Security
cancel
Showing results for 
Search instead for 
Did you mean: 

Is there a shadow password file with secsetup?

SOLVED
Go to solution
Linda Card
Frequent Advisor

Is there a shadow password file with secsetup?

I ran secsetup on my Tru64 4.0g machine. I editted the default file in with the minchg, minleng u_nullpw and a few others. I thought I was done. But where are my encrypted passwords, no shadow file. Hmmmm.
Then I noticed that when I created a new user (fred) using the admin daily - acct mgmt, my new user got an entry in /etc/passwd but he was not in /tcb/files/auth/f.
I dug thru the SecManual again and found convauth. I ran it -d df -v and now have some new files with .db including my default. And now when I add a new user (linda), I still don't get a /tcb/files/auth/l/linda file but I can see it in the db by using "grep linda auth.db"

Question: So should I have run the convauth immediately after the secsetup to keep things tidy?

Question: Is there another process that I need to run on the 4.0g box to further enhance my security?

Thank you,
Linda
5 REPLIES
Ann Majeske
Honored Contributor
Solution

Re: Is there a shadow password file with secsetup?

For V4.0G secsetup should be all that you need. It can be used to go both from Base to Enhanced Security and Enhanced to Base Security. Starting in V4.0 the extended profiles are stored in the auth.db files, not the /tcb/files/auth... tree, you must be a real old-timer to remember those files from the V3.* days :) The extended profiles in the auth.db files should have been created by secsetup (it runs convauth automatically), you shouldn't have to run convauth by hand. You can use the "/usr/tcb/bin/edauth" command to see the contents of the auth.db file. Your system isn't running Enhanced Security unless you've got auth.db files and your matrix.conf file has been updated to use the Enhanced Security library AND you have rebooted. secsetup should take care of the first two, so I'm not quite sure what's going on.

A few things to check to see where things went wrong:
1) Are you sure you answered the secsetup questions correctly? (I know this sounds like a silly question, but if you accidentally told it to go from Base security to Base security you're not going to get very far :)
2) Did you REBOOT after running secsetup? The system will not be completely running Enhanced Security until after the reboot. (But this wouldn't explain the extended profiles not getting created...)
3) Look at the contents of the /etc/sia/matrix.conf file. Some of the entries will be the same for base or enhanced security, e.g.:
siad_setpwent=(BSD,libc.so)
But for Enhanced Security you should see some entries with the following format:
siad_chg_finger=(OSFC2,/usr/shlib/libsecurity.so)
If you don't have the Enhanced Security entries in the matrix.conf file the system won't use the extended profiles (you aren't running Enhanced Security).
4) What are the exact outputs/entries from secsetup?

Ann



Ann Majeske
Honored Contributor

Re: Is there a shadow password file with secsetup?

My system isn't showing my previous reply, so posting it again. My apologies if you have to look at this twice :)

For V4.0G secsetup should be all that you need. It can be used to go both from Base to Enhanced Security and Enhanced to Base Security. Starting in V4.0 the extended profiles are stored in the auth.db files, not the /tcb/files/auth... tree, you must be a real old-timer to remember those files from the V3.* days :) The extended profiles in the auth.db files should have been created by secsetup (it runs convauth automatically), you shouldn't have to run convauth by hand. You can use the "/usr/tcb/bin/edauth" command to see the contents of the auth.db file. Your system isn't running Enhanced Security unless you've got auth.db files and your matrix.conf file has been updated to use the Enhanced Security library AND you have rebooted. secsetup should take care of the first two, so I'm not quite sure what's going on.

A few things to check to see where things went wrong:
1) Are you sure you answered the secsetup questions correctly? (I know this sounds like a silly question, but if you accidentally told it to go from Base security to Base security you're not going to get very far :)
2) Did you REBOOT after running secsetup? The system will not be completely running Enhanced Security until after the reboot. (But this wouldn't explain the extended profiles not getting created...)
3) Look at the contents of the /etc/sia/matrix.conf file. Some of the entries will be the same for base or enhanced security, e.g.:
siad_setpwent=(BSD,libc.so)
But for Enhanced Security you should see some entries with the following format:
siad_chg_finger=(OSFC2,/usr/shlib/libsecurity.so)
If you don't have the Enhanced Security entries in the matrix.conf file the system won't use the extended profiles (you aren't running Enhanced Security).
4) What are the exact outputs/entries from secsetup?

Ann



Linda Card
Frequent Advisor

Re: Is there a shadow password file with secsetup?

Ann,

I think that I must have fat-fingered it when I ran the secsetup the first time.

/tcb/files is where my auth.db is, though right? I do see the encrypted passwords, too.

I have the /etc/sia/OSFC2_matrix.conf in palce and looks good.

And the default file is in /etc/auth/system, correct? I editted it for minchg, exp and minlength and couple other things to conform with govt standards. Then I noticed that I could see those changes in the GUI App Mgr - Daily Admin - Account Mgr (Run as root) - then click on a user to open it click the security button at the bottom. I see the password length adjust as soon as I write that change to the /etc/auth/system/default file.

Am I on the right track??

Linda
Ann Majeske
Honored Contributor

Re: Is there a shadow password file with secsetup?

I got an error the first time I tried to post this, my apologies if you see it twice.

Hi Linda,

Just to confuse things, there are two auth.db files :) /tcb/files/auth.db and /var/tcb/files/auth.db. /tcb/files/auth.db holds the account information for accounts with uids less than 100, /var/tcb/files/auth.db holds the rest of the accounts. This is so that you have the account information for root and root can log in even in single user mode or a minimal boot where you only have the boot disk present, but you don't have to take space on the boot disk to hold all of the user accounts.

To be running Enhanced Security in V4.0G the /etc/sia/matrix.conf file should either be an exact copy of OSFC2_matrix.conf or it should be a link to OSFC2_matrix.conf, I'm not sure which (it's been a while since I set up a V4.0G system).

Yes, the default file is in /etc/auth/system. The fact that you can see changes to this file reflected in the dxaccounts GUI is a very good sign :) I would be careful making changes to the default file by hand while I had the GUI open though. There may be some cases where you have to exit the GUI and restart it to see any changes to files that you changed by hand.

Ann
Linda Card
Frequent Advisor

Re: Is there a shadow password file with secsetup?

Ann,
Thanks for the clarification on the two auth.db files based on GID. That does clear it up for me.