Trusted system vs Non trusted system
07-15-2004 11:49 PM
What is the difference between a trusted system and a non-trusted system? Any reasons to use a trusted system? Is there any article or documentation about it?
regards
07-16-2004 12:59 AM
Re: Trusted system vs Non trusted system
http://docs.hp.com/hpux/onlinedocs/5187-2216/5187-2216.html
Rgds...Geoff
07-16-2004 01:06 AM
Re: Trusted system vs Non trusted system
Non-trusted - encrypted passwords are stored in the /etc/passwd file, which is world-readable. Potentially anyone could grab that file and run crack or some other password cracking utility against it.
Trusted - encrypted passwords are NOT stored in /etc/passwd. They are instead stored in files in the /tcb/files/auth/ directory structure which is only readable by root.
Other advantages are that you have more control over when passwords expire, you can disable accounts after X number of bad logins in a row, etc.
I think it is definitely worth it to have the system be trusted.
07-16-2004 01:34 AM
Re: Trusted system vs Non trusted system
Non-trusted systems:
=====================
User information for the system is stored in /etc/passwd (files), an LDAP database (ldap), etc. When a user logs in to the system, the login and password details are verified as the identification and authentication method using the encrypted password in the /etc/passwd file.
We can hack the passwords in /etc/passwd by removing the password for the user in the /etc/passwd file. Or we can use another password file for this, or any other repository to store the passwords, such as LDAP, NIS or NIS+, etc.
We can use + or - signs to give access or ignore entries of NIS type on non-trusted systems.
Users can log in without any password in non-trusted mode.
Password expiration management uses a period of time set with min and max. In non-trusted systems, it is rounded to the nearest week.
On an untrusted system, only the first eight characters of a password are significant.
Password changes from the old to the new password can be done without any restrictions. We can set the same old password as the new password.
Trusted systems:
================
User password information is stored in /tcb/files/auth/*/* (the protected password database used when the system is converted to a trusted system).
Hacking passwords using the password database files is not possible.
We cannot use NIS's + or - for giving access to users or ignoring them.
Users cannot use a blank password in trusted mode.
Password expiration management uses the corresponding weekdays for the calculation of the min and max periods.
We can have passwords up to 40 characters in length (up to 40 characters is advisable).
Password changes from old to new have a restriction: 3 characters must be changed, and 1 character for admin users in trusted mode.
Trusted systems are used to secure systems against password database hacks, along with ACL settings.
See the default and passwd man pages to know more.
We can identify whether the system is trusted or non-trusted using the file /tcb/files/auth/system/default or with the iscomsec call.
We can audit the trusted system's logs using sam.
Basic Unix trusted systems functionality is specified here:
http://osr5doc.ca.sco.com:457/OSAdminG/ssC.trusted_concepts.html
Regards,
Muthukumar.
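As an added example (not code from any poster in this thread), the checks described in the two replies above can be turned into a small audit script: it reports trusted mode from the presence of /tcb/files/auth/system/default and counts /etc/passwd entries that still carry a hash or an empty password field. It takes a filesystem root as an argument so it can be exercised against a constructed tree; the sample passwd lines and the hash value in them are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the thread. Audits whether an HP-UX install is in
# trusted (C2) mode and whether /etc/passwd still exposes password material.
# $1 is the filesystem root; pass "/" on a real host, or a constructed tree.

# Prints "trusted" when the protected password database marker noted in the
# thread (/tcb/files/auth/system/default) exists, else "non-trusted".
hpux_trust_mode() {
    root="${1:-/}"
    if [ -f "$root/tcb/files/auth/system/default" ]; then
        echo trusted
    else
        echo non-trusted
    fi
}

# Counts /etc/passwd entries whose password field is neither empty nor the
# "*" placeholder a converted trusted system writes, i.e. hashes readable by
# every local user because /etc/passwd is world-readable.
exposed_hash_count() {
    root="${1:-/}"
    awk -F: '$2 != "" && $2 != "*" { n++ } END { print n+0 }' "$root/etc/passwd"
}

# Counts entries with an empty password field (passwordless logins, which
# the thread says are only possible in non-trusted mode).
empty_password_count() {
    awk -F: '$2 == "" { n++ } END { print n+0 }' "${1:-/}/etc/passwd"
}

# Builds a constructed sample tree under $1 in the mode given by $2.
# The hash "abCDeFg1hIjKl" is a made-up placeholder, not a real hash.
make_sample() {
    dir="$1"; mode="$2"
    mkdir -p "$dir/etc"
    if [ "$mode" = trusted ]; then
        mkdir -p "$dir/tcb/files/auth/system"
        : > "$dir/tcb/files/auth/system/default"
        printf 'root:*:0:3::/:/sbin/sh\nalice:*:101:20::/home/alice:/usr/bin/sh\n' \
            > "$dir/etc/passwd"
    else
        printf 'root:abCDeFg1hIjKl:0:3::/:/sbin/sh\nalice::101:20::/home/alice:/usr/bin/sh\n' \
            > "$dir/etc/passwd"
    fi
}
```

On a real host, a result of "non-trusted" with a non-zero exposed hash count is exactly the situation the replies above warn about.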
07-16-2004 03:54 AM
Re: Trusted system vs Non trusted system
Here's a nice write-up on the same topic:
"1. A trusted system allows system auditing to be turned on.
System auditing enables the ability to trace every system call issued by each user on the system. Non-trusted systems run with system auditing disabled.
2. Trusted systems have improved password management.
Below is a list of password management features:
a. Specification of a grace period and expiration period for passwords.
b. The ability to specify system-wide password aging.
c. The ability to specify an absolute account life.
d. The ability to disable accounts after repeated login failures.
e. Passwords lengths of up to forty (40) characters.
f. The ability to access a random password generator.
3. Trusted systems have additional login restrictions, while non-trusted systems do not. Below are the features of trusted system login restrictions:
a. In addition to account disabling, the account may also be locked.
b. Setting accounts to be accessed only at certain times of the day.
c. The ability to specify account location access. In other words, account access at specific devices, workstations, and so on.
d. The ability to specify a single-user boot password.
Note: These login restrictions are NOT available on NON-TRUSTED systems.
4. A trusted system has shadowed passwords, while a non-trusted system does not have shadowed passwords. Shadowed passwords are kept in locations other than /etc/passwd. This prevents users from viewing the /etc/passwd file and determining which accounts do not have passwords. This also prevents hackers from running "password cracker programs" against passwords in the /etc/passwd file.
For more information, please refer to the following document:
"Administering Your HP-UX Trusted System"
The document is located at the following web site:
http://docs.hp.com/hpux/onlinedocs/B2355-90121/B2355-90121.html
Locate the "Description of the HP-UX Trusted System" section in
the left menu. The following two pages contain more information:
o What is a Trusted System?
o What is C2-Level Trusted Mode?"
Source: http://www.faqs.org/faqs/hp/hpux-faq/section-68.html
HTH.
Regards,
Sri Ram
07-16-2004 04:00 AM
Re: Trusted system vs Non trusted system
You might also be interested in these docs:
a) www.giac.org/practical/GSEC/Stephen_Radford_GSEC.pdf
b) wwws.sun.com/software/whitepapers/wp-ts8/ts8-wp.pdf
HTH.
Regards,
Sri Ram
07-17-2004 03:44 AM
Re: Trusted system vs Non trusted system
C2 (Trusted) will break most client-server application authentication as the method used to get password information changes. Instead of using getpwent, the call changes to getprpwent. If the client software does not cater for this then it will stop working.
Also you need to be aware that enabling C2 also enables all sorts of auditing controls. We had a weird problem with cron after enabling C2!
Other issues we saw were to do with things like passwords (though this may have since been addressed). If the password was not C2 compliant BEFORE the system was converted to C2, then it was not possible to change the password at all. Nor was it possible to log in. Luckily that time round I still had an active root session....
Finally, yes, the shadow password capability is now available as a separate software depot. However, certainly when I last looked at this it did NOT support a number of the name services (NIS and LDAP certainly).
The answer is to test, test, test, then test some more before committing to running your applications on a trusted system.
If you have a development environment, then I'd start there - if your developers are forced to work and develop on a C2 system, then the code they develop will more likely work in a C2 production environment.
Col.