
Re: Trusted Systems

 
Chris Devlin_1
Occasional Contributor

Trusted Systems

Hi

I am trying to find out if it is possible to have an individual user on a trusted system non-trusted. I need this to have a user and password the same for an in-house application.

Many thanks
Chris
Darren Prior
Honored Contributor

Re: Trusted Systems

Hi Chris,

Nope, you cannot have an individual "untrusted" as it's the system that's trusted, rather than on a user by user basis.

Can you explain what you require for this user in a little more detail, as there are some areas of configuration for individuals.

regards,

Darren.
Calm down. It's only ones and zeros...
Ravi_8
Honored Contributor

Re: Trusted Systems

Hi Chris,

You can't have, as the password conditions apply to all users (including root) in a trusted machine.
never give up
Robert-Jan Goossens
Honored Contributor

Re: Trusted Systems

Darren forgive me, but take a look at this doc.

Trusted System: determine which accounts have password aging disabled

http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000065676965

So it is possible?

Robert-Jan.
Steven E. Protter
Exalted Contributor

Re: Trusted Systems

Trusted is a system state, not a user state.

The best you can do is set the password length minimum on the trusted system to 8 and make the passwords the same.

Secure shell and public key exchange might help. Attaching a cookbook and a link to the free software.

Secure Shell: a replacement for rcp ftp and telnet that encrypts passwords

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Darren Prior
Honored Contributor

Re: Trusted Systems

Robert-Jan, you're totally forgiven ;) It's fine to have password ageing disabled for a user.

I'm not 100% sure what the original poster is after; if his application doesn't use the correct system calls to access the password info for a user then he'll have to have the system untrusted. On the other hand, maybe he wants to have an identical password for a user on 2 systems and is trying to see if this is possible with trusted systems.

Hopefully we'll find out more when he discovers all the replies :)

regards,

Darren
Calm down. It's only ones and zeros...
Chris Devlin_1
Occasional Contributor

Re: Trusted Systems

Hi Darren

Basically we have 500+ machines (combination of UNIX and NT) around Europe which currently ftp information to this server. The ftp login they use currently has a user/password combination which is the same. This is no problem at present as our server is untrusted. I have been told that this server must be trusted, and it is not an option to change the password as it would mean an update of the 500+ machines.

Any ideas?

Thanks
Chris
Darren Prior
Honored Contributor

Re: Trusted Systems

Hi Chris,

In that case Robert-Jan's post contains a link to the answer you require. :)

It's not a problem to turn off password ageing for your single user. The system is still trusted (with all the benefits and features.)

I hope you have security measures in place to limit the access of this user, as it's not the best solution to have 500 odd machines with a hardcoded password into your server!

regards,

Darren.
Calm down. It's only ones and zeros...
Chris Devlin_1
Occasional Contributor

Re: Trusted Systems

Hi Darren

Just to confirm, what I need here is an example:

username is: jbloggs
password is: jbloggs

On a trusted server, when you try to have the same password as the username you get the error: "Password cannot be circular shift of logonid." On an untrusted system this is not a problem.

I am looking for a way around this on a trusted server.

Thanks
Chris
Darren Prior
Honored Contributor

Re: Trusted Systems

Hmmm, I didn't think you could do that on an untrusted system!

It appears that even root cannot set a password to the same string as the username on a trusted system. There isn't a way of weakening the security of the passwd command, only for strengthening it!

If you really, really wanted to force this password to the username you could potentially use crypt to encrypt it and then put it in the relevant user's file. I'd say that would be a terribly bad idea though...

In terms of security, it's really not a good idea to have the password matching the username. I reckon it might be time to change the password to something else and make the change on all those machines. The bonus is that as it is stored in a script you can make the password very obscure - just a random collection of characters as no-one needs to remember it!

regards,

Darren
Calm down. It's only ones and zeros...
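
Added example, not part of any post in this thread and not HP-UX code: a Python sketch of the kind of check behind the "Password cannot be circular shift of logonid" error quoted above, together with generating a random password for a scripted account as suggested in the preceding reply. The reverse and case-insensitive comparisons are assumptions taken from the classic passwd(1) rule, and the function names are hypothetical.

```python
import secrets
import string


def circular_shifts(s):
    """Return every rotation of s (including s itself)."""
    return {s[i:] + s[:i] for i in range(len(s))}


def too_close_to_login(login, password):
    """True if password is the login name, its reverse, or a circular shift.

    Assumption: comparison ignores case, as in the classic passwd(1) rule.
    """
    login, password = login.lower(), password.lower()
    if not login or len(login) != len(password):
        return False
    return password in circular_shifts(login) or password == login[::-1]


def random_service_password(login, length=16):
    """Random password for a scripted account that nobody has to remember."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_letter = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        if has_letter and has_digit and not too_close_to_login(login, candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample: the login name from the thread and some candidates.
    for pw in ("jbloggs", "bloggsj", "sggolbj", "JBLOGGS", "q7Rm2xLp"):
        verdict = "rejected" if too_close_to_login("jbloggs", pw) else "accepted"
        print(pw, verdict)
    print("generated:", random_service_password("jbloggs"))
```
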
Steve Mills_1
Occasional Contributor

Re: Trusted Systems

Chris,

I can hear your spurs chink from here, so as you're clearly a cowboy, here's a cowboy solution.

On another system, or even the same one, change some irrelevant user's passwd to the one you require. Then cut and paste the encrypted passwd from this user into the tcb u_passwd field for the pertinent user.

Cheers
Millsy
(chink)

Re: Trusted Systems

Chris,

Why does your system have to be trusted?

Is it running 11i?

The reason I ask is that the 'word on the street' is that HPUX11i will soon support a shadow password facility similar to Solaris. This might satisfy the auditing/security requirements for your system without the way the passwd command functions changing significantly (although it might have the same issue as trusted).

HTH

Duncan

I am an HPE Employee