
HPUX 10.20 "trusted system" problems

 
SOLVED
Go to solution

HPUX 10.20 "trusted system" problems

Hi there

What if someone on purpose blocks the root account
(by entering some number of wrong passwords
on an HPUX 10.20 trusted system)
when the CDE lock screen is on?
Is the only way a hard reboot?
Isn't it?
Are there any patches for this?

And why does the account manager in SAM
return an error when the root password was
wrong even one time, and the root account
was not blocked?

Why, after converting to and unconverting from a trusted system, are some passwords not recognized
and must be changed by root?


Is there a way to restrict some users to log on from specific IPs?
For example, to restrict root to log on only locally and from some reliable computers, and at the same time
to allow other users to log on from some other IPs?

Is HPUX 10.20 so bad in security?


10x



Jeff Schussele
Honored Contributor

Re: HPUX 10.20 "trusted system" problems

For one - root should NEVER be allowed to login from anywhere EXCEPT the console.
To do this create a file in /etc named securetty & place only the word console in it. Users should login with their username & su up to root. This will force them to do so.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
S.K. Chan
Honored Contributor

Re: HPUX 10.20 "trusted system" problems

1) You can login as root on the console in the event of the root account being deactivated. And it is probably a good practise to run "authck" afterwards. I don't think there is any patch that can "bypass" this condition.

2) The SAM part. Well I'm not sure. I do not think that is the behavior that is expected from what you've described.

3) After conversion, if a user's password from the non-trusted system was longer than 8 characters, keep in mind that the default length for a trusted system is only 8 characters. So only the first 8 characters will be recognized once trusted (well, same as non-trusted). If you want longer than 8, use SAM to increase it.

4) It's almost a must to have /etc/securetty in place to restrict direct root login.
Craig Rants
Honored Contributor

Re: HPUX 10.20 "trusted system" problems

What if someone on purpose blocks the root account
(by entering some number of wrong passwords
on an HPUX 10.20 trusted system)
when the CDE lock screen is on?
Is the only way a hard reboot?
Isn't it?
Are there any patches for this?

As mentioned above, use the console entry in /etc/securetty; also, ssh can bypass this if you allow root logins in the sshd_config file. I would recommend moving to ssh for all telnet, ftp, rlogin communication anyway.

And why does the account manager in SAM
return an error when the root password was
wrong even one time, and the root account
was not blocked?

Why, after converting to and unconverting from a trusted system, are some passwords not recognized
and must be changed by root?

Use this script after converting to a trusted system.
After conversion run modprpw to preserve passwords:

    #!/usr/bin/sh
    # Read login names, one per line, from the file "list" and run
    # modprpw -V for each one so the password survives the conversion.
    for USER in `cat list`
    do
        /usr/lbin/modprpw -V "$USER"
    done



Is there a way to restrict some users to log on from specific IPs?
For example, to restrict root to log on only locally and from some reliable computers, and at the same time
to allow other users to log on from some other IPs?

Use the /var/adm/inetd.sec file and limit it that way. Much like hosts.allow.

Is HPUX 10.20 so bad in security?

It is only bad if you don't manage the security on your box. Look at getting Practical Unix Security from O'Reilly; that book will help you create a much more secure server.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
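The three controls the replies above recommend (a console-only /etc/securetty, per-service host lists in /var/adm/inetd.sec, and PermitRootLogin in sshd_config) can be audited with a small script. This is an added example, not code from the thread; the file paths are parameters, and the sample files it runs against are constructed here rather than taken from a real host.

```shell
#!/bin/sh
# Added audit example (not from the thread): checks the three controls the
# replies recommend on HP-UX 10.20. Paths are parameters so the functions can
# be run against the constructed sample files below instead of the live host.

# /etc/securetty: root may log in only on the ttys listed. The replies want
# the single word "console", so any other non-blank line is a finding.
securetty_console_only() {
    [ -f "$1" ] || return 1
    if grep -v '^[[:space:]]*$' "$1" | grep -vx 'console' >/dev/null; then
        return 1
    fi
    grep -qx 'console' "$1"
}

# /var/adm/inetd.sec lines read: <service> <allow|deny> <host/network list>.
# A service is restricted when it has an "allow" line with at least one host.
# Note this filters by address, not by user name (inetd knows no users).
inetd_sec_restricts() {
    awk -v svc="$2" '$1 == svc && $2 == "allow" && NF >= 3 { ok = 1 }
                     END { exit ok ? 0 : 1 }' "$1"
}

# sshd_config: "PermitRootLogin yes" lets root in over ssh regardless of
# securetty, so the value must be "no" (first occurrence wins, as in sshd).
sshd_denies_root() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { exit (v == "no") ? 0 : 1 }' "$1"
}

# Constructed sample files standing in for the real ones.
DEMO_DIR=$(mktemp -d)
printf 'console\n' > "$DEMO_DIR/securetty.good"
printf 'console\nttyp1\n' > "$DEMO_DIR/securetty.bad"
printf 'telnet allow 10.0.0.5 10.0.0.6\nlogin deny *\n' > "$DEMO_DIR/inetd.sec"
printf 'PermitRootLogin yes\n' > "$DEMO_DIR/sshd_config.bad"
printf 'PermitRootLogin no\n' > "$DEMO_DIR/sshd_config.good"

# Print one line per check; the exit status of each function is the finding.
audit() {
    securetty_console_only "$1" && echo "securetty: console only" || echo "securetty: root login allowed beyond console"
    inetd_sec_restricts "$2" telnet && echo "inetd.sec: telnet restricted" || echo "inetd.sec: telnet open to all hosts"
    sshd_denies_root "$3" && echo "sshd: root login denied" || echo "sshd: PermitRootLogin not set to no"
}
audit "$DEMO_DIR/securetty.bad" "$DEMO_DIR/inetd.sec" "$DEMO_DIR/sshd_config.bad"
```

Point the three functions at the real /etc/securetty, /var/adm/inetd.sec and sshd_config to audit a host; a non-zero return from any of them is a finding.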
K.Vijayaragavan.
Respected Contributor

Re: HPUX 10.20 "trusted system" problems

Hi,

Of course, if not from a telnet screen, someone can do this from the X Windows CDE login screen they get through
"exceed" or "X -query" options.

That also can be avoided by securing X windows. Editing "/etc/dt/config/Xaccess" file.

But that is going to block the usage of exceed.

Better to use /etc/securetty and make the root user always login from the console.

He can use "su" to get root privilege from other terminals.

Secure the services (telnet, rlogin, remsh, rexec, etc.) in the /var/adm/inetd.sec file.

-Vijay

"Let us fine tune our knowledge together"

Re: HPUX 10.20 "trusted system" problems

Thanks everybody

Is HPUX 10.20 so bad in security?
It is only bad if you don't manage the security on your box,

Of course ...
but why must HPUX be so
root-unfriendly?

Is it possible to allow a blocked root account to log on
in a local CDE session, such as from the console?

Unfortunately I can't get man pages for securetty and modprpw, and I can't buy or find O'Reilly's book, so is there any documentation on the Web?

As far as I know, inetd.sec restricts only IPs but not users, or am I mistaken?

SSH after converting to a trusted system keeps failing in authorisation ....
It may need additional configuration to use /tcb/... instead of /etc/passwd? What can I do?

The error returned from SAM, both from CDE and console,
when the root password was wrong 1 time is:
UNEXPECTED EXIT: process /usr/sam/lbin.samx -C -p 1144 -s users /usr.sam.lib//ug.ui exited with a non-zero exit status . sh:1293 Bus error (coredump)

thanks


Alex Glennie
Honored Contributor
Solution

Re: HPUX 10.20 "trusted system" problems

I'd install the latest CDE patch .... fyi

hp-ux_patches/s700_800/10.X/PHSS_14002 :CDE:Runtime:Mar98: Target: 10.20
1Liner: s700_800 10.20 CDE Runtime Mar98 Periodic
cde:trusted system:screenlock: unlock by root seen as unsuccessful try ...

That, combined with the SAM error, suggests to me that this system *could* be in need of patching ..... what's the general patch level or last patch bundle that was installed?

As to the other issues not yet covered, it may be better to split them up into separate posts?