S.Rider
Regular Advisor

Converting to a Trusted-System after years of running

We have multiple hpux 11.11 systems that were set up years before I got here, that were never converted to trusted-systems. I want to convert them over to trusted-systems but there's some concern that after they have been running so long un-trusted, we will break something converting them over. I can't see where there's a big possibility of a trusted-system breaking anything. Well actually, I don't even see a small possibility of anything breaking.
Has anyone experienced things breaking when converting a currently running system over to trusted-system status?
Ride Boldly Ride, but watch out for El Dorado's
Fabio Ettore
Honored Contributor
Solution

Re: Converting to a Trusted-System after years of running

Hi Jay,

I can give you my 2 cents about an experience from some days ago.
I saw 2 MC/ServiceGuard nodes stop running the cluster once they were converted to Trusted Mode.
I was going crazy because the customer didn't tell me that he had converted the systems, and I didn't think about that initially.
Then I discovered that it is a known problem in /etc/inetd.conf: the cmclconfd daemon has to be launched by root and not, as by default, by bin.
When I changed the user from bin to root and ran
inetd -c
the problem was solved.
Are your nodes in ServiceGuard or standalone?

Best regards,
Fabio
WISH? IMPROVEMENT!
Coolmar
Esteemed Contributor

The only problem that I encountered was that the passwords of some users did not fit the criteria of the new "trusted" system. So there were a few users who required their passwords to be reset/changed.

Sally
Tim Sanko
Trusted Contributor

There are many jobs that require "SYSTEM" type IDs that don't change if you are running some of the type of programs we are running.

Sadly, it is the swap thrashing of 8000 users changing passwords through the process that we have that gives me grief...

Every 84 days we go through the procedure to change passwords on systems. It Stinks!!!


The complexity issues notwithstanding:
If you have user scripts that do ftps automatically (we have about 30 of them), those passwords changing will cause failures.

Can you hear the NIS chants from old admins?
LDAP from newbies...

No matter what, no system has perfect security. I still hate trusted systems... Remember ALL (Yes EVERY *#$&$ one of them) passwords must be changed after the changeover.

I would rather set up /etc/default/security instead.

my $.02 worth.

Tim
James R. Ferguson
Acclaimed Contributor

Hi Jay:

I understand that you are running 11.11 (11i v1) and therefore what follows does not strictly apply.

However, beginning with 11i v2 there is a free, optional product that is designed to replace Trusted Systems mode. When 11i v3 appears the feature will be standard and Trusted Mode will be deprecated. You might be interested in this:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

Regards!

...JRF...

Jeff_Traigle
Honored Contributor

And you have to be aware of any bad practices that are legacy. I worked at a place last year that had scripts modifying all sorts of system files (inittab and passwd among them) to perform various functions that were never rewritten as the platform and their software developed over the years. Blindly converting them to Trusted Systems would have broken any script manipulating passwords.

And you better be sure you have console access (even remotely) on a Trusted System since the only way to login once it's locked is from the console. (Assuming you don't have any back doors set up, which are a bad idea anyway... though that didn't stop the admin at another place I worked from having them in place.)
--
Jeff Traigle
Gordon Crone
Frequent Advisor

I vaguely recall one little gotcha. On un-trusted systems I think only the first 8 characters of the password were ever looked at - some users had been using longer passwords but HPUX seemingly ignored anything after 8 characters. Once the system was converted to trusted, it enabled longer passwords but had converted only the 8 characters of the longer passwords. Users promptly got locked out after 3 unsuccessful login attempts with their now meaningful long passwords.

Gord
doug hosking
Esteemed Contributor

"Once the system was converted to trusted, it enabled longer passwords but had converted only the 8 characters of the longer passwords."

This comment is a bit misleading. What you need to understand is that there is nothing more than 8 characters left to convert. It's not a case of not converting, but having no data at that time that CAN be converted. The truncation happens at the time of the original password change, not during the conversion to trusted mode. It just isn't initially apparent because the password checking code in standard mode throws away all characters after the first 8 before comparing against the entry in the passwd file.

doug hosking
Esteemed Contributor

Also be sure to check for any user names longer than 8 characters. Internal limitations in some of the trusted mode data structures preclude reliable operation with user names longer than 8 characters. While long user names are not supported in ANY configuration of 11.11, and tools like useradd will complain if you try to create them, some improperly coded applications have been known to create them by other means. This is begging for obscure problems due to buffer overflows, etc. Obviously that's not something you want to risk in something as important as the authentication system of your machines.
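A pre-conversion audit that covers both gotchas raised in this thread (cmclconfd launched from /etc/inetd.conf as bin instead of root, and user names longer than 8 characters), as an added example that is not part of any reply; the passwd and inetd.conf contents below are constructed samples, and the service name and paths in them are assumptions:

```shell
# Constructed sample inputs (not from a real system) so the audit runs offline.
SAMPLE_PASSWD='root:x:0:0:root:/:/sbin/sh
bin:*:2:2:NO LOGIN:/usr/bin:/sbin/sh
jsmith:x:101:20:Jay Smith:/home/jsmith:/usr/bin/sh
batchreporter:x:102:20:Batch:/home/batchreporter:/usr/bin/sh'

SAMPLE_INETD='ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
#hacl-cfg stream tcp nowait bin /usr/lbin/cmclconfd cmclconfd -c
hacl-cfg dgram udp wait bin /usr/lbin/cmclconfd cmclconfd -p
hacl-cfg stream tcp nowait bin /usr/lbin/cmclconfd cmclconfd -c'

# User names longer than 8 characters: unsupported on 11.11 and unsafe for the
# trusted-mode data structures, so fix them before converting. Arg: passwd file.
long_user_names() {
    awk -F: 'length($1) > 8 { print $1 }' "$1"
}

# Active (uncommented) inetd.conf entries that start cmclconfd as a user other
# than root (field 5 is the user, field 6 the program). Arg: inetd.conf file.
cmclconfd_not_root() {
    awk '!/^[[:space:]]*#/ && $6 ~ /cmclconfd/ && $5 != "root"' "$1"
}

# Print one labelled line per finding. Args: passwd file, inetd.conf file.
audit() {
    long_user_names "$1" | sed 's/^/long user name: /'
    cmclconfd_not_root "$2" | sed 's/^/cmclconfd not run as root: /'
}

# Run the audit on the constructed samples and output the number of findings.
sample_finding_count() {
    pw=$(mktemp); ic=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_INETD" > "$ic"
    audit "$pw" "$ic" | wc -l | tr -d ' '
    rm -f "$pw" "$ic"
}
```

On a real host you would call `audit /etc/passwd /etc/inetd.conf` and expect no output before converting.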
Gordon Crone
Frequent Advisor

Doug,

Sorry if I wasn't clear. I agree, there was never any more than 8 characters to convert. The users had been fooled by the silent truncation that the untrusted system had been doing...

Gord
S.Rider
Regular Advisor

I'm thinking if I go into sam after "converting to trusted" and set the Password-Aging-Policy to disabled, that would eliminate a lot of the issues. We mainly want to go "trusted" to get the encrypted passwords out of /etc/password.
Ride Boldly Ride, but watch out for El Dorado's
Jim Mallett
Honored Contributor

If you are mainly going to Trusted to get rid of the /etc/password issue, you could look into HP-UX Shadow Passwords:
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Fortunately I had a test system to convert to Trusted and check any application issues, so I ended up going the Trusted route.

Jim
Hindsight is 20/20