trusted not trusted

Jeff Hagstrom
Regular Advisor


How do I know if the machine is trusted or not trusted? And what does that mean?
Sridhar Bhaskarla
Honored Contributor

Re: trusted not trusted

Hi Jeff,

On trusted systems, you will not find the encrypted passwords in the /etc/passwd file. They are stored under a secured directory structure under the /tcb directory. It gives you a lot more options to tighten account security, like password expiry, password lifetimes, unsuccessful attempts, etc.

It is very easy to verify whether a system is trusted or not. Look for the /tcb directory on trusted systems. Run the command "getprpw" and it should either return some output or say "system is not trusted".

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: trusted not trusted

If you have a directory structure like /tcb/files/auth/? (where ? = a-z, A-Z, etc.) then your system is trusted.

If you are trusted, it means that 1) Encrypted passwords are NOT stored in /etc/passwd 2) You have more control over passwords, their expiration, etc. 3) You can audit various system actions. That covers the highlights.
Sanjay_6
Honored Contributor
Solution

Re: trusted not trusted

Hi,

To find if the system is trusted or not,

1.) Run /usr/lbin/modprpw; it will say whether the system is trusted or not.
2.) cat /etc/passwd and see if there is a "*" in place of the encrypted password.
3.) The system is trusted if the directory /tcb/files/auth exists.

Try this doc to learn more about a trusted system.

http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html

Hope this helps.

Regards
Sundar_7
Honored Contributor

Re: trusted not trusted

Sri has pretty much answered your question.

A trusted system will make your UNIX login authentication C2 compliant.

On an untrusted system, you don't have much control over the authentication.

This is from some document.

The following information lists the MAJOR differences between trusted
and non-trusted systems:

1. A trusted system allows system auditing to be turned on.
System auditing enables the ability to trace every system call
issued by each user on the system. Non-trusted systems run
with system auditing disabled.

2. Trusted systems have improved password management.

Below is a list of password management features:

a. Specification of a grace period and expiration period for
passwords.

b. The ability to specify system-wide password aging.

c. The ability to specify an absolute account life.

d. The ability to disable accounts after repeated login
failures.

e. Password lengths of up to forty (40) characters.

f. The ability to access a random password generator.

3. Trusted systems have additional login restrictions, while
non-trusted systems do not. Below are the features of
trusted system login restrictions:

a. In addition to account disabling, the account may also be
locked.

b. Setting accounts to be accessed only at certain times of
the day.

c. The ability to specify account location access. In other
words, account access at specific devices, workstations,
and so on.

d. The ability to specify a single-user boot password.

Note: These login restrictions are NOT available on
NON-TRUSTED systems.

4. A trusted system has shadowed passwords, while a non-trusted
system does not have shadowed passwords. Shadowed passwords
are kept in locations other than /etc/passwd. This prevents
users from viewing the /etc/passwd file and determining which
accounts do not have passwords. This also prevents hackers from
running "password cracker programs" against passwords in the
/etc/passwd file.
Learn What to do ,How to do and more importantly When to do ?
Gary L. Paveza, Jr.
Trusted Contributor

Re: trusted not trusted

Just a quick comment.

Having the encrypted passwords out of the /etc/passwd file is NOT necessarily a sign of a trusted system. The Shadow Password product can be used on untrusted systems and will put the encrypted passwords in /etc/shadow (which is root read-only).

No points please.
Steven E. Protter
Exalted Contributor

Re: trusted not trusted

Three authentication scenarios here.

Non-trusted: /etc/passwd. The password is encrypted. The disadvantage here is that all users need access to this file to change their passwords. This is done via a suid program, passwd.

A hacker can get this file, run crack on it and get lots of passwords.

Trusted systems spread out the (also encrypted) passwords into an individual, hard-to-reach file for each and every user.

This makes it harder on the hacker.

Shadow passwords, standard for Linux, have a /etc/shadow file for the passwords, which are also encrypted.

All three scenarios: encrypted passwords in all scenarios.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
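Pulling the indicators from the replies above into one check, as an added example that is not code from the thread or from HP: it classifies a root directory as trusted (/tcb/files/auth present, per Patrick and Sanjay), shadow (/etc/shadow present, Gary's caveat) or legacy (real hashes still readable in /etc/passwd, Steven's first scenario), and lists the accounts whose hashes are exposed. The fixture trees are constructed for the demo; pass an empty string as the root to inspect the live system, and note that the real getprpw/modprpw commands are not invoked.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a system stores its
# password hashes, using the indicators described in the replies.
# ROOT is a directory prefix: "" for the live system, or a mounted image / test tree.

classify_auth_scheme() {
    root="$1"
    if [ -d "$root/tcb/files/auth" ]; then
        echo trusted     # converted to a trusted system: protected password database under /tcb
    elif [ -f "$root/etc/shadow" ]; then
        echo shadow      # Shadow Password product / Linux style: hashes in root-only /etc/shadow
    elif [ -f "$root/etc/passwd" ] && [ "$(exposed_hash_accounts "$root")" != "" ]; then
        echo legacy      # hashes still sit in world-readable /etc/passwd
    else
        echo unknown
    fi
}

# Print accounts whose /etc/passwd field 2 holds a real hash rather than
# '*', '!', 'x' or an empty field: anyone who can read the file can attack those.
exposed_hash_accounts() {
    awk -F: '$2 != "" && $2 != "*" && $2 != "!" && $2 != "x" { print $1 }' "$1/etc/passwd"
}

# Build three constructed fixture trees under a temp dir and print its path.
build_fixtures() {
    base=$(mktemp -d)
    mkdir -p "$base/trusted/tcb/files/auth/r" "$base/trusted/etc"
    printf 'root:*:0:3::/:/sbin/sh\n' > "$base/trusted/etc/passwd"
    mkdir -p "$base/shadow/etc"
    printf 'root:x:0:3::/:/sbin/sh\n' > "$base/shadow/etc/passwd"
    printf 'root:$1$constructed$hashvalue:0:0:99999:7:::\n' > "$base/shadow/etc/shadow"
    mkdir -p "$base/legacy/etc"
    printf 'root:aBcDeF123456:0:3::/:/sbin/sh\nnobody:*:-2:-2::/:\n' > "$base/legacy/etc/passwd"
    echo "$base"
}

# Demo run over the constructed fixtures (constructed data, not a real system).
fx=$(build_fixtures)
for t in trusted shadow legacy; do
    printf '%s -> %s\n' "$t" "$(classify_auth_scheme "$fx/$t")"
done
printf 'legacy exposed accounts: %s\n' "$(exposed_hash_accounts "$fx/legacy" | tr '\n' ' ')"
rm -rf "$fx"
```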