HPE Community
Operating System - HP-UX
1753335 Members
5430 Online
108792 Solutions
New Discussion юеВ

Re: Changing Untrusted system to Trusted System

 
SOLVED
Go to solution
PVM_2
Occasional Contributor

тАО04-10-2011 11:16 PM

тАО04-10-2011 11:16 PM

Changing Untrusted system to Trusted System

Hi,

I have server running on HP-UX 11.23 .Can anybody tell how to change Untrusted system to Trusted System.If i am changing system to trusted system, application will get affect or no???...

Regards,
PVM.
0 Kudos
Reply
6 REPLIES 6
Ismail Azad
Esteemed Contributor

тАО04-11-2011 01:39 AM

тАО04-11-2011 01:39 AM

Re: Changing Untrusted system to Trusted System

Hi PVM,

Use the command /usr/lbin/tscovert to convert to a trusted system although it is always advisable to use SAM for conversion to a trusted system. This would create a /tcb structure and would harden your system in terms of user accounts. If you have the Trusted migration product you can also make use of the SMSE database.

On SAM on auditing and security you should see the option to "convert" to a trusted system. On a modern 11.31 operating system this type of conversion is pretty much an outdated form of hardening your system in terms of the user account aspect.

Regards
Ismail Azad
Read, read and read... Then read again until you read "between the lines".....
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО04-11-2011 01:45 AM

тАО04-11-2011 01:45 AM

Solution

Re: Changing Untrusted system to Trusted System

To change a 11.23 system to Trusted System mode:
Start SAM, select "Auditing and Security" -> "System Security Policies".
SAM should automatically show you a prompt: "The system is not in trusted mode. Before applying security policies, the system must be converted to trusted mode...
Do you want to convert the system to trusted mode? (Yes/No)"
If you answer Yes, SAM will automatically convert the system to Trusted System mode.

If your application does not use HP-UX system passwords or any other authentication information, it will not be affected at all.

If the application uses PAM libraries to perform authentication, it will most likely not be affected at all.

But if the application expects to read password hashes from /etc/passwd (either by reading the file directly, or by using getpwent()/getpwuid()/getpwnam() system calls) and cannot support the getprpwent()/getprpwuid()/getprpwnam() system calls specific to Trusted System mode, the authentication functions of the application will fail.

In untrusted mode, a HP-UX system only stores the first 8 characters of each password: the rest are ignored. In trusted mode, the system can support longer passwords, so the characters after the 8th will no longer be ignored.

If your users are currently using a password that is longer than 8 characters, that password will not be accepted after the conversion to Trusted System mode is complete. The workaround for the users is to log in typing only the first 8 characters of their passwords, then use the "passwd" command to change the password (entering only the first 8 characters to the "old password" prompt and normally to the rest of the prompts). After the password has been changed once, all passwords (even ones longer than 8 characters) should again work as expected.

MK
MK
Reply
PVM_2
Occasional Contributor

тАО04-11-2011 03:49 AM

тАО04-11-2011 03:49 AM

Re: Changing Untrusted system to Trusted System

Hi,

I want to lock the user, when he tries to login multiple times(wrong username and passwd).Is there any way.I have HP-UX 11.23.
System is running in untrusted mode.

Regards
PVM.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО04-11-2011 02:32 PM

тАО04-11-2011 02:32 PM

Re: Changing Untrusted system to Trusted System

No, an standard (untrusted) system does not keep a count of the number of failed logins. That is one of the reasons to convert to a Trusted system.


Bill Hassell, sysadmin
0 Kudos
Reply
grahamswilson
Trusted Contributor

тАО04-22-2011 11:07 AM

тАО04-22-2011 11:07 AM

Re: Changing Untrusted system to Trusted System

...except if you use the Standard Mode Security Extensions (SMSE) instead of Trusted mode...

I know this also can track failed logins and lockout accounts after a pre-defined number - just like what Trusted Mode can do.

Using this would mean you wouldn't have to change into trusted mode.

I haven't used SMSE on 11iv2 (but I know you can use it), but on 11iv3 it works well...

It requires the use of /etc/shadow...
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО04-22-2011 12:53 PM

тАО04-22-2011 12:53 PM

Re: Changing Untrusted system to Trusted System

Hi:

Be advised that 11.31 (11iv3) is the last release to support a Trusted System. See the manpages for 'getprpw (1M)'.

Regards!

...JRF...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.