System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

password history depth in a non-trusted system // converting to a trusted system

SOLVED
Go to solution
sujit kumar singh
Honored Contributor

password history depth in a non-trusted system // converting to a trusted system

Hi
i am running 11.23 server Itanium and RISC both and using the /etc/shadow file. The sytems are not trusted that is are standard systems.
man security says that for password history depth can be implemented to a trusted system only.
PASSWORD_HISTORY_DEPTH=N A new password is checked
against only the N most recently used passwords for a
particular user.

then i need to convert the system to trusted mode.

My questions are:

1) is there any way that i can implement the PAssword History Depth withjout making the system trusted?

2) if i have to make the system trusted how is this going to affect the users on the system and deal with the current /etc/shadow and /etc/passwd files and what are the precautions that i have to keep in fore front doing this.

I have on most of the systems lot of java users and oracle users and java as well as Oracle processes running.

regards
sujit
7 REPLIES
TTr
Honored Contributor
Solution

Re: password history depth in a non-trusted system // converting to a trusted system

Check out the security extensions package. It gives you a subset of a trusted system environment including password history.

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

sujit kumar singh
Honored Contributor

Re: password history depth in a non-trusted system // converting to a trusted system

Hi TTr,

thanks for the reply.
what are the impacts possibly if we are converting to the trusted mode , like i have a prod box with N number of java and oracle users, what should be approach and waht are the challenges possibly going to come, just can some thoughts be shared?

Regards
sujit
TTr
Honored Contributor

Re: password history depth in a non-trusted system // converting to a trusted system

Tghe trusted system is an all or none change. You get a lot of nice features but at the same time you lose some of the functionality of a non-trusted system (telnet, rlogin, ftp etc). You will use additional server resources for monitoring and auditing and will need space, rotation schedules, archiving and review policy for the auditing files. A lot of other functionality that we are all used to will either go away or be reduced to a minimum.

Take a look at the the admin guide for trusted systems for details http://www.docs.hp.com/en/B2355-90121/B2355-90121.pdf

Also in HP-UX 11.31 the trusted systems will go away in favor of the new security model. So , don't get into the trusted system now if you can avoid it and have to get out of it again in the future.
OldSchool
Honored Contributor

Re: password history depth in a non-trusted system // converting to a trusted system

"are standard systems. man security says that for password history depth can be implemented to a trusted system only.
PASSWORD_HISTORY_DEPTH=N A new password is checked..."

They had patches out for 11.0 and up that should enable this without converting to a trusted system.
sujit kumar singh
Honored Contributor

Re: password history depth in a non-trusted system // converting to a trusted system

Hi,

Thanks for the Inputs.

I also need to knoe that if i convert the system to a trusted node,

1) can that be done on the fly that is with the applications and databases running?
2) we have got CRS in the server as running.

So what can be the approach if i wish turning the systen into a trusted one.

i know that the system can be untrusted, but what can be the potential problems if i turn the sytem into trusted mode on the fly/ offline.

How are the logged on users goint to be affected if i do that online?

Sorry if the question sounds stupid.

regards
sujit
TTr
Honored Contributor

Re: password history depth in a non-trusted system // converting to a trusted system

You can convert live and it happens very quickly. However you should not be doing it on a live production system. You can never capture all the services that will get impacted or any inter dependencies. You should be doing it on a test system first with that application running.

If you don't have a test system your other option is to do it during off-peak hours with a few users on that will help you test the trusted system.
G V R Shankar
Valued Contributor

Re: password history depth in a non-trusted system // converting to a trusted system

Once you convert the system, it would ask all the users to change their password. You might want to consider to disable password aging for application users, ftp users etc.

Followng is example

/usr/lbin/modprpw -m mintm=0,lftm=0,exptm=0,expwarn=0 user1

Ravi.