HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Migrating user from trusted hp-ux to untrusted hp-ux

 
SOLVED
Go to solution
Haris Hashim
Occasional Visitor

Migrating user from trusted hp-ux to untrusted hp-ux

Referring to

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1259823029263+28353475&threadId=1212160

Solution suggested in the discussion is for migrating from trusted system to another trusted system.

However I am trying to do the same but to migrate to untrusted system.

My opinion is that the only different is /etc/passwd is * instead of the encrypted password.

In trusted system, encrypted password is in tcb file structure.

My question is:

1. Is it possible to use encrypted password in the tcb file structure but in /etc/passwd. Will this work in untrusted system?

2. Is there any script that do this. I.e migrate user from trusted hp-ux machine to untrusted hp-ux machine.

3. If there is no such script, any advice for me if I'm going to write it.

My objective is to migrate the user exactly as it is configured in the trusted server. Would like to do this without any impact to the trusted server. For instance, not looking forward to make the trusted server to untrusted and then copying /etc/passwd ... or such.

Thanks in advance!
7 REPLIES
smatador
Honored Contributor

Re: Migrating user from trusted hp-ux to untrusted hp-ux

Hi,
You could perhaps migrate user from trusted to trusted and after that untrusted them with tsconvert -r
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=839509

You could test to untrusted your trusted hpux, get a copy of the /etc/passwd and after that re-trusted it.
HTH.
Haris Hashim
Occasional Visitor

Re: Migrating user from trusted hp-ux to untrusted hp-ux

Helo smatador,

I proceed with the step as in migrating user from trusted to trusted.

It works. Eventhough I am migrating user from trusted to untrusted system.

I guess it boils down to this:

1. If /etc/passwd have * in the password field. In untrusted system, the account should be blocked.

HOWEVER

2. After copying the tcb folder structure. Having * in /etc/passwd does not block the user if there the user exist in tcb file structure


Can anyone confirm this? I think this is what happen in my case. But not sure about it.

Thanks in advance!
Bill Hassell
Honored Contributor

Re: Migrating user from trusted hp-ux to untrusted hp-ux

For an untrusted system, the * is just one of any character strings less than 13 that will disable a user's login. The password string in the trusted system would be the same as long as the current password is 8 or less characters. If the password is longer than 8, thene there is no way to use the password from the /tcb directory. You can also see this in the /tcb database of user IDs. The encrypted string following u_pwd= must be exactly 13 characters followed by the : character. If it is 26 characters, then the password is more than 8 characters and you will have to give the user a new password on the untrusted system.


Bill Hassell, sysadmin
Haris Hashim
Occasional Visitor

Re: Migrating user from trusted hp-ux to untrusted hp-ux

Hello Bill Hassel,

I think you are replying to my first post. The way I understand it is:

1. If upon checking encrypted password in the tcb structure, it is exactly 13 character. In this situation I can copy the encrypted password from tcb structures to /etc/passwd. And it will work!

2. If upon checking encrypted password in the tcb file structure, it is more than 13 characters (which is exactly 26 characters). This means that the encrypted password can not be copied into /etc/password as it will not work.

Thanks for you answer to my original post.

However, I have follow the step that involve copying tcb file structures. And it looks like doing so solve my problem.

Possibly because copying the tcb file structure to untrusted system cause the system to be automatically become trusted.

Appreciate it if someone can confirm this.

TIA
Haris


Matti_Kurkela
Honored Contributor
Solution

Re: Migrating user from trusted hp-ux to untrusted hp-ux

The HP-UX system decides whether it's currently trusted or not by checking if the file /tcb/files/auth/system/default exists. If it exists, the system is trusted; if not, it isn't.

So if you copy the entire /tcb file hierarchy from a trusted system to an untrusted one, including /tcb/files/auth/system/default, that makes the second system trusted too.

----

If you get the encrypted password strings from the /tcb file structure and move them to /etc/passwd, it will sort of work _if and only if_ the user's passwords are 8 characters long or shorter.

The trusted system mode uses an expanded version of traditional Unix password hashing algorithm. If the password is 8 characters or less, the encryption result is compatible with the traditional algorithm; but if the password is longer than that, the algorithm will produce an incompatible extended password hash.

When the HP-UX system is in untrusted mode, the password hashing algorithm used in /etc/passwd is strictly the traditional one. If a trusted-mode encrypted password (with unencrypted length of 9 or more characters) is copied to /etc/passwd, logging in to that account becomes impossible until the password is changed.

In the non-trusted mode, the user can type more than 8 characters into the password prompt - but only the first 8 characters will be passed to the encryption process, producing a standard-length Unix password hash. This hash will then be compared with the stored password hash: if they match, the password is accepted. But if an extended password hash is copied to /etc/passwd, the encrypted strings will not be of equal length and the comparision will always fail.

MK
MK
Haris Hashim
Occasional Visitor

Re: Migrating user from trusted hp-ux to untrusted hp-ux

Thanks! Exactly the answer I am looking for.

Haris Hashim
Occasional Visitor

Re: Migrating user from trusted hp-ux to untrusted hp-ux

All the answers are great. The one by Matti Kurkela give an insight and confirm my findings.