Operating System - HP-UX
1748226 Members
4573 Online
108759 Solutions
New Discussion

Problem logging in after running "pwconv" on hp-ux 11i v3

 
ashutosh99
Frequent Advisor

Problem logging in after running "pwconv" on hp-ux 11i v3

Hi All,

 

I recently upgraded one of my Integrity VM to 11i v3. My original system was a trusted on and after the upgrade it remained the same. I faced no problems till now.

 

HP recommends not to use trusted mode with 11i v3 and rather use shadow passwords like other UNIX systems. So, I unconverted my system to untrusted mode using "/usr/lbin/tsconvert –r". After that I created shadow file using "pwconv".

Now, no one can log in to the VM. 

 

I've been unable to pin point the problem. Please, help me resolve this problem.

 

Regards,

Ashutosh

5 REPLIES 5
Matti_Kurkela
Honored Contributor

Re: Problem logging in after running "pwconv" on hp-ux 11i v3

What was the length of your passwords?

 

If your users were using passwords longer than 8 characters, the "tsconvert -r" would cause the system to truncate the stored passwords to 8 characters, since the traditional mode (non-trusted, non-shadowed) can only store passwords of 8 characters or less. In traditional mode, the extra characters are typically ignored, so the problem will become apparent only after switching out of the traditional mode (either to trusted mode or to shadow mode).

 

The shadow mode in 11iv3 can use longer passwords if the optional LongPassword 11i3 package is installed:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=LongPassword11i3

 

Note, if your 11iv3 release is older than March 2009, you'll also need another package before LongPassword11i3 can be installed:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=PHI11i3

 

Have your users type only the first 8 characters of their old passwords when logging in. After logging in, they should be able to again set a full-length password using the "passwd" command, as usual.

MK
ashutosh99
Frequent Advisor

Re: Problem logging in after running "pwconv" on hp-ux 11i v3

Hi Matti,

Thanks for pointing me in the right direction. I wanted to know if I convert my system from TRUSTED to NON-TRUSTED, does the system changes the password hashes according to the maximum no. of characters that particular mode can accept?

eg. if my password for TRUSTED system is "ashutosh123", will the NON-TRUSTED system accept my password "ashutosh123" or can it accept all these "ashutosh", "ashutosh123456", "ashutosh#####".

Regards,
Ashutosh Singh
Matti_Kurkela
Honored Contributor

Re: Problem logging in after running "pwconv" on hp-ux 11i v3

The standard password hash algorithm for the trusted mode is bigcrypt(), which hashes the password in 8-character blocks.

The resulting bigcrypt() password hash contains 2 characters of salt, and then one or more blocks of 11 characters, each of which correspond to a group of 8 characters in the password. Any password of 8 characters or less will be hashed to a 13-character string (2-character salt + 1 block), any password that is 9..16 characters in length will be hashed to a 24-character string (2-character salt + 2 blocks), and so on, up to a length of 10 blocks.

 

When a system is converted from trusted to non-trusted, the password hashes longer than the traditional 13 characters are truncated to exactly 13 characters. With bigcrypt(), this simply means that the extra blocks at the end are removed, and the remaining is a valid hash of the first 8 characters of the user's password, which is compatible with the traditional Unix crypt() password hash algorithm.

 

So, yes. If you've set "ashutosh123" as your password while the system is in trusted mode, and then convert the system to non-trusted mode, the system will certainly accept "ashutosh" and will most likely also accept "ashutosh123", "ashutosh123456", and "ashutosh#####", although this may somewhat depend on which login method you're using.

 

But when you convert from non-trusted mode to shadow mode, the 8-character restriction of the traditional mode is removed again. Although the longer passwords can be stored only if the SHA512-based password hash algorithm is enabled, the rest of the password verification code will check all the characters, not just the first 8.

 

Unfortunately you cannot convert directly from trusted mode to shadow mode: you must go through the traditional non-trusted mode, and have your password hashes truncated before you can switch to shadow mode. After that, if you're trying to log in using your original password "ashutosh123" and the truncated password hash indicates the right password is just "ashutosh", the system might not allow you to log in.

MK
ashutosh99
Frequent Advisor

Re: Problem logging in after running "pwconv" on hp-ux 11i v3

Thanks Matti for the detailed explanation. I'm thinking there must be a way to convert a system from tradition modes (it doesn't matters whether the system is trusted or not) to shadow mode. I'll always have users who have passwords greater than 8 characters and HP surely can't expect me to change each users password after I change the system to use shadow password.

Also, can you please let me know the source of your information above? I want to know more about this and I've not found any resource discussing this topic.

Regards,
Ashutosh
Dennis Handly
Acclaimed Contributor

Re: Problem logging in after running "pwconv" on HP-UX 11.31

>I'm thinking there must be a way to convert a system from tradition mode

 

The command pwconv(1M) only takes its info from /etc/passwd.

 

>can't expect me to change each users password after I change the system to use shadow password.

 

It can't expect you because it is impossible with the current two step process, which has the limitation of passwd(4).

>can you please let me know the source of your information above?

 

pwconv(1M) mentions how it works.