
Trusted Systems

Erich Donze
Occasional Advisor

Trusted Systems

I'd like to turn on shadowed passwords. I tried
/usr/sbin/pwconv
It said I needed to use sam and convert the system to a trusted system. I'd like to do this, but I'm concerned that it will do crazy things, like force me to change passwords that more than one person needs access to, or that are coded in a script somewhere. Should I trust trusted systems? Is there a way to implement just portions of the trustedness? Thanks in advance,
Erich
Hai Nguyen_1
Honored Contributor

Re: Trusted Systems

Erich,

Using SAM to turn your system into the trusted environment is the safest and easiest way. It will NOT force you to change passwords.

Hai
Paul Sperry
Honored Contributor

Re: Trusted Systems

Use SAM to convert your system to trusted. If a code or script breaks you can always use sam to go back to being untrusted. I
Bill Douglass
Esteemed Contributor
Solution

Re: Trusted Systems

You didn't mention, but if you're on 11i you can install the ShadowPassword product separately from converting to a trusted system.

D/L the software from

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=ShadowPassword
Jeff Schussele
Honored Contributor

Re: Trusted Systems

Hi Erich,

Be careful - converting to trusted CAN alter PWs. Specifically PWs *longer* than 8 chars. What happens is ONLY the first 8 chars are converted, BUT when you enter the original PW ALL the chars are evaluated. Will work if after converting you ONLY enter the first 8 chars of the org PW.
Another thing to do when converting is to have TWO root windows open so that when you test the root login/PW - you have *another* window where you can manipulate the root PW from...just in case.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Michael Tully
Honored Contributor

Re: Trusted Systems

If you have an environment where people share passwords ... security problem ...
You're better to get these people to use separate accounts and run the same profile/menu program where you can.
If they need command line access, then have them 'su' to these accounts. Then at least everything is logged.

As far as passwords are concerned, and the length of these, Jeff has answered this question. Do bear in mind that *all* passwords expire when converting to a trusted system.

Regards
Michael
"When I have trouble spelling, it's called fat finger syndrome"

Anyone for a Mutiny ?
Keith Buck
Respected Contributor

Re: Trusted Systems

Note that using SAM or Bastille to convert to trusted system uses modprpw to NOT expire all passwords immediately. Using tsconvert manually expires passwords as a default side-effect.

If all you need is shadow passwords, definitely try the "Shadow Password" product mentioned above. Trusted systems also enables a lot of auditing features, which may or may not be needed in your environment.

-Keith
Erich Donze
Occasional Advisor

Re: Trusted Systems

I knew I was going to get flamed about the shared accounts. I should've added a disclaimer. I should write a book: 'When Best Practices Aren't Practical, Or Even Practicable.'