Operating System - HP-UX

Converting to trusted system

 
SOLVED
Rolf Modin
Advisor

Converting to trusted system

What can give you problems when converting, and after, an HP-UX 11.0 system that has been used for a long time, to a trusted system?

Will cron jobs be affected? Will password policies change for existing users?
Do existing passwords risk becoming invalid if they are short or lack special characters? ...
Rajeev  Shukla
Honored Contributor

Re: Converting to trusted system

Yes, you are right, passwords will have a problem. The policies remain the same, but the existing passwords will ask for a change. But crons will not have any problem.

Let me know if you need more clarifications.

Rajeev
Michael Tully
Honored Contributor

Re: Converting to trusted system

You will still need to clarify your security policy to some degree, like password expiration etc. Using 'SAM' is not a bad place to start. You can also use 'SAM' to trust your system as well as the command line version of
# /usr/lbin/tsconvert

Watch for the immediate password expiry, you will upset your user base if they do not know about it. The place to practise this is on a test system.
Anyone for a Mutiny ?
T G Manikandan
Honored Contributor
Solution

Re: Converting to trusted system

Juan Manuel López
Valued Contributor

Re: Converting to trusted system

tsconvert -c

Juanma.
I would like to lie on a beautiful beach spending my life doing nothing, so somebody has to do this job.
Ravi_8
Honored Contributor

Re: Converting to trusted system

Hi

You can make the system trusted thru SAM or by command 'tsconvert'.
Cron jobs will not be affected, passwd policy will definitely change. You can't use NIS if you make the system trusted.
never give up
Rolf Modin
Advisor

Re: Converting to trusted system

Have I understood correctly that what can cause problems is that all users will have to change their password the first time they log on to the system after the conversion? That would make trouble for applications on other machines that use ftp to automatically exchange files with the system.

PS:
Wow, lots of good answers before I had had time to read the netiquette, as a first time user :-)
DS.
Gino Castoldi_2
Honored Contributor

Re: Converting to trusted system

Hi,

If you use SAM as part of your procedures to convert to a "trusted system" then you can prevent having all passwords expire. First use SAM to convert to a "trusted system", then go to: System Security Policies -> Password Aging Policies -> and select "Disabled" for Password Aging. This should stop all passwords, including root, from expiring.

I tested this on our test server (HP-UX 11.0) that runs OVO and it worked without any password/account problems.

I then used "Bastille" to further lock down the server as part of our security hardening initiative.

Using SAM first and disabling password aging prevented "Bastille" from expiring all passwords when it ran. If you use just Bastille by itself it will automatically expire all passwords.


HTH, Gino.
Keith Buck
Respected Contributor

Re: Converting to trusted system

As Gino said, SAM gives you a lot more flexibility in terms of password policies than Bastille or the command-line version. Also, the command-line version won't do a lot of the checks that SAM and Bastille do, and you could end up with a broken system.

-Keith
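
Added example, not part of any reply in the thread: a pre-conversion inventory that reads a passwd-format file and flags the two things the replies warn about, NIS entries and accounts with a password login (the ones that would be asked for a new password at first login, including any used by scripted ftp transfers). The account names, hashes and the `preconv_report` / `sample_passwd` function names are constructed for illustration, and the classic seven-field passwd layout is assumed.

```shell
#!/bin/sh
# Added example: inventory a passwd-format file before a trusted-system
# conversion. Reads the file on stdin, prints one "<KIND> <name>" per finding.
preconv_report() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                      # skip blanks and comments
        /^[+-]/    { print "NIS_ENTRY " $1; next }       # NIS compat entry
        NF != 7    { print "MALFORMED " $1; next }       # not a 7-field record
        $2 == ""   { print "EMPTY_PASSWORD " $1; next }  # no password set
        $2 ~ /^\*/ { next }                              # no password login possible
        { print "PASSWORD_LOGIN " $1 }                   # will hit a forced change
    '
}

# Constructed sample input (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:Ab3dEfGhIjKlM:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
ftpxfer:Zy9xWvUtSrQpO:201:20:file transfer:/home/ftpxfer:/usr/bin/sh
guest::202:20::/home/guest:/usr/bin/sh
+::0:0:::
EOF
}

# Demo run on the sample; on a real host, feed /etc/passwd instead:
#   preconv_report < /etc/passwd
sample_passwd | preconv_report
```

Every `PASSWORD_LOGIN` account that a remote job uses non-interactively needs a plan (password aging disabled through SAM as described above, or a coordinated password change) before the conversion is run on production.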