Operating System - HP-UX

password reset on trusted system

 
SOLVED
Go to solution
Oliver Schmitz
Regular Advisor

password reset on trusted system

Dear all,

Meanwhile, I converted my system to a trusted system. I have two questions on this:

1.) Is /etc/default/security still the configuration file? I converted with SAM to a trusted system and did some settings in the policies area, but I didn't see any changes in the security file.

2.) Now I have some users who forgot their password on this machine. In the untrusted system I just deleted the corresponding part in /etc/passwd and the user could log in without a password. Deleting the * now doesn't help. I read about a shadowed database with the passwords. Where is it?

Thanks for further help and best regards,

Oliver
Oliver Schmitz
5 REPLIES
D Block 2
Respected Contributor

Re: password reset on trusted system

The Trusted System has its own directory structure where it keeps the password entries. This is not like /etc/shadow (file) for Shadow Passwords. You can get Shadow or you can have Trusted (but not both).
Golf is a Good Walk Spoiled, Mark Twain.
Pete Randall
Outstanding Contributor
Solution

Re: password reset on trusted system

Oliver,

1) yes.

2) A better approach might be to reset their password with the passwd command to something generic and then have them log in and change it themselves.


Pete

Pete
James George_1
Trusted Contributor

Re: password reset on trusted system

The trusted systems use the /tcb/files/auth directory to store info as well. Go to the user's file under the corresponding letter directories ...


Rgds / JG
forum is for techies .....heaven is for those who are born again !!
Anthony Lennan
Valued Contributor

Re: password reset on trusted system

Hi Oliver,

The best way to reset a user's password on a trusted system is to use the modprpw command (/usr/lbin/modprpw). With this command you can reset passwords, unlock accounts, etc. Have a look at the man page for all the options.

The other useful command for trusted systems is getprpw. It's handy for getting information about trusted users (i.e. is their account locked, etc.).

Rgds,
Anthony
Bill Hassell
Honored Contributor

Re: password reset on trusted system

It's a little confusing because there are a couple of places where global policies are set. For a Trusted System, /tcb/auth/system has a system-wide default file and a pwhist directory that remembers old passwords. The default file has records for the global (default) policies (SAM stores its policies there). But /etc/default/security is never built automatically, so you need to create it. The man page for security will give you the details. Most of the security file settings are in addition to the /tcb settings.

In an untrusted system there is only one file for authentication: /etc/passwd (and optionally, /etc/group). But when you move to Trusted, all authentication is moved to the /tcb directory, so blanking out the password field won't work. (by the way, blanking out a password is never a good idea--you are relying on the user to promise to add a password at their earliest convenience...yeah, right)

The recommended and supported way to fix password issues is with SAM and there are now a lot more choices (unlock a locked account, reset their password age, force a password change at next login, etc) and you can even give them password suggestions.

Now for advanced sysadmins who like command-line tools, you can use modprpw to unlock a user's account (in Trusted, too many password failures will lock the account), refresh the expiration date, and so on. The man page for modprpw will give you the details. (note: the man page for modprpw is only on 11.11--use docs.hp.com if you're on 11.00)

The shadowed password system is a third choice. It is quite different from Trusted, does not have all the security controls but is more compatible with old code that messes with a shadow password file. Un-trusted, shadow, and Trusted are mutually exclusive--you pick the one you need. I would always go for Trusted.


Bill Hassell, sysadmin
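Added example, not code from any of the replies above: a POSIX sh script that pulls together the pieces named by James George (the per-user file under /tcb/files/auth), Anthony Lennan (getprpw to inspect, modprpw to reset/unlock) and Bill Hassell (accounts locked by too many password failures, forcing a change at next login). The directory layout, the 7-position meaning of the getprpw "lockout" field, and the flags used (getprpw -r -m field, modprpw -k to unlock, modprpw -e to expire the password) are recalled from the HP-UX 11.x getprpw(1M)/modprpw(1M) man pages rather than copied from this thread, so treat them as assumptions and check them against the man page on your release before running the reset function as root. The username in the usage line is made up.

```shell
#!/bin/sh
# Added example for an HP-UX Trusted System (not from the thread above).
# Assumes: protected-password entries live in /tcb/files/auth/<first letter>/<user>,
# getprpw/modprpw are in /usr/lbin, and the flag meanings are as in getprpw(1M)
# and modprpw(1M) for 11.x. Verify against your local man pages before use.

# Path of the user's entry in the protected-password database.
tcb_auth_path() {
    user=$1
    first=$(printf '%s' "$user" | cut -c1)
    printf '/tcb/files/auth/%s/%s\n' "$first" "$user"
}

# Decode the 7-character "lockout" string that `getprpw -r -m lockout user`
# prints (a 1 in a position means that lock reason is active). Positions, per
# getprpw(1M) as assumed here:
#   1 past password lifetime          5 password required but null
#   2 past last-login time (inactive) 6 administrative lock
#   3 past absolute account lifetime  7 password is "*"
#   4 exceeded unsuccessful login attempts
lockout_reasons() {
    mask=$1
    reasons=""
    i=1
    while [ "$i" -le 7 ]; do
        bit=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$bit" = "1" ]; then
            case $i in
                1) r="password-lifetime" ;;
                2) r="inactive" ;;
                3) r="account-lifetime" ;;
                4) r="failed-logins" ;;
                5) r="null-password" ;;
                6) r="admin-lock" ;;
                7) r="star-password" ;;
            esac
            reasons="${reasons:+$reasons,}$r"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${reasons:-none}"
}

# Read-only inspection: where the entry is and why (if at all) the account is
# locked. Needs root and the HP-UX getprpw binary.
show_trusted_user() {
    user=$1
    printf 'entry:   %s\n' "$(tcb_auth_path "$user")"
    mask=$(/usr/lbin/getprpw -r -m lockout "$user")
    printf 'lockout: %s (%s)\n' "$mask" "$(lockout_reasons "$mask")"
}

# The reset Pete and Anthony describe, done at the command line:
#   1. clear any lock (e.g. from too many failed logins)   modprpw -k
#   2. set a temporary password interactively              passwd
#   3. expire it so the user must change it at next login  modprpw -e
# Never blank the password; the user gets a one-time temporary one instead.
reset_trusted_user() {
    user=$1
    /usr/lbin/modprpw -k "$user"
    passwd "$user"
    /usr/lbin/modprpw -e "$user"
    /usr/lbin/getprpw -l -m lockout,exptm "$user"
}

# Usage: ./trusted_reset.sh oliver      (inspect only; call reset_trusted_user
# yourself once you have confirmed the flags on your release)
if [ -n "$1" ] && [ -x /usr/lbin/getprpw ]; then
    show_trusted_user "$1"
fi
```

The two pure functions (tcb_auth_path, lockout_reasons) run anywhere and are the part worth keeping in a toolbox; the other two only make sense on the Trusted System itself, as root, after checking modprpw's -k and -e against the man page that Bill and Anthony point to.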