John Tyler
Advisor

Trusted Systems.

Hello!

I know the many advantages of running HP/UX as a trusted system.

What are the drawbacks? What does one lose when the system is converted to a trusted system?

Does it still support R-functions like RCP/RSH? I know ssh is preferred.

Is it supported on servers running Service Guard?

Any comment/suggestion is appreciated.

TIA
9 REPLIES
Ken Hubnik_2
Honored Contributor
Solution

Re: Trusted Systems.

The only drawback is a little more administration of user accounts and also the root account falls into the same rules as other user accounts.

It does support the R commands.

It does run in a service guard environment.

I prefer to use Trusted systems because of the added security benefits.
Christian Gebhardt
Honored Contributor

Re: Trusted Systems.

Hi
All passwords are changed if you convert to a trusted system.
I do not know other problems.
Chris
John Tyler
Advisor

Re: Trusted Systems.

I heard of certain issues with running R-functions between trusted and non-trusted systems.

Can someone confirm that r-functions work between trusted and non-trusted systems (both ways, using .rhosts for automatic login)?

The problem is that we have user scripts which use rcp and remsh to copy and run commands on remote systems.

So should we convert them all to trusted at the same time?

Thanks,

Uday_S_Ankolekar
Honored Contributor

Re: Trusted Systems.

Trusted systems do work with all the 'r' commands. But before changing all the systems to trusted, do take a backup of the /etc/passwd file.

-USA..
Good Luck..
Timothy P. Jackson
Valued Contributor

Re: Trusted Systems.

Make sure that you check your applications. Trusted systems use different libraries for verifying users, user IDs and probably other functions.

Tim
nck2pg2
Advisor

Re: Trusted Systems.

I found out that a trusted system won't allow rlogin without prompting for a password.
Wiryanto Victor
Occasional Advisor

Re: Trusted Systems.

When I converted mine to a trusted system, I found out that after 3 tries of a wrong password entered via a telnet session, the account would be locked. But I managed to resolve it by logging in from the console. Still, that would give other admins/users a chance to sabotage the account.
John Payne_2
Honored Contributor

Re: Trusted Systems.

You lose the ability to forget the root password and boot to single user mode just to reset it. (It asks for the old password when trusted.) A workaround for this is to have a user (like you) with restricted sam permissions. (You could log in and untrust your system, among other things.)

The trusted system stuff lets you configure the number of incorrect logins allowed before a suspend, and stuff like that.

Other than that, there aren't really too many problems with having a trusted system. You may want to be careful about how you trust the system if you have had users on the system for some time, as the default policies tend to expire passwords and stuff like that. After converting, I would definitely leave your root session logged in to make sure everything's happy.

We have one system that is untrusted due to some dumb little database/application problem with the tcb structure. It is a 10.20 box with an old informix database on it. Everything else is trusted, and it works fine.

Hope it helps

John
Spoon!!!!
mvr
Regular Advisor

Re: Trusted Systems.

A couple of things to make life easier:

1) Make a copy of /etc/passwd
2) Make sure you don't have any special characters in /etc/passwd (if you are running SAMBA and your workstations need to be members of the domain where HP-UX is the PDC, then you have an entry in your /etc/passwd something like wsat1$:*:.......)
3) All of your passwords will be expired; I suggest you execute the command modprpw -V and save some headaches
4) HAVE AT LEAST TWO SESSIONS OPENED AS ROOT (just in case you lock out your root user)

Good luck

Miro
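
The first two items of the checklist above (copy /etc/passwd, then look for special characters in it) written as a small POSIX sh script. This is an added example, not part of any post in this thread; the function names, the allowed login-name character set and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-conversion checks on a passwd-format file (added example).
# Assumption: "special character" = anything outside A-Z a-z 0-9 _ . -
# in the login-name field. Adjust the pattern to your own policy.

# Copy the file aside with a timestamp; prints the path of the copy.
backup_passwd() {
    dest="$2/passwd.pre-trusted.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$dest" && echo "$dest"
}

# Print "line:name:reason" per suspicious entry; exit status 1 if any.
check_passwd() {
    awk -F: '
        BEGIN      { bad = 0 }
        /^[ \t]*$/ { next }                       # ignore blank lines
        NF != 7    { printf "%d:%s:expected 7 fields, found %d\n", NR, $1, NF
                     bad = 1; next }
        $1 == ""   { printf "%d::empty login name\n", NR; bad = 1; next }
        $1 !~ /^[A-Za-z0-9_.-]+$/ {
                     printf "%d:%s:special character in login name\n", NR, $1
                     bad = 1 }
        seen[$1]++ { printf "%d:%s:duplicate login name\n", NR, $1; bad = 1 }
        END        { exit bad }
    ' "$1"
}

# Constructed sample: line 3 is a Samba machine account like the one
# mentioned in the post, line 4 is a truncated entry.
write_sample() {
    cat > "$1" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:101:20:Alice Example:/home/alice:/usr/bin/sh
wsat1$:*:2001:200:Samba machine account:/dev/null:/usr/bin/false
broken:*:102:20
EOF
}

# Demo on the sample only; point the functions at /etc/passwd yourself.
sample=$(mktemp)
write_sample "$sample"
check_passwd "$sample" || echo "fix the entries above before converting"
rm -f "$sample"
```
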