
changing to trusted mode

 
J_115
Occasional Advisor

changing to trusted mode

I have several 10.10 and 10.20 servers in non-trusted mode. I intend to use SAM to convert to trusted mode. I believe that once trusted, all the users are going to be prompted and forced to change their password. This will cause me the biggest headache imaginable.

How can I avoid this happening?

I will also be patching first and have seen different suggested patches on different threads, so which are the right ones?


:-) John.
7 REPLIES 7
Hoefnix
Honored Contributor

Re: changing to trusted mode

John,

From what I know, converting to a trusted system will enable password aging to a default setting (I think 90 days). What you can do is 1 or 2 weeks before converting, send all users a message to change their password (max length 8 chars) and then convert the system. This will not avoid a password change for the users, but they will not be prompted to change their passwords all at once (after the tsconvert), because the passwords will not be 90 days old.

regards,

Peter
Bill Hassell
Honored Contributor

Re: changing to trusted mode

The Trusted conversion process will invalidate all user passwords. However, you can run modprpw (an undocumented command in the obsolete 10.xx systems) to fix all the entries to start password aging at today's date and enable the current passwords. The man page for modprpw is located at http://docs.hp.com and it is used:

/usr/lbin/modprpw -V

Be sure to get copies of man pages for modprpw and getprpw. Your man page for authcap is also useful.


Bill Hassell, sysadmin
John Carr_2
Honored Contributor

Re: changing to trusted mode

John,

I have installed a fresh copy of 10.20 on a workstation and created 2 new users. I have changed the system to trusted mode using SAM. I have not applied any patches yet.

Now that the system is trusted, I have opened a telnet session to the system and logged in as both of the new users, and have not been asked by the system to change the password.

Could the changing of the password be related to having password aging in place before a conversion to trusted mode?

Bill will probably be able to clarify this.

John Carr :-)
RAC_1
Honored Contributor

Re: changing to trusted mode

/usr/lbin/modprpw -V

to avoid password expiry.
There is no substitute to HARDWORK
Darren Prior
Honored Contributor

Re: changing to trusted mode

Hi John,

See my post in this thread for 10.20 patches: http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=287767

Patches can be superseded, so it's possible that you've seen some older threads that mention older versions of these patches. 10.20 is now an obsolete OS, so patching for it isn't going to change (with the possible exception of security issues.)

regards,

Darren.
Calm down. It's only ones and zeros...
Bill Hassell
Honored Contributor

Re: changing to trusted mode

I tried converting a 10.20 system using SAM to Trusted with 2 users, one with a password expiration setup and one without. After conversion, both accounts were still active. However, SAM uses modprdef after conversion, which is not true if you use the tsconvert command. And for the user with pw expiration set, converting either direction maintained the current setting. /usr/lbin/modprpw -V fixes all passwords in the Trusted system (leave a root window open).

You can freely convert and un-convert using /usr/lbin/tsconvert (-r to revert back, -c to convert to Trusted). The only issue is with password length. If users on an untrusted system are typing in more than 8 characters for a password, on the untrusted system, characters 9+ were simply ignored. But on a Trusted system, every character in the password answer will be used to match the current password. Similarly, if a user chooses a 9+ character password while the system is Trusted and then the system is converted back to un-trusted, the user can still type the extra characters as they will be ignored again.


Bill Hassell, sysadmin
John Carr_2
Honored Contributor

Re: changing to trusted mode

I have just tested again and if I entrust using tsconvert the user is prompted to change password. If I entrust using SAM the user is NOT requested to change password.

I have trusted with tsconvert and run the command modprpw -V, and the user was not prompted to change password.

Bill was spot on.
John