
Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Ryan Sheen
Occasional Visitor



In the security manual, the enhanced security subsets for OSF 5.1 are OSFC2SEC510 and OSFXC2SEC510. I am trying to turn on the enhanced security on an OSF 5.1 system. But the security subsets are OSFC2SEC520 and OSFXC2SEC520. Can the $$$520 subsets be used on an OSF 5.1 system?

I assumed the answer was yes and used secconfig to turn the enhanced security on. The passwords were shadowed. But no one can log in since the login process interprets the "*" in /etc/passwd as an encrypted password. Also I found the matrix.conf is still pointing to BSD libraries.

Shall I install the OSFC2SEC510 subsets?
9 REPLIES
Venkatesh BL
Honored Contributor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Can you post the output of "sizer -v"?

The $$$5$0 depends on the actual OS version. For example, V5.1A contains $$$520 subsets and V5.1B contains $$$540 subsets.

So, I would suggest that you install the appropriate subsets that are shipped with the Base OS version.
Ryan Sheen
Occasional Visitor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1


Thanks BL!

Here is the output of sizer
# sizer -v
Compaq Tru64 UNIX V5.1A (Rev. 1885); Wed Nov 27 12:38:39 EST 2002

If OSFC2SEC520 is for V5.1A, I will try to reinstall the subsets myself. Does it also install OSFC2_matrix.conf? I did not find the file anywhere, even in /usr/.samdb./OSFC2SEC520.inv.
Ann Majeske
Honored Contributor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Are you sure that you have V5.1 and not V5.1A installed on your system? The Enhanced Security subsets are part of the base OS and you should use the subsets that came with the version of the OS that you are using.

You must reboot the system after turning on Enhanced Security so that everything can sync up and use the Enhanced Security databases.

Ann
Ann Majeske
Honored Contributor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Sorry, I didn't see your last reply. You have the proper subsets installed for V5.1A. I don't think you need to reinstall them, I think you just need to reboot. The matrix.conf file should be updated automatically on reboot.

Ann
Ryan Sheen
Occasional Visitor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1


Thanks Ann for confirming that OSFC2SEC520 is the right subset. I was pretty ignorant to think it might be for 5.2 rather than 5.1.

I did reboot the system after running secconfig, twice. The matrix.conf did not get updated both times.

Anyway, I updated the matrix.conf using the default C2 matrix.conf I found on the net. I am still in testing and things are looking much better at this point.

Ann Majeske
Honored Contributor
Solution

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Hi Ryan,

If you just copied over the matrix.conf it will probably change back on reboot. You could look into using the siacfg command to get your changes to persist across reboots.

Another thing to try, if you have the time and access, would be to go back to Base security, reboot, and then enable Enhanced Security again and reboot again. This could clear the problem if it was just a transitory problem with secconfig.

I also recommend that you make sure you've got the most up to date patches installed. I don't remember any in particular that would help this problem, but it wouldn't hurt.

Ann
Ryan Sheen
Occasional Visitor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Hi Ann

Thanks for the suggestions. I tried the siacfg and it failed on me. The version of siacfg on that machine requires PERL 5.004 and the PERL compiler available is of version 5.003 only. That would explain why the matrix.conf has never changed since 2001 despite the security flip-flopping between Basic and Enhanced security modes several times.

I rebooted the machine and the matrix.conf remained the same, probably for the same reason.

Ann, I have a follow-up question regarding the length of the password in Enhanced mode, asked by ziad: http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=835810
You suggested changing the value of u_oldcrypt to something other than 2. I tried a couple things and found it works when I set the value of u_newcrypt to 32. What is the correlation between the u_old/newcrypt values and the length of the password allowed? Shall the values of u_oldcrypt and u_newcrypt be the same always?

Thanks,
Ann Majeske
Honored Contributor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1

Hi Ryan,

I'm not sure why a u_newcrypt value of 32 would work, since that value is undefined. The crypt values currently defined for Enhanced Security are defined in /usr/include/prot.h; they are:
AUTH_CRYPT_BIGCRYPT 0 - Use bigcrypt
AUTH_CRYPT_CRYPT16 1 - Use crypt16
AUTH_CRYPT_OLDCRYPT 2 - Use crypt
AUTH_CRYPT_C1CRYPT 3 - Use crypt and store the password in /etc/passwd

A crypt value of 1 will get you a password up to 16 characters long and 0 will get you up to 80 characters.

Just FYI, the crypt value of 3 doesn't work all that well, some of the hooks to get the password into the /etc/passwd file instead of the Enhanced Security profile are missing.

You can define your own crypt values and associated routines to do your own encryption. To do this you would use a negative number for the crypt value and create a site callout program. See the entry for "d_pw_site_callout" in the default man page and the example site callout program:
http://users.rcn.com/spiderb/sec/site-pwpolicy.c.txt

Ann
Ryan Sheen
Occasional Visitor

Re: Does enhanced security subset OSFC2SEC520 work on OSF 5.1


I believe the PERL version of the system is not correct. Therefore the matrix.conf was not updated properly during secconfig.

One more thing to be added to the checklist: make sure the PERL version matches the siacfg.

Thanks Ann and BL again.
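
The two checks this thread converges on (the Enhanced Security subset suffix matches the OS release, and Perl is new enough for siacfg), as an added shell example that is not part of any post above. The release-to-suffix map and the 5.004 floor are taken from the replies; the function names and the installed-subset list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Map a `sizer -v` line to the subset suffix named in the thread
# (V5.1 -> 510, V5.1A -> 520, V5.1B -> 540).
expected_suffix() {
    # $1: full line of `sizer -v` output
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*UNIX \(V[0-9][0-9.]*[A-Z]*\) .*/\1/p')
    case "$ver" in
        V5.1)  echo 510 ;;
        V5.1A) echo 520 ;;
        V5.1B) echo 540 ;;
        *)     echo unknown; return 1 ;;   # release not covered by the thread
    esac
}

# Succeed only if both OSFC2SEC<suffix> and OSFXC2SEC<suffix> are installed.
subsets_match() {
    # $1: suffix, $2: newline-separated installed subset names
    for s in "OSFC2SEC$1" "OSFXC2SEC$1"; do
        printf '%s\n' "$2" | grep -qx "$s" || { echo "missing $s"; return 1; }
    done
    echo ok
}

# Compare old-style decimal Perl versions (5.003, 5.004, ...).
perl_ok() {
    # $1: installed version, $2: version siacfg requires
    awk -v have="$1" -v need="$2" 'BEGIN { exit !(have + 0 >= need + 0) }'
}

# sizer line as posted in the thread; the subset list is constructed.
SIZER_LINE='Compaq Tru64 UNIX V5.1A (Rev. 1885); Wed Nov 27 12:38:39 EST 2002'
INSTALLED='OSFC2SEC520
OSFXC2SEC520'

suffix=$(expected_suffix "$SIZER_LINE")
echo "expected subset suffix: $suffix"
subsets_match "$suffix" "$INSTALLED"
perl_ok 5.003 5.004 || echo "perl 5.003 is older than the 5.004 siacfg requires"
```

On a live system the two inputs would come from `sizer -v` and from the subset names the system reports as installed.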