
trusted system, password is a *

 
John Kittel
Trusted Contributor


HP-UX 11.11 trusted system, the man page for getprpw says that the trusted database field "lockout", bit position 7, means "password is a *".

I've had a couple accounts locked recently with this bit set. When I look at the tcb entry, it does indeed have a "*" there for the password.

What can be causing it to be set to that value, and why?

- John
Jeff_Traigle
Honored Contributor
Solution

Re: trusted system, password is a *

You mean the accounts had passwords set, but then were locked with the * in the password field? Not aware of anything that would do that in a Trusted system short of "/usr/sam/lbin/usermod.sam -p *" or someone manually editing the TCB database file. If you use "passwd -l" to lock an account on a Trusted system, it doesn't touch the password field as it does in an untrusted system.
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: trusted system, password is a *

BTW, if the account was locked prior to converting to Trusted mode (i.e. * in the password field in /etc/passwd), as several of the system accounts are by default, that would be copied to the TCB database when converting, thus keeping the account locked after conversion is completed.
--
Jeff Traigle
A. Clay Stephenson
Acclaimed Contributor

Re: trusted system, password is a *

Normally that happens when the system is untrusted and a passwd -l user command is entered and the system is converted to trusted again. On an untrusted system, the passwd -l command does indeed replace the passwd hash with '*' and when the system is converted to trusted the '*' is copied to the tcb entry.

It is also possible that someone is using a very archaic version of the passwd command or that someone is temporarily removing the /tcb/files/auth/system/default file. That is the file that the iscomsec() system call looks for to determine whether or not the system is truly trusted.
If it ain't broke, I can fix that.
John Kittel
Trusted Contributor

Re: trusted system, password is a *

Thank you for those answers.

Yes, the accounts had passwords and were being used, then the users called and said they couldn't log in, and then I discovered they were locked out as described.

None of the so-far proposed possible ways this could happen seems at all likely to be the case on my system.

First I needed to know this was not caused by some ordinary or routine HP-UX event of which I was unaware, and the answers so far have reassured me of that. Now I am suspicious of the purchased application software we are running. It allows users to change their Unix account passwords through its own GUI. I tried telling it to set passwd to "*", and at least it doesn't allow that, but perhaps some other circumstances cause it to force a "*" in there.

- John
A. Clay Stephenson
Acclaimed Contributor

Re: trusted system, password is a *

A big clue would be if this software has the setuid bit set and is owned by root -- or if there is a daemon owned by root that this application uses. That would give it the ability to change tcb entries w/o going through the traditional passwd commands.
If it ain't broke, I can fix that.
John Kittel
Trusted Contributor

Re: trusted system, password is a *

Oh yes, I already know it has a daemon owned by root and munges the tcb directly.

- John
John Kittel
Trusted Contributor

Re: trusted system, password is a *

Thanks again for the help. I assume the purchased application software is doing this. Will re-open thread if it turns out otherwise.

- John
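
An added example, not part of any post in this thread: a shell sketch that decodes the 7-position "lockout" string from getprpw and picks out the accounts with position 7 ("password is a *") set, so a recurrence can be caught before users call. The meanings of positions 1 to 6 come from the getprpw man page rather than the thread, and the input lines are constructed; on a real system each value would come from `/usr/lbin/getprpw -m lockout <user>`.

```shell
#!/bin/sh
# Decode the 7-character "lockout" bit string reported by getprpw on a
# trusted system. Positions are read left to right, 1..7.

# Reason for each position as listed in getprpw(1M); position 7 is the
# one discussed in this thread.
lockout_reason() {
    case "$1" in
        1) echo "past password lifetime" ;;
        2) echo "past last login time" ;;
        3) echo "past absolute account lifetime" ;;
        4) echo "exceeded unsuccessful login attempts" ;;
        5) echo "password required and a null password" ;;
        6) echo "admin lock" ;;
        7) echo "password is a *" ;;
    esac
}

# decode_lockout "lockout=0000001": one reason per line, status 2 on bad input.
decode_lockout() {
    bits=${1#lockout=}
    case "$bits" in
        [01][01][01][01][01][01][01]) ;;
        *) echo "unexpected lockout value: $1" >&2; return 2 ;;
    esac
    pos=1
    while [ "$pos" -le 7 ]; do
        bit=$(printf '%s' "$bits" | cut -c "$pos")
        [ "$bit" = 1 ] && lockout_reason "$pos"
        pos=$((pos + 1))
    done
    return 0
}

# Reads "user lockout=NNNNNNN" lines on stdin and prints the users whose
# position 7 is set, whatever the other positions say.
star_locked_users() {
    while read -r user field; do
        case "${field#lockout=}" in
            [01][01][01][01][01][01]1) echo "$user" ;;
        esac
    done
}

# Constructed sample input (hypothetical users, not taken from the thread).
SAMPLE='alice lockout=0000000
bob lockout=0000001
carol lockout=0001001
dave lockout=0000010'

printf '%s\n' "$SAMPLE" | star_locked_users
```

Run periodically and compared against the previous run, the list of position-7 accounts shows when a "*" first appeared, which can then be lined up with the activity of whatever root-owned process writes to the tcb.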