Changing Untrusted system to Trusted System

 
PVM_2
Occasional Contributor

Changing Untrusted system to Trusted System

Hi,

I have a server running HP-UX 11.23. Can anybody tell me how to change an Untrusted system to a Trusted System? If I change the system to a trusted system, will the application be affected or not?

Regards,
PVM.
6 REPLIES
Ismail Azad
Esteemed Contributor

Re: Changing Untrusted system to Trusted System

Hi PVM,

Use the command /usr/lbin/tsconvert to convert to a trusted system, although it is always advisable to use SAM for conversion to a trusted system. This would create a /tcb structure and would harden your system in terms of user accounts. If you have the Trusted migration product you can also make use of the SMSE database.

In SAM, under Auditing and Security, you should see the option to "convert" to a trusted system. On a modern 11.31 operating system this type of conversion is pretty much an outdated form of hardening your system in terms of the user account aspect.

Regards
Ismail Azad
Read, read and read... Then read again until you read "between the lines".....
Matti_Kurkela
Honored Contributor
Solution

Re: Changing Untrusted system to Trusted System

To change a 11.23 system to Trusted System mode:
Start SAM, select "Auditing and Security" -> "System Security Policies".
SAM should automatically show you a prompt: "The system is not in trusted mode. Before applying security policies, the system must be converted to trusted mode...
Do you want to convert the system to trusted mode? (Yes/No)"
If you answer Yes, SAM will automatically convert the system to Trusted System mode.

If your application does not use HP-UX system passwords or any other authentication information, it will not be affected at all.

If the application uses PAM libraries to perform authentication, it will most likely not be affected at all.

But if the application expects to read password hashes from /etc/passwd (either by reading the file directly, or by using getpwent()/getpwuid()/getpwnam() system calls) and cannot support the getprpwent()/getprpwuid()/getprpwnam() system calls specific to Trusted System mode, the authentication functions of the application will fail.

In untrusted mode, an HP-UX system only stores the first 8 characters of each password: the rest are ignored. In trusted mode, the system can support longer passwords, so the characters after the 8th will no longer be ignored.

If your users are currently using a password that is longer than 8 characters, that password will not be accepted after the conversion to Trusted System mode is complete. The workaround for the users is to log in typing only the first 8 characters of their passwords, then use the "passwd" command to change the password (entering only the first 8 characters to the "old password" prompt and normally to the rest of the prompts). After the password has been changed once, all passwords (even ones longer than 8 characters) should again work as expected.

MK
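An added example, not part of the answer above: a POSIX shell check that classifies the password field of each passwd-format line, so you can see which accounts still expose a hash that a getpwnam()-style application could read. The class names, function names and sample lines are constructed for illustration; it assumes a Trusted System leaves "*" in the field and a shadowed system leaves "x".

```shell
#!/bin/sh
# Classify the password field (field 2) of passwd-format lines read on stdin.
# Assumed meanings (not taken from the thread):
#   13 chars of [./0-9A-Za-z], optionally ",aging" -> hash stored in the file
#   "x"                                            -> hash kept in /etc/shadow
#   empty                                          -> account has no password
#   anything else (e.g. "*")                       -> no usable hash in this file
classify_passwd() {
    awk -F: '
        $0 == "" || /^#/ { next }              # skip blank and comment lines
        {
            pw = $2
            sub(/,.*/, "", pw)                 # drop password-aging suffix
            if (pw == "")            c = "EMPTY"
            else if (pw == "x")      c = "SHADOW"
            else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$")
                                     c = "HASH_IN_PASSWD"
            else                     c = "NO_HASH"
            print $1 ":" c
        }'
}

# Count the accounts that fall into one class, e.g. HASH_IN_PASSWD.
count_class() {
    classify_passwd | awk -F: -v c="$1" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample input; the hash strings are made up, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:Xy0123456789a:0:3::/:/sbin/sh
alice:Xy0123456789b,M.3k:101:20::/home/alice:/usr/bin/sh
bob:*:102:20::/home/bob:/usr/bin/sh
carol:x:103:20::/home/carol:/usr/bin/sh
dave::104:20::/home/dave:/usr/bin/sh
EOF
}

# Demo on the sample; on a real host run: classify_passwd < /etc/passwd
sample_passwd | classify_passwd
```

Running it before and after a conversion shows whether any account is still classed HASH_IN_PASSWD; an application that only works while such entries exist is the kind described above as reading hashes from /etc/passwd.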
PVM_2
Occasional Contributor

Re: Changing Untrusted system to Trusted System

Hi,

I want to lock the user when he tries to log in multiple times (wrong username and passwd). Is there any way? I have HP-UX 11.23.
System is running in untrusted mode.

Regards
PVM.
Bill Hassell
Honored Contributor

Re: Changing Untrusted system to Trusted System

No, a standard (untrusted) system does not keep a count of the number of failed logins. That is one of the reasons to convert to a Trusted system.


Bill Hassell, sysadmin
grahamswilson
Trusted Contributor

Re: Changing Untrusted system to Trusted System

...except if you use the Standard Mode Security Extensions (SMSE) instead of Trusted mode...

I know this can also track failed logins and lock out accounts after a pre-defined number - just like what Trusted Mode can do.

Using this would mean you wouldn't have to change into trusted mode.

I haven't used SMSE on 11iv2 (but I know you can use it), but on 11iv3 it works well...

It requires the use of /etc/shadow...
James R. Ferguson
Acclaimed Contributor

Re: Changing Untrusted system to Trusted System

Hi:

Be advised that 11.31 (11iv3) is the last release to support a Trusted System. See the manpages for 'getprpw (1M)'.

Regards!

...JRF...