is not allowed. I talked with the Informix DBA and they are going to try to schedule a meeting with myself and the Informix Tech because I don't think the Informix products that we are using have PAM support and that Informix will have to actually fix the problem from their end.

I am going to perform some additional tests this weekend and will keep you posted. I will assign points next week.

If you have any other suggestions or insights in the meantime please feel free to add them to the thread.

Thanks
Grady
If it aint broke...patch it anyway!
JJ_4
Frequent Advisor

Re: HPUX 11.11 password shadow and Informix

What version of Informix?

What errors are reported in the online.log?
Not enough Zappa makes you sad.
Grady Parks
Advisor

Re: HPUX 11.11 password shadow and Informix

I know it has been a while. The DBA and I have been involved in DR drills, and I spoke with her and Informix has not found a solution for this.

She tried it with the most recent version of Informix. The version escapes me now so I won't worry about it.

I want to thank you guys for your responses and since this seems like it will not be solved in the short time, I will go ahead and send out some points for the good leads.

Grady
If it aint broke...patch it anyway!