David Bellamy
Respected Contributor

shadow vs trusted

hi all,

I have a system on which I have to protect the passwd file, but I don't want to trust it. Is there a way to implement some sort of shadow passwd file on a regular Unix system without having to convert to a trusted system?

Thanks in advance
Patrick Wallek
Honored Contributor

Re: shadow vs trusted

There is no shadow password file on HP-UX. It is available on Sun Solaris though. Other than converting your system to trusted, there is not a way I know of to protect the password file from prying eyes.

Re: shadow vs trusted

Why not trust the system?

Do you use NIS? (this is the only reason I can think of for avoiding a trusted system)

I am an HPE Employee
David Bellamy
Respected Contributor

Re: shadow vs trusted

Thanks for the responses.
The reason we didn't want to implement a trusted system had to do with passwd syncing, etc. for a Serviceguard environment; also, its sister node in that environment runs PeopleSoft, which is not C2 certified.
Christopher Caldwell
Honored Contributor

Re: shadow vs trusted

Trusted and C2 aren't the same thing. Just because it's trusted doesn't mean you meet the government's C2 certification criteria.

In HP'ese, if you are Trusted and you employ all of the safeguards required by the government, then you're C2. Many of the requirements have to do with auditing and the like (things you get by being trusted, but not necessarily things you have to use when you are trusted). If you're not DOD or DOE, you shouldn't have to worry about C2.

Given that, Trusted and Shadow are fairly similar. It's certainly possible to keep passwords synced between trusted and non-trusted systems; it just might be a little harder. Just as there are password extraction capabilities for non-trusted systems, there are similar capabilities for trusted systems:
see
man getprpwent
vs
man getpwent

You can use these capabilities to keep things in sync.

Usually if a vendor doesn't run on a trusted system, it's because they haven't taken the 10 minutes required to conditionally reference the trusted system library calls and link to a library :-(.
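As an added example (not code from this thread, from HP, or from any of the vendors mentioned), the following C program shows the "conditionally reference the trusted-system library calls" approach Christopher describes, plus the check an administrator would actually want for David's original concern: does the world-readable passwd file expose real hashes, or only placeholders? The `HPUX_TRUSTED` macro is my own build switch (assumed to be set only when compiling on a converted HP-UX host with `cc -DHPUX_TRUSTED ... -lsec`); the `hpsecurity.h`/`prot.h` headers, `getprpwnam()` and the `ufld.fd_encrypt` field are as I recall them from the HP-UX libsec manpages and should be treated as an assumption to check against `man getprpwent`. Everywhere else the program falls back to the portable `getpwnam()`. The sample passwd text is constructed for the example.

```c
/* Added example: one lookup function that uses the trusted-system API where it
 * exists and the standard one elsewhere, plus an audit of passwd-format text
 * that reports how many entries carry a real hash in the world-readable file. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>
#ifdef HPUX_TRUSTED            /* assumed build switch; only on a trusted HP-UX host */
#include <hpsecurity.h>        /* assumption: HP-UX libsec headers */
#include <prot.h>
#endif

enum pw_state { PW_PLACEHOLDER = 0, PW_HASH_EXPOSED = 1, PW_EMPTY = 2 };

/* Classify a password field as it appears in the world-readable passwd file.
 * "x", "*" and "!"-prefixed (locked) fields mean the real hash lives elsewhere
 * (a shadow file, or /tcb on a trusted HP-UX system); an empty field means no
 * password at all; anything of DES length (13) or longer is treated as a hash. */
enum pw_state passwd_field_state(const char *field)
{
    if (field == NULL || field[0] == '\0') return PW_EMPTY;
    if (strcmp(field, "x") == 0 || field[0] == '*' || field[0] == '!')
        return PW_PLACEHOLDER;
    return strlen(field) >= 13 ? PW_HASH_EXPOSED : PW_PLACEHOLDER;
}

/* Count entries in passwd-format text whose second field exposes a hash.
 * Takes the text in memory so it runs offline on constructed input. */
int count_exposed_entries(const char *passwd_text)
{
    int exposed = 0;
    const char *line = passwd_text;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *c1 = memchr(line, ':', len);
        if (c1 != NULL) {
            size_t rest = len - (size_t)(c1 + 1 - line);
            const char *c2 = memchr(c1 + 1, ':', rest);
            size_t flen = c2 ? (size_t)(c2 - (c1 + 1)) : rest;
            char field[256];
            if (flen >= sizeof field) flen = sizeof field - 1;
            memcpy(field, c1 + 1, flen);
            field[flen] = '\0';
            if (passwd_field_state(field) == PW_HASH_EXPOSED) exposed++;
        }
        line = eol ? eol + 1 : NULL;
    }
    return exposed;
}

/* Fetch the stored password field for `name` through whichever API this host
 * has: getprpwnam(3) from libsec on a trusted HP-UX system, getpwnam(3)
 * otherwise. Returns 0 on success, -1 if the user is unknown. A sync tool
 * between a trusted and a non-trusted node is built around exactly this switch. */
int get_stored_password(const char *name, char *buf, size_t buflen)
{
#ifdef HPUX_TRUSTED
    struct pr_passwd *pr = getprpwnam((char *)name);   /* assumed HP-UX signature */
    if (pr == NULL) return -1;
    strncpy(buf, pr->ufld.fd_encrypt, buflen - 1);
#else
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    strncpy(buf, pw->pw_passwd, buflen - 1);
#endif
    buf[buflen - 1] = '\0';
    return 0;
}

/* Constructed sample in /etc/passwd format: two entries expose a hash. */
static const char SAMPLE_PASSWD[] =
    "root:abJnggxhB/yWI:0:3::/:/sbin/sh\n"
    "daemon:*:1:5::/:/sbin/sh\n"
    "oracle:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:101:20::/home/oracle:/usr/bin/ksh\n"
    "guest::500:20::/home/guest:/usr/bin/sh\n";

int main(void)
{
    char buf[256];
    printf("entries exposing a hash in sample: %d\n",
           count_exposed_entries(SAMPLE_PASSWD));
    /* Report only the classification of the live field, never the field itself. */
    if (get_stored_password("root", buf, sizeof buf) == 0)
        printf("root on this host: %s\n",
               passwd_field_state(buf) == PW_HASH_EXPOSED ? "hash exposed"
                                                           : "placeholder or empty");
    return 0;
}
```

On a non-trusted HP-UX box the live check reports "hash exposed" for every real account, which is the situation David wants to avoid; on a converted system (or a Linux/Solaris host with a shadow file) it reports a placeholder, because the hash has moved out of the world-readable file.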