- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Problem logging in after running "pwconv" on hp-ux...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-29-2013 12:58 AM
01-29-2013 12:58 AM
Problem logging in after running "pwconv" on hp-ux 11i v3
Hi All,
I recently upgraded one of my Integrity VM to 11i v3. My original system was a trusted on and after the upgrade it remained the same. I faced no problems till now.
HP recommends not to use trusted mode with 11i v3 and rather use shadow passwords like other UNIX systems. So, I unconverted my system to untrusted mode using "/usr/lbin/tsconvert –r". After that I created shadow file using "pwconv".
Now, no one can log in to the VM.
I've been unable to pin point the problem. Please, help me resolve this problem.
Regards,
Ashutosh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-29-2013 03:23 AM
01-29-2013 03:23 AM
Re: Problem logging in after running "pwconv" on hp-ux 11i v3
What was the length of your passwords?
If your users were using passwords longer than 8 characters, the "tsconvert -r" would cause the system to truncate the stored passwords to 8 characters, since the traditional mode (non-trusted, non-shadowed) can only store passwords of 8 characters or less. In traditional mode, the extra characters are typically ignored, so the problem will become apparent only after switching out of the traditional mode (either to trusted mode or to shadow mode).
The shadow mode in 11iv3 can use longer passwords if the optional LongPassword 11i3 package is installed:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=LongPassword11i3
Note, if your 11iv3 release is older than March 2009, you'll also need another package before LongPassword11i3 can be installed:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=PHI11i3
Have your users type only the first 8 characters of their old passwords when logging in. After logging in, they should be able to again set a full-length password using the "passwd" command, as usual.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-29-2013 06:19 AM
01-29-2013 06:19 AM
Re: Problem logging in after running "pwconv" on hp-ux 11i v3
Thanks for pointing me in the right direction. I wanted to know if I convert my system from TRUSTED to NON-TRUSTED, does the system changes the password hashes according to the maximum no. of characters that particular mode can accept?
eg. if my password for TRUSTED system is "ashutosh123", will the NON-TRUSTED system accept my password "ashutosh123" or can it accept all these "ashutosh", "ashutosh123456", "ashutosh#####".
Regards,
Ashutosh Singh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-29-2013 07:27 AM
01-29-2013 07:27 AM
Re: Problem logging in after running "pwconv" on hp-ux 11i v3
The standard password hash algorithm for the trusted mode is bigcrypt(), which hashes the password in 8-character blocks.
The resulting bigcrypt() password hash contains 2 characters of salt, and then one or more blocks of 11 characters, each of which correspond to a group of 8 characters in the password. Any password of 8 characters or less will be hashed to a 13-character string (2-character salt + 1 block), any password that is 9..16 characters in length will be hashed to a 24-character string (2-character salt + 2 blocks), and so on, up to a length of 10 blocks.
When a system is converted from trusted to non-trusted, the password hashes longer than the traditional 13 characters are truncated to exactly 13 characters. With bigcrypt(), this simply means that the extra blocks at the end are removed, and the remaining is a valid hash of the first 8 characters of the user's password, which is compatible with the traditional Unix crypt() password hash algorithm.
So, yes. If you've set "ashutosh123" as your password while the system is in trusted mode, and then convert the system to non-trusted mode, the system will certainly accept "ashutosh" and will most likely also accept "ashutosh123", "ashutosh123456", and "ashutosh#####", although this may somewhat depend on which login method you're using.
But when you convert from non-trusted mode to shadow mode, the 8-character restriction of the traditional mode is removed again. Although the longer passwords can be stored only if the SHA512-based password hash algorithm is enabled, the rest of the password verification code will check all the characters, not just the first 8.
Unfortunately you cannot convert directly from trusted mode to shadow mode: you must go through the traditional non-trusted mode, and have your password hashes truncated before you can switch to shadow mode. After that, if you're trying to log in using your original password "ashutosh123" and the truncated password hash indicates the right password is just "ashutosh", the system might not allow you to log in.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-30-2013 12:42 AM
01-30-2013 12:42 AM
Re: Problem logging in after running "pwconv" on hp-ux 11i v3
Also, can you please let me know the source of your information above? I want to know more about this and I've not found any resource discussing this topic.
Regards,
Ashutosh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-30-2013 02:59 AM
01-30-2013 02:59 AM
Re: Problem logging in after running "pwconv" on HP-UX 11.31
>I'm thinking there must be a way to convert a system from tradition mode
The command pwconv(1M) only takes its info from /etc/passwd.
>can't expect me to change each users password after I change the system to use shadow password.
It can't expect you because it is impossible with the current two step process, which has the limitation of passwd(4).
>can you please let me know the source of your information above?
pwconv(1M) mentions how it works.