Re: understanding /etc/passwd.

senthil_kumar_1 · ‎03-10-2009

Hi All

It is my /etc/passwd

what is the purpose of second filed. I think it is password field.

some line contains * and some other line contains some characters.

what is the difference?

1)
cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)
weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)
mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)
ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)
dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin/ksh

Javed Khan_1 · ‎03-10-2009

Hi,

for above case * means account is locked

Javed

Never Give Up

Ivan Krastev · ‎03-10-2009

The second field is crypted password. See more here - http://docs.hp.com/en/B3921-90010/passwd.4.html

regards,
ivan

Viney Kumar · ‎03-10-2009

Hi

After go through your /etc/passwd file, i think your system is non-trusted system

In non trusted, its means account is locked or you are not assign any passwd for a user

Ashish Parashar · ‎03-10-2009

Hi

Well the second field in the passwd file is for passowrd strings '

You might aware that ,we can have two type of system trusted and nontrusted ...in trusted system the password field conatains * and the actual password string present under /tcb/files/auth directory ..

In non trusted system the string present in password field is actual password of user.

Regards

Ashish

Avinash20 · ‎03-10-2009

The second filed in the /etc/password is for Password of the user.

If it is * it is usually encrypted.

I could find some of the users are having the password "ktieman:4Py4ttQiGGxo <== while some of the users are having "cmurphy:* <<==

I believe you have trusted the server and after that you have untrusted.

When to turn the server into trusted(tsconvert), the password will be encrypted(*) and will be stored in /tcb directory

If you change the again change the system to untrusted, the password field will show as * unless you again change the password.

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

Avinash20 · ‎03-10-2009

Please refer to

http://docs.hp.com/en/B3921-60631/passwd.4.html

Look at the "Password Field"

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

senthil_kumar_1 · ‎03-10-2009

I went thru some documents. I found following things.

There are four types of systems available depending password.

1)non-shadowed standard system:

On a non-shadowed standard system, all password fields contain the actual encrypted password in /etc/passwd.

2)shadowed standard system:

all password fields contain an `*' in /etc/passwd, while the actual encrypted passwords reside in /etc/shadow.

3)non trusted system:

On a non trusted system, all password fields contain the actual encrypted password in /etc/passwd.

4)trusted system:

On a trusted system, all password fields contain a `*' in /etc/passwd and the actual encrypted passwords reside in the Protected Password Database
"/tcb/files/auth "

NOTE: A system that has been converted to a trusted system has no /etc/shadow file

Here I have two questions:

1)How to convert HP-UX as trusted system?
2)How to create encrypted password.?

Avinash20 · ‎03-10-2009

Good question:

1)How to convert HP-UX as trusted system?

## You could convert the system to trusted via

# /usr/lbin/tsconvert

2)How to create encrypted password.?

There are two ways.

Shadow password (pwconv)

or

Convert to Trusted.

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

Avinash20 · ‎03-10-2009

I would advice you to go via
http://docs.hp.com/en/B2355-90121/

Also instead of tsconvert, it better you go via sam and convert it,.

SAM-> Auditing and security ->system security policies

This will ask for the system to get it trusted !!

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

senthil_kumar_1 · ‎03-10-2009

For example /etc/passwd file is

1)root:3Km/o4Cyq84Xc:0:10:System Administrator:/:/sbin/sh

2)joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh

Here the second field contains encrypted password in both the entries.

That is some passwords (real words with letters) are converted as Encrypted password and entered here in second filed.

So I am asking that how to creata a real password as encrypted password?

Avinash20 · ‎03-10-2009

Hi,

root:3Km/o4Cyq84Xc <<--

The password is in encrypted.

The idea behind changing the system to trusted or creating a shadow password is to change the location of /etc/passwd.

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

Avinash20 · ‎03-10-2009

"So I am asking that how to creata a real password as encrypted password?"

Good question..

But it is not possible, since when you provide the password, lot of algorithm gets executed and hence the above encrypted password gets generated.

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

Avinash20 · ‎03-10-2009

How about assigning some points :)

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

senthil_kumar_1 · ‎03-10-2009

Is it possible that some lines have "*" and others have "encrypted password"?

Ex: /etc/passwd

1)
cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)
weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)
mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)
ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)
dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin/ksh

James R. Ferguson · ‎03-10-2009

Hi Senthil:

> So I am asking that how to creata a real password as encrypted password?

# cat mypwgen
#!/usr/bin/perl -l
die "One arg expected\n" unless @ARGV;
print crypt(
$ARGV[0],
join( '',
( '.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z' )[ rand 64, rand 64 ] )
);
1;

...run as:

# ./mypwgen plaintextpw

...the output will be an encrypted password suitable for use with 'useradd'.

Regards!

...JRF...

Avinash20 · ‎03-10-2009

Yes,

Convert the system into Trusted

# /usr/lbin/tsconvert

Password will be in *

Then untrust it

# /usr/lbin/tsconvert -r

Then change the password of any user.

Only for the above user the password will be in encrypted format.

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

senthil_kumar_1 · ‎03-10-2009

what is the default system "shadowed" or "trusted"?

James R. Ferguson · ‎03-10-2009

Hi:

Be advised that the Trusted system implematation is deprecated at 11.31 and will not be supported thereafter. You should consider converting to an '/etc/shadow' implementation.

If you are running on 11.11, you can install:

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

If you are running 11.23 or 11.31, no additional software needs to be installed.

Chapter-8 of this guide discusses this:

http://docs.hp.com/en/B2355-90950/index.html

Regards!

...JRF...

Avinash20 · ‎03-10-2009

what is the default system "shadowed" or "trusted"?

Neither. By default the system will come with normal /etc/password having encrypted password.

"Light travels faster than sound. That's why some people appear bright until you hear them speak."

OldSchool · ‎03-10-2009

Ashish assumes that this system has been converted to trusted mode...I don't believe it has. Its simply a standard password system that has some accounts locked.

in a normal untrusted system, a password of "*" indicates the account was locked.
In your example, lines 1-4 the accounts are locked, while in 5-7 the user has a valid passwd assigned (which is encrypted). you won't see "plaintext" in the password field.

1)cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin

as for "2)How to create encrypted password.?"

Huh? As root, "password " will create a password for . Passwords are always encrypted, no matter standard, trusted or shadow.

senthil_kumar_1 · ‎03-11-2009

can you tell me that history of normal system , trusted system and shadowed system?

such as upto which version trusted system available? and in which version shadowed introduced.? and what is the file names such as "/tcb/files/autt" and "/etc/shadow"

Andrew C Fieldsend · ‎03-11-2009

When UNIX was first created, passwords were stored in the second field of /etc/passwd as a one-way hash of the real password. Since the * character isn't included in the output character set of the hash function, a * in the password field can't match any entered password, thus locking the account.

Later, because /etc/passwd had to be world readable to allow various library routines to access the other user details stored there, it was thought that this was insecure, and the /etc/shadow file was added to hold the password hash (still computed in the same way). This file could be readable only by root, as the only routines which needed to access it (login, su, and the like) would have to be effectively running as root.

The implementations of the original passwd and shadow files are fairly consistent across manufacturers, but the various manufacturers implementations of the "trusted systems" concepts are less so. (Possibly this is why trusted systems are now deprecated at 11.31?)

senthil_kumar_1 · ‎03-11-2009

I think the /etc/password history may be

before HP-UX - 9 ---> /etc/passwd

HP-UX 9 ---> /secure/etc/passwd

HP-UX 10+ ---> /tcb/files/auth

HP-UX 11.23+ --> /etc/shadow.

Is this information correct?

which is more secure "/etc/shadow" or "/tcb/file/auth"?

OldSchool · ‎03-11-2009

in the std installation, only /etc/passwd is used.

the 'tbc' related stuff indicates that the system in question has been converted to "trusted". Which as JRF noted above, is deprecated at 11.31 (may not be supported int the future)

"shadow" password package is available for 11.11 and up.

as to which is "more secure", I can't address that, but the current direction is moving away from trusted system to shadow password.

of course there are other authentication methods available (LDAP, NIS+ and so forth).

I'm not sure I understand the facination w/ the "history" and which OS versions used what files / methods...especially versions older than 11.xxx.

What is it you are trying to accomplish?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: understanding /etc/passwd.

understanding /etc/passwd.