
Convert Solaris passwords to HP-UX

 
Bob_165
Frequent Advisor

I'm trying to migrate from a Solaris system to HP-UX.
My simple try at this was to create a user on the HP box then cut and paste the SUN's /etc/shadow password into the new user's /etc/passwd file on the HP. It didn't work.
So I believe Solaris keeps their hashed passwd in a different format than that of HP-UX. I've googled around and I believe that SUN uses DES hashing and HP-UX uses MD5.
Is there a way to convert these passwords?
I've looked through pam and couldn't find anything.

Thanks in advance for any help!
15 REPLIES
A. Clay Stephenson
Acclaimed Contributor

Re: Convert Solaris passwords to HP-UX

I rather doubt that that is your problem although since you haven't bothered to identify your HP-UX version or the security setting, it's difficult to know. HP-UX doesn't normally use shadowed passwords per se but rather a Trusted Database. It also commonly uses the traditional /etc/passwd file and this is referred to as "untrusted" mode. Look to see if you have a filetree under /tcb. For example, the password hash for user mmouse is stored under /tcb/files/auth/m/mmouse along with other attributes such as time of last login.

The other gotcha is that HP-UX uses an optional bigcrypt() function to encode passwords whose plaintext exceeds 8 characters. This behavior can be changed using PAM modules but it's a non-trivial exercise.
If it ain't broke, I can fix that.
Bob_165
Frequent Advisor

Re: Convert Solaris passwords to HP-UX

Thanks for the reply.

The HP system is not trusted.

I am migrating from Solaris to HP-UX. The Solaris keeps the password in the /etc/shadow file for example:
jgarza:gXU9S9EyMLFvg:13102::::::

BTW: This password is caddy670 on the Solaris.

The Solaris /etc/passwd file for the same user is:
jgarza:x:1089:15:Johnny Garza:/usr/users/jgarza:/bin/csh

Forgetting the /home dir and the shell info. I am simply trying to move the passwords. The rest I can modify via a vi replace.

The question is: how do I get the Solaris hashed password to be recognized by HP-UX?

I have even tried to install the HP shadow patch thinking that it may do something to the hashing (encryption). No dice.

I have searched and searched; it is hard to believe no one has migrated from a Solaris to an HP without resetting all the passwords. In my case it is over 200.

I have migrated from SCO to HP; and Tru64 to HP all with no problems.

This forum has always had the answers. I use it all the time. I have searched and can not find anything even close. Google has nothing either.

I keep thinking that SUN is using a different hashing method???

HELP!!
BUPA IS
Respected Contributor

Re: Convert Solaris passwords to HP-UX

Hello,
Does this help? You do not say what the Solaris release is. It might be easier to fix them at the Solaris end.

http://learningsolaris.com/archives/2006/01/19/password-hashing-algorithm/

http://www.sun.com/software/whitepapers/solaris9/pam.pdf

You would probably have to do a full install of Solaris 9 2 to get there. Change the encryption algorithm. Then get everybody to change their password. Then copy the files across.
Good luck,
Mike.
Help is out there always!!!!!
Darren Prior
Honored Contributor

Re: Convert Solaris passwords to HP-UX

Hi Bob,

If you have an untrusted HP-UX system and shadow passwords on the Solaris system then you will need to move the encrypted passwords into the /etc/passwd file. In your example:

/etc/shadow file:
jgarza:gXU9S9EyMLFvg:13102::::::

/etc/passwd file:

jgarza:x:1089:15:Johnny Garza:/usr/users/jgarza:/bin/csh

This will need to become the following /etc/passwd entry:

jgarza:gXU9S9EyMLFvg:1089:15:Johnny Garza:/usr/users/jgarza:/bin/csh

However, it appears that your uids do not match - this may or may not be a concern to you.

regards,

Darren.
Calm down. It's only ones and zeros...
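
Added example, not part of the post above or of the thread: a shell/awk version of the merge Darren describes, for doing the same thing across many accounts. It carries over only 13-character traditional crypt(3) hashes and writes `*` for everything else; the function names, the `*` placeholder and every sample account except jgarza are assumptions.

```shell
#!/bin/sh
# Fold Solaris /etc/shadow hashes into passwd-format lines for an untrusted
# HP-UX system. Merged lines go to stdout, skipped accounts to stderr.
merge_shadow() {  # usage: merge_shadow SHADOW_FILE PASSWD_FILE
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }          # first file: shadow
    {
      h = "*"; why = ""                        # "*" = placeholder, no login
      if (!($1 in hash))                         why = "no shadow entry"
      else if (hash[$1] == "")                   why = "empty password field"
      else if (index(hash[$1], "*LK*") == 1 || hash[$1] == "NP")
                                                 why = "locked or no-password account"
      else if (substr(hash[$1], 1, 1) == "$")    why = "non-DES ($id$) hash"
      else if (length(hash[$1]) != 13 || hash[$1] !~ "^[./0-9A-Za-z]+$")
                                                 why = "not a 13-char crypt(3) hash"
      else h = hash[$1]
      if (why != "") print "skip " $1 ": " why > "/dev/stderr"
      $2 = h                                   # replace the "x" marker
      print
    }' "$1" "$2"
}

# Constructed sample input; only the jgarza lines are quoted from the thread.
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' 'jgarza:gXU9S9EyMLFvg:13102::::::' \
                'olduser:*LK*:::::::' \
                'md5user:$1$CONSTRUCTED$notARealHashValue000000:13102::::::' \
                > "$d/shadow"
  printf '%s\n' 'jgarza:x:1089:15:Johnny Garza:/usr/users/jgarza:/bin/csh' \
                'olduser:x:1090:15:Old User:/usr/users/olduser:/bin/csh' \
                'md5user:x:1091:15:MD5 User:/usr/users/md5user:/bin/csh' \
                'nohash:x:1092:15:No Shadow:/usr/users/nohash:/bin/csh' \
                > "$d/passwd"
  merge_shadow "$d/shadow" "$d/passwd"
  rm -rf "$d"
}
demo
```

The stderr list is the set of accounts that still need a password reset on the HP-UX side.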
Bob_165
Frequent Advisor

Re: Convert Solaris passwords to HP-UX

Hi Mike--

The Sun Solaris version is an old 5.6!
Upgrading the Sun system is not an option.

But you do bring up a point. The HP system is new (no users yet). So that brings up what I was looking at earlier -- changing the authentication hashing routine via pam.

The /etc/pam.conf points to libpam_unix.1

# Authentication Management
#
dtaction auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1

Under the /usr/lib/security there are these files:

libpam_authz.1 libpam_krb5.1 libpam_ntlm.1 libpam_updbe.1
libpam_dce.1 libpam_ldap.1 libpam_unix.1

I am wondering if unix.1 is MD5 and dce.1 is DES??

Darren---that was the first thing I tried..

Thanks for the replies so far!!
Bob_165
Frequent Advisor

Re: Convert Solaris passwords to HP-UX

Well---I tried changing the one line in pam.conf:

login auth required /usr/lib/security/libpam_unix.1

To each one of these:
libpam_authz.1 libpam_krb5.1 libpam_ntlm.1 libpam_updbe.1
libpam_dce.1 libpam_ldap.1

No luck---I knew ldap.1 would not work.
Some actually let you in without a password.
I did try the HP-UX shadow patch. That did not change the hashing.
So I'm still stuck.
A. Clay Stephenson
Acclaimed Contributor

Re: Convert Solaris passwords to HP-UX

Try this on both your Solaris box and your HP-UX box for a single known user. If you haven't created a user on the HP-UX end, do so now (or you can simply use root):

Examine the password hash and note the 1st 2 characters (the "salt"). Next run this Perl one-liner:

perl -e 'print crypt("secret","Eb"),"\n";'

where "secret" is the plaintext password and "Eb" is the salt mentioned above. The output will be the password hash. When these two match on both boxes, you have equivalent password hashing.
If it ain't broke, I can fix that.
Darren Prior
Honored Contributor

Re: Convert Solaris passwords to HP-UX

Is Solaris using crypt for shadow passwords though? HP-UX uses bigcrypt for trusted systems, so those encrypted passwords would be no use on a non-trusted system. In the same way, if Solaris is not using crypt then you'll not be able to use the same encrypted passwords.

Looking at this from another angle, why don't you make people enter new passwords? It's generally considered good security to change passwords on a regular basis.

regards,

Darren.
Calm down. It's only ones and zeros...
Bob_165
Frequent Advisor

Re: Convert Solaris passwords to HP-UX

Clay,

That's a good test except they do not have perl on the Solaris system.

I'm pretty sure that will tell me what I already know... the hashing is different between a Solaris 5.6 and HP-UX.
I was hoping there is something I could change on HP-UX to translate the Solaris hashed password. I had hoped it was in the pam.conf. It may still be. I have got to do some more research on those pam lib files.

Darren,

I doubt they are running anything but straight Solaris 5.6, with no extra crypting.

On the HP side I've tried untrusted... but not trusted. I'll try that this afternoon and stick the password from the Solaris /etc/shadow into the appropriate HP-UX /tcb/auth file.

While I agree it's a good practice to change the passwords every 90 days or so, it is just not the best time to do this when you are going live on a new system.