HPE Community
Operating System - HP-UX
1821547 Members
1728 Online
109633 Solutions
New Discussion юеВ

pwconv HP-UX 11

 
Rob CUYNEN
Occasional Advisor

тАО11-23-2000 02:43 AM

тАО11-23-2000 02:43 AM

pwconv HP-UX 11

In the knowledge base it is stated that you can use pwconv on a non-trusted system.
It should do the follwing:
If commercial security is installed : update shadow file
if commercial security not installed: remove passwords from /etc/passwd and create the shadow file.

When I run the pwconv command on HP-UX 11 I get the message that the system is a non-trusted system and the command does nothing.

Is it possible to use pwconv on a non-trusted system and if not why does it say in the knowledge base that you can ?
0 Kudos
Reply
14 REPLIES 14
Alex Glennie
Honored Contributor

тАО11-23-2000 03:25 AM

тАО11-23-2000 03:25 AM

Re: pwconv HP-UX 11

I just tried this and it does work on a non-trusted system: to see what it does have a look at the pwconf binary.

Are you 100 % sure it did nothing ..have you checked you havent got a tcb dir ?
0 Kudos
Reply
Alex Glennie
Honored Contributor

тАО11-23-2000 03:28 AM

тАО11-23-2000 03:28 AM

Re: pwconv HP-UX 11

also are you using NIS or tried to convert the system via sam .... any errors ?
0 Kudos
Reply
Rob CUYNEN
Occasional Advisor

тАО11-23-2000 04:00 AM

тАО11-23-2000 04:00 AM

Re: pwconv HP-UX 11

Our intention is just to remove the encrypted passwords from the /etc/passwd file. We are not yet trying to convert to a trusted system.

This is the output of the command:

[hpbis:/etc]# pwconv
The system is not yet in trusted mode.
Use pwck to list any problems with the password file.
After fixing all problems use SAM to convert to trusted mode.


I'm pretty sure I don't get the /tcb -directory because i get the followng output:

[hpbis:/]# ls -a tcb
tcb not found
0 Kudos
Reply
Alex Glennie
Honored Contributor

тАО11-23-2000 04:06 AM

тАО11-23-2000 04:06 AM

Re: pwconv HP-UX 11

Ah thats slightly different !

If it were me I'd try with the default passwd file from /usr/newconfig/etc/, if that works you may have problems wrt your own passwd file

I'd check for duplicate names uids etc ... ?

Make sure you are patched to a reasonable level as well
0 Kudos
Reply
Dan Hetzel
Honored Contributor

тАО11-23-2000 04:23 AM

тАО11-23-2000 04:23 AM

Re: pwconv HP-UX 11

Hi,

Run 'pwck' and 'grpck' to fix problems with your password and group files, if any.

Then, you should be able to run 'pwconv' successfully.

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
0 Kudos
Reply
Rob CUYNEN
Occasional Advisor

тАО11-23-2000 04:34 AM

тАО11-23-2000 04:34 AM

Re: pwconv HP-UX 11

thank you very much for al your input, but I get the follwing output:

# pwconv /usr/newconfig/etc/passwd
The system is not yet in trusted mode.
Use pwck to list any problems with the password file.
After fixing all problems use SAM to convert to trusted mode.
# pwck /etc/passwd
# grpck /etc/group

# pwconv
The system is not yet in trusted mode.
Use pwck to list any problems with the password file.
After fixing all problems use SAM to convert to trusted mode.

So it doesn't seem to work.

Below is the result of a swlist. Am I missing something or is there a patch that needs to be installed.

#
# Bundle(s):
#

A5158A B.11.00.03 HP PCI Tachyon TL Fibre Channel
A5783A B.11.00.06 PCI Token Ring
B2491BA B.11.00 MirrorDisk/UX
B3919EA_2A5 B.11.00 Special Edition HP-UX Unlimited-User Lic
B3929BA B.11.00 HP OnLineJFS (Advanced VxFS)
B3935DA A.11.09 MC / Service Guard
B5456CA C.01.18.01 HP-UX Development Kit for Java*
B6733AA B.11.00.10 DCE/9000 Kernel Threads Support
B8342AA B.11.00.03 Netscape Communicator 4.72
B8723AA A.01.02 CIFS/9000 Client Lic. for 9000 Servers
B8725AA A.01.02 CIFS/9000 Server Lic. for 9000 Servers
HPUXEng64RT B.11.00 English HP-UX 64-bit Runtime Environment
Ignite-UX-11-00 B.2.4.307 HP-UX Installation Utilities for Installing 11.00 Systems
J2720BA R6.11.00.200 SNAplus2 LINK
J2722BA R6.11.00.200 SNAplus2 3270/3179G
J2723BA R6.11.00.200 SNAplus2 RJE
J2724BA R6.11.00.200 SNAplus2 API
OnlineDiag B.11.00.13.16 HPUX 11.0 Support Tools Bundle
XSWECO226 A.1.0 Patch Replacement bundle
XSWGR1100 B.11.00.49.3 HP-UX General Release Patches, June 2000
XSWHWCR1100 B.11.00.49.3 HP-UX Hardware Enablement and Critical Patches, June 2000
#
# Product(s) not contained in a Bundle:
#

ADSM 1.0 Start/Stop scripts & config files & Oracle backupscript for ADSM
IBMcli_tag 1.1.0.0 IBMcli software for HP-UX
IBMdpo_tag B.11.00.01 IBMdpo Driver 64-bit Version: Oct-26-2000 16:19
IBMis_tag 2.7.1.00 IBM Install Script for HP
PHCO_21630 1.0 LVM commands cumulative patch
PHKL_21381 B.11.00.AA Fibre Channel Mass Storage Driver Patch
PHKL_21989 1.0 SCSI IO Subsystem Cumulative Patch
PHKL_22267 1.0 11.00 LVM Cumulative patch
PHKL_22469 1.0 Directed range,PIOP for N/L class,PAT Events
SW-DIST B.11.10.07.01 HP-UX Software Distributor
TIVsm 3.7.0.0 Tivoli Storage Manager


0 Kudos
Reply
Dave Kelly_1
Respected Contributor

тАО11-23-2000 05:24 AM

тАО11-23-2000 05:24 AM

Re: pwconv HP-UX 11

It doesn't look like you can run pwconv on a non-trusted system.

pwconv is just a script file. The contents show:

#!/usr/bin/sh
# @(#) $Revision: 80.2 $
#
# pwconv -- convert to or update commercial security
#

PATH=/usr/lbin
export PATH

# check this file to see if already converted
# see the iscomsec() routine in libsec

if [[ -f /tcb/files/auth/system/default ]]
then
# already converted, do an update
echo "Updating the tcb to match /etc/passwd, if needed."
tsconvert -u
else
# not there yet, do the conversion
echo "The system is not yet in trusted mode."
echo "Use pwck to list any problems with the password file."
echo "After fixing all problems use SAM to convert to trusted mode".
fi


The else shows that nothing is run if the system is not trusted.
0 Kudos
Reply
Alex Glennie
Honored Contributor

тАО11-23-2000 06:03 AM

тАО11-23-2000 06:03 AM

Re: pwconv HP-UX 11

As to the itrc doc, i the script is different between 10.20 and 11.xx.

did it specify the O/S ?
0 Kudos
Reply
Rob CUYNEN
Occasional Advisor

тАО11-23-2000 06:10 AM

тАО11-23-2000 06:10 AM

Re: pwconv HP-UX 11

The knowledge base document that I refered to in the beginning is:

A5242666

Problem Description

Can I use pwconv if my system is not a trusted system? Will pwconv
create a shadow file?

Configuration Info

Operating System - HPUX
Version -
Hardware System - HP 9000
Series - E35

Solution

Yes, you do not have to have a trusted system to use pwconv and
pwconv will create shadow files.



I also have a reference to document RN06961020:
HP-UX 10.20 Release Notes, Major Changes for HP-UX 10.0 & 10.01, Part 1

New commands from 10.0

pwconv(1M)
*****************************************************************************
Creates or updates the commercial security database from /etc/passwd.

* If commercial security is installed, pwconv updates the database.

* If commercial security is not installed, pwconv removes passwords
from /etc/passwd and creates the database.


I don't find any reference that it changed up to V. 11.xx

0 Kudos
Reply
Dan Hetzel
Honored Contributor

тАО11-23-2000 06:24 AM

тАО11-23-2000 06:24 AM

Re: pwconv HP-UX 11

Hi all,

I guess you're all right ... up to a certain point.

The script in 10.20 is as follows:
#!/usr/bin/sh
# @(#) $Revision: 72.1 $
#
# pwconv -- convert to or update commercial security
#

PATH=/etc
export PATH

# check this file to see if already converted
# see the iscomsec() routine in libsec

if [[ -f /tcb/files/auth/system/default ]]
then
# already converted, do an update
tsconvert -u
else
# not there yet, do the conversion
tsconvert
fi

You see that it either updates or converts depending if the system is trusted or not.
I can't figure out what /etc/tsconvert is doing but it's most probably converting the system into a trusted system, like sam does (probably by calling tsconvert)

Best regards,

Dan

PS: If my understanding is correct, what Rob wants is a trusted system with all auditing turned off ??? Or am I missing something ??

Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
0 Kudos
Reply
Rob CUYNEN
Occasional Advisor

тАО11-23-2000 06:26 AM

тАО11-23-2000 06:26 AM

Re: pwconv HP-UX 11

I was just checking an "old" 10.20 system and there the script just runs tsconvert when it is not already a secure system.

I was wondering , can't I just do the same manually on HP-UX. That's just use tsconvert without any options.
0 Kudos
Reply
Rob CUYNEN
Occasional Advisor

тАО11-23-2000 06:34 AM

тАО11-23-2000 06:34 AM

Re: pwconv HP-UX 11

Actually, I don't want a trusted system.

I'm used to working in the Solaris environment and there by default there are no encrypted passwords in the /etc/passwd file. The encrypted passwords are stored in the root-only accessible file (even read): /etc/shadow.
This is also true for most Linux systems now.

I was just wondering, is the same very basic security check popssible under HP-UX.

For the moment we don't want to use trusted systems because that would also require an upgrade of the JFS filesystems to disk-layout 4(because we need the ACL's) and change from NIS to NIS+. As the NIS would only be used for 3, max. 4 servers we wonder if all the managment hassle of NIS+ won't be to much overhead.
0 Kudos
Reply
Roderick Derks
Frequent Advisor

тАО01-13-2005 03:12 AM

тАО01-13-2005 03:12 AM

Re: pwconv HP-UX 11

Have you ever had a solution to this issue?

Groet,
Roderick Derks
0 Kudos
Reply
Pete Randall
Outstanding Contributor

тАО01-13-2005 03:17 AM

тАО01-13-2005 03:17 AM

Re: pwconv HP-UX 11

Roderick,

It's usually better to open your own new question than add a question to such an old thread. In this case, however, I think the answer you seek is "Shadow Passwords":

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword


Pete

Pete
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.