
trusted systems

 
andrew medhurst
Advisor

trusted systems

Guys, I have an urgent request. I have a passwd file that seems to still have passwords for some users, but most are in the relevant tcb files. This is production, so I would rather not untrust and retrust the whole system, as it will expire all passwords.
I believe that there is a way of converting the users in question one by one (there are only about 10 users that need this) and then unexpiring the users' passwords, perhaps using the modprpw command.
I have never tried this before and wondered if someone can give me some advice on the correct command and usage.
regards
andrew
5 REPLIES
Patrick Wallek
Honored Contributor

Re: trusted systems

There is no way to convert a single user to trusted mode. It is an all-or-none deal!

Do the users that have entries in the passwd file also have a /tcb/files/auth/?/username entry? If so, just delete the encrypted passwd out of /etc/passwd. If not, I would consider removing and re-adding those particular users.

Sridhar Bhaskarla
Honored Contributor

Re: trusted systems

Hi Andrew,

If you see encrypted strings in the password field of /etc/passwd for some users, there is no need to worry. It is not going to affect the users. Only the encrypted strings in their corresponding tcb files will be used.

If you still want to synchronize the passwords of /etc/passwd to the tcb files of those users, then there is a way. Grab the encrypted string from /etc/passwd and use the command

/usr/sbin/lbin/usermod.sam -p ""

The above won't work if the user is active.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Steven E. Protter
Exalted Contributor

Re: trusted systems

There is no loss of function if you take the whole system trusted. Security benefits and there is little downside.

It is also possible to go with shadow passwords, which store passwords in the /etc/shadow file.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

This really provides the shadow functionality but still leaves a single file for hackers to get and crack. It does give you the functionality without the audit and other features of trusted systems that can fill up a hard disk.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tyler Easterling_1
Occasional Advisor

Re: trusted systems

Hi Andrew,

If you're only concerned about password expiration you can run /usr/lbin/modprpw -V and the tsconvert will not expire passwords.

Tyler
andrew medhurst
Advisor

Re: trusted systems

Thanks for the email. I found a way around it: there is a command, pwconv, that checks the passwd files and the /tcb/files/auth directory and, if they don't match, moves only the entries out of passwd to the tcb directory. I then ran the modprpw command to unexpire the passwords and all is now OK.
Thanks for all the help, I have assigned points.

regards
Andrew
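
The check raised in the first reply (does each user with a hash left in /etc/passwd also have a /tcb/files/auth/?/username entry), written as a read-only audit. This is an added example, not code from the thread; it assumes the `?` directory is the first letter of the username and that converted accounts carry `*` in the passwd field, and the four sample accounts are constructed.

```shell
#!/bin/sh
# Added example: read-only audit of passwd entries against the tcb tree.
# Assumptions: converted accounts have "*" in the passwd field, and "?" in
# /tcb/files/auth/?/username is the first letter of the username.

audit_passwd_tcb() {
    passwd_file=${1:-/etc/passwd}
    tcb_dir=${2:-/tcb/files/auth}
    while IFS=: read -r user pw rest; do
        # Skip blank lines, comments and NIS +/- entries.
        case $user in ''|'#'*|+*|-*) continue ;; esac
        first=$(printf '%s' "$user" | cut -c1)
        if [ -f "$tcb_dir/$first/$user" ]; then tcb=yes; else tcb=no; fi
        # Report status only; the hash itself is never printed.
        case $pw in
            '*') if [ "$tcb" = no ]; then echo "$user:NO_TCB_ENTRY"; fi ;;
            '')  echo "$user:EMPTY_PASSWD_FIELD:tcb=$tcb" ;;
            *)   echo "$user:HASH_IN_PASSWD:tcb=$tcb" ;;
        esac
    done < "$passwd_file"
}

# Constructed sample: four made-up accounts in a scratch directory.
run_demo() {
    d=${TMPDIR:-/tmp}/tcbaudit.$$
    mkdir -p "$d/auth/a" "$d/auth/b"
    : > "$d/auth/a/alice"
    : > "$d/auth/b/bob"
    cat > "$d/passwd" <<'EOF'
alice:*:101:20::/home/alice:/sbin/sh
bob:CONSTRUCTEDHASH1:102:20::/home/bob:/sbin/sh
carol:CONSTRUCTEDHASH2:103:20::/home/carol:/sbin/sh
dave:*:104:20::/home/dave:/sbin/sh
EOF
    audit_passwd_tcb "$d/passwd" "$d/auth"
    rm -rf "$d"
}

run_demo
```

Called with no arguments, `audit_passwd_tcb` reads /etc/passwd and /tcb/files/auth; converted accounts that have a tcb entry produce no output.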