Operating System - HP-UX

Re: Trusted System - getprpw lockout indicates asterisk in password

Jack C. Mahaffey
Super Advisor

Trusted System - getprpw lockout indicates asterisk in password

I can understand why the asterisk * for password gets converted from the password file when converting to trusted system. Is there anything that will set the password back to * for logins?

I'm comparing systems and was wondering if any commands set the password back to '*'. Another question. Is it possible to set the password back to '*'? I see www is set to * on some systems and not others. Is it necessary to untrust the system just to reset the password to '*'?



Thanks in advance.

Jack
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Trusted System - getprpw lockout indicates asterisk in password

Well, you always have the option of editing the u_pwd field of the /tcb/files/auth/c/cstephen file directly and putting in a '*' and that is perfectly legal. You can also script a solution to do this as well using awk, Perl, or shell. Make sure you make a backup of the entire /tcb database and are logged in as root in at least two sessions so that you can get yourself out of trouble as fast as you got yourself in.

You should note that the '*' as the lockout character is nothing more than convention; any single character (e.g. 'Z') is an impossible hash and the account is just as effectively locked as with '*'. A few utilities look explicitly for '*' to produce a 'Locked' message but that is a weakness of those utilities rather than the '*' being a real lock --- or at least a better lock than any other impossible hash.

If it ain't broke, I can fix that.
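
Added example (not part of the original replies, and not HP tooling): a POSIX shell audit for comparing systems that reports, per account, whether `u_pwd` is a literal `*`, some other impossible hash, or a plausible hash. The function names, the assumed entry layout (colon-separated fields with backslash continuations) and the "at least 13 characters from the crypt alphabet" rule are assumptions; the sample entries are constructed.

```sh
#!/bin/sh
# Added example: classify the u_pwd field of Trusted System entries.
# Assumed layout: /tcb/files/auth/<first letter>/<user>, colon-separated
# fields, long entries continued with a trailing backslash.
LC_ALL=C; export LC_ALL

# Print the u_pwd value of one entry file (empty if unset or absent).
get_u_pwd() {
    tr -d '\\\n' < "$1" | tr ':' '\n' |
        sed -n 's/^[[:space:]]*u_pwd=//p' | head -n 1
}

# star = literal '*'; impossible = any other value that cannot be a hash
# (assumption: a hash has at least 13 characters, all from [./0-9A-Za-z]).
classify_pwd() {
    case "$1" in
        '')  echo empty ;;
        '*') echo star ;;
        *[!./0-9A-Za-z]*) echo impossible ;;
        *)   if [ "${#1}" -lt 13 ]; then echo impossible; else echo hash; fi ;;
    esac
}

# One "user class" line per entry; the hash itself is never printed.
audit_tcb() {
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(classify_pwd "$(get_u_pwd "$f")")"
    done
}

# Constructed sample entries (not from a real system).
make_sample() {
    mkdir "$1" "$1/j" "$1/w" "$1/z" || return 1
    cat > "$1/j/jdoe" <<'EOF'
jdoe:u_name=jdoe:u_id#1001:\
    :u_pwd=abCdEfGhIjKlM:\
    :chkent:
EOF
    printf 'www:u_name=www:u_id#30:u_pwd=*:chkent:\n' > "$1/w/www"
    printf 'ztest:u_name=ztest:u_id#1002:u_pwd=Z:chkent:\n' > "$1/z/ztest"
}

# Demo on the sample; on a real host run: audit_tcb /tcb/files/auth (as root)
d=${TMPDIR:-/tmp}/tcbdemo.$$
make_sample "$d" && audit_tcb "$d"
rm -rf "$d"
```

Running `audit_tcb` on two hosts and diffing the output shows which accounts differ only in the lock convention, such as `www` carrying `*` on one system and not on another.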
Olivier Masse
Honored Contributor

Re: Trusted System - getprpw lockout indicates asterisk in password

On a trusted system, I think the best way to lock users is with an admin lock rather than putting a * in the password field. The "passwd -l" command does it, as well as "/usr/lbin/modprpw -l".

CAVEAT: trusted accounts which have an admin lock cannot be remsh'd to or ssh'd to using passwordless certificate authentication. The only way to lock such an account is to put a * in the password field in the trusted database, and in these cases I do it by hand.

Olivier
Bill Hassell
Honored Contributor

Re: Trusted System - getprpw lockout indicates asterisk in password

Asterisk in password is leftover from conversion to Trusted. Once the system is Trusted, there is no way (short of hand-editing the /tcb files) to set an asterisk for a specific user. The reason that www account (and others) sometimes has the asterisk is due to creating the www user before or after turning the system into Trusted. On a normal system, the www user is created (by Apache installation) with * in /etc/passwd. If you install Apache after converting to Trusted, the account will have an admin lock, which has the same basic meaning as * in non-Trusted.

To unlock a user account that has either type of lock, use:

/usr/lbin/modprpw -m alock=NO -k


Bill Hassell, sysadmin
Jack C. Mahaffey
Super Advisor

Re: Trusted System - getprpw lockout indicates asterisk in password

Thanks all. I wasn't sure if one of the modprpw command options was automatically setting the password back to '*'. If I really want to keep the original install settings to '*' I'll edit the appropriate /tcb... file, otherwise I'll disable the account from logging in using the modprpw commands.

jck...