trusted system
Brozza_1
Occasional Contributor

trusted system

Hi all!

Can any of you tell me about your experience with trusted systems under HP-UX 11.00 and 11.11? The thing is, we'd like to convert our systems to trusted and need to know if there is any disadvantage to it. Thanks.
Fabio Ettore
Honored Contributor

Re: trusted system

Hi Brozza,

On docs.hp.com you can find many useful hints and suggestions for managing your trusted system, and its possible known problems.
Anyway,

KBRC00012678 - TRUSTED: System generated password length exceeds maximum length

already reports a warning about password lengths, and

KBRC00010639 - Troubleshooting a Trusted system

is about general troubleshooting on a trusted system.

I hope this helps you.

Best regards,
Ettore
WISH? IMPROVEMENT!
Mei Jiao
Respected Contributor
Solution

Re: trusted system

In my experience, the most frequent problem reported for a Trusted System is the root user account being disabled after root's password has been keyed in wrong 3 times (the default is 3 times).

To resolve this, you must bring the system down to single-user mode to change the root password.

Or you may want to increase the 'Unsuccessful Login Tries Allowed' under 'General User Account Policies' using SAM.

Hope this helps!
RAC_1
Honored Contributor

Re: trusted system

I never had any problems with trusted systems.

You have more control over passwords, expiry time and a whole lot of other details. For accounts getting disabled, you can set the max. no. of unsuccessful logins. For root I always set it a bit high.

Also, immediately after you convert to trusted systems, in order to avoid getting all logins expired, execute the following command.

/usr/lbin/modprpw -V

Check the man pages for getprpw, getprdef, modprpw, modprdef.

Hope this helps.
There is no substitute to HARDWORK
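The two replies above both come down to the same question an admin has to answer before reaching for SAM or the console: why is this account locked, and how many tries does its policy allow? The script below is an added example, not code from this thread or from HP. It decodes the 7-character "lockout" bit string that getprpw(1M) reports for a user (position meanings as I recall them from the getprpw man page, so confirm against the man page on your own system) and pulls the per-user unsuccessful-login limit out of the same output. The sample line it works on is constructed to look like getprpw output; on a real trusted host you would feed it the real output instead (for example from `getprpw root`, or `getprpw -r -m lockout root` for the raw field alone, flags as I recall them).

```shell
#!/bin/sh
# Added example (not from the thread): explain an HP-UX Trusted System
# lockout before touching the account. Field meanings follow getprpw(1M)
# as I recall it; the SAMPLE line below is constructed, not captured.

# Meaning of each position in the 7-character lockout bit string,
# left to right (1 = condition present, 0 = not present).
lockout_reason() {
    case "$1" in
        1) echo "past password lifetime" ;;
        2) echo "past last login time (inactive account)" ;;
        3) echo "past absolute account lifetime" ;;
        4) echo "exceeded unsuccessful login attempts" ;;
        5) echo "password required and a null password" ;;
        6) echo "admin lock" ;;
        7) echo "password is a *" ;;
        *) echo "unknown position $1" ;;
    esac
}

# decode_lockout BITS: print one reason per set bit, or "not locked".
# Exit status: 0 unlocked, 1 locked, 2 malformed input.
decode_lockout() {
    bits="$1"
    case "$bits" in
        [01][01][01][01][01][01][01]) ;;
        *) echo "malformed lockout field: $bits" >&2; return 2 ;;
    esac
    locked=0
    pos=1
    while [ "$pos" -le 7 ]; do
        bit=$(printf '%s' "$bits" | cut -c"$pos")
        if [ "$bit" = 1 ]; then
            lockout_reason "$pos"
            locked=1
        fi
        pos=$((pos + 1))
    done
    [ "$locked" -eq 1 ] || echo "not locked"
    return "$locked"
}

# field_of NAME LINE: extract NAME=value from a "key=value, key=value"
# line in the style getprpw prints without -r.
field_of() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^[[:space:]]*$1=//p"
}

# Constructed sample: root locked after too many bad passwords, with the
# default limit of 3 unsuccessful tries (umaxlntr) still in place.
SAMPLE='uid=0, umaxlntr=3, lockout=0001000'

report() {
    bits=$(field_of lockout "$SAMPLE")
    tries=$(field_of umaxlntr "$SAMPLE")
    echo "max unsuccessful tries allowed: $tries"
    if ! decode_lockout "$bits"; then
        echo "-> account is locked; for root, a successful console login reactivates it"
    fi
}
report
```

Only position 4 (too many bad passwords) is cleared by a successful login; the other positions point at lifetime or administrative settings that a console login alone will not undo, so decoding the field first tells you whether the console trick from later in this thread will actually help.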
Marco Santerre
Honored Contributor

Re: trusted system

Trusted Systems are very nice to have, especially if your corporation is audited. They allow you to set up password aging, account deactivation and neat security stuff.

Most of the problems I've encountered have to do with account deactivation. People don't always remember that they only have 3 (or x number of) tries to get their password right before being locked. Also, as already mentioned, root being locked can create havoc (especially if you don't have another root-type account), because not only will it lock your root account and stop you from accessing it, but if you're using r-commands, like in ServiceGuard, it'll always ask you for a password, and even if it's the right one, it won't work, causing jobs to fail.

But in my mind, the advantages far outweigh the disadvantages.
Cooperation is doing with a smile what you have to do anyhow.
doug hosking
Esteemed Contributor

Re: trusted system

Brozza, can you tell us why you want to convert to trusted systems? Is it because of protected passwords, auditing, password restrictions or some other reason? Knowing what's important to you would help us give you better answers.

Do you run NIS? You can't mix trusted mode and NIS.

If you decide to convert to trusted mode, be sure you have current patches for libsec, tsconvert and libpam before converting. That will help you avoid several potential problems.

James Lynch
Valued Contributor

Re: trusted system

One point to note on re-enabling the root account after it has been disabled/locked. You should not have to bring the system to single-user mode in order to reactivate the account. All you have to do is log in successfully from the console as root. Even with the system being trusted, root access is always allowed from the console, even if the account is locked. The act of logging in on the console as root will automatically reactivate the root account.

JL
Wild turkey surprise? I love wild turkey surprise!
Mei Jiao
Respected Contributor

Re: trusted system

James, you're right. I've done testing on a server: after the root account has been locked/disabled, logging in through its console automatically re-activates the root account. Will take note of this. :)

By the way, I think bringing the system down to single-user mode to re-activate the root account is unavoidable for a workstation? Unless we have another active telnet session logged in as root?
James Lynch
Valued Contributor

Re: trusted system

I'm not 100% sure on this, since I don't have a workstation to test on, but I think that you should still be able to log in as root without bringing the system down to single-user mode. Remember that the graphics head that you normally log in on is also the console port. You may just need to bypass the CDE window environment. This is usually accomplished by selecting an option from the login (dtgreet) screen to log in as a text/normal session.

JL
Wild turkey surprise? I love wild turkey surprise!