Operating System - HP-UX

Trusted system after pwconv

 
Timothy Nibbe
Advisor

Trusted system after pwconv

I have a system running 11i v2 that has had the pwconv command run on it to create shadow passwords.

I want to convert the system to a Trusted system, and SAM will not allow me to do this because of the shadow passwords.

Can a system that has had the pwconv command run on it be converted to a Trusted system?
Kapil Jha
Honored Contributor

Re: Trusted system after pwconv

You have to do pwunconv and then convert to trusted.
A system with shadow passwd cannot be trusted.
BR,
Kapil
I am in this small bowl, I wane see the real world......
James R. Ferguson
Acclaimed Contributor

Re: Trusted system after pwconv

Hi Timothy:

You either run a shadow password implementation or a TCB one. If you wish to transition to TCB, you can run 'pwunconv(1m)' to disable shadow passwords and then convert to a TCB.

I would point out that as of 11.31, Trusted system implementations are deprecated.

Bill Hassell has some good comments in this thread:

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1214608

Regards!

...JRF...

Kapil Jha
Honored Contributor

Re: Trusted system after pwconv

>>system with shadow passwd can not be trusted
should be

>>system with shadow passwd can not be TCB

This could make some difference in understanding ;)

Kapil
I am in this small bowl, I wane see the real world......
Timothy Nibbe
Advisor

Re: Trusted system after pwconv

Thanks.

I was needing to implement account lockout after n login failures and the only way I could see to do that was to go to Trusted mode.
Bill Hassell
Honored Contributor

Re: Trusted system after pwconv

Actually, there is a new package for 11.23 and later called Standard Mode Security Extension (SMSE). Trusted is the best choice as it has a large set of controls for authentication, but old applications often do not use PAM and assume all Unix boxes have a shadow password file. SMSE adds the needed enhancements but retains a more compatible interface for the old stuff.


Bill Hassell, sysadmin
Emil Velez
Honored Contributor

Re: Trusted system after pwconv

Standard Mode Security Extensions (SMSE) provides you most of the features of trusted systems, really, except for generating passwords. You can restrict certain users to certain passwords. You can lock the account after a certain number of retries. It is configured with commands called userdbset and userdbget; look them up.

If you attend the HPUX Security class we cover the features there.
Timothy Nibbe
Advisor

Re: Trusted system after pwconv

Thank you very much.