HPE Community
Operating System - HP-UX
1854815 Members
12473 Online
104103 Solutions
New Discussion

Untrusting A Trusted System

 
SOLVED
Go to solution
Clay Jordan
Advisor

‎07-16-2004 01:04 PM

‎07-16-2004 01:04 PM

Untrusting A Trusted System

I am upgrading a trusted server to new hardware and would like to untrust it to make it easier to oonvert users and groups. This is my first time working with a trusted system and I have never untrusted a server before but have heard some nightmares about it ? Any experience on doing this at 11.11 ?
0 Kudos
Reply
7 REPLIES 7
Jim Mallett
Honored Contributor

‎07-16-2004 01:38 PM

‎07-16-2004 01:38 PM

Re: Untrusting A Trusted System

I believe the supported (HP) method of converting it is within SAM:
Auditing and Security -> Audited Events -> Actions -> Unconvert the System


I have only done it once and I used the command line: tsconvert -r

Jim
Hindsight is 20/20
0 Kudos
Reply
Jim Mallett
Honored Contributor

‎07-16-2004 01:40 PM

‎07-16-2004 01:40 PM

Re: Untrusting A Trusted System

Sorry, I believe the tsconvert is under lbin, so it should be the full path:
/usr/lbin/tsconvert -r

Jim
Hindsight is 20/20
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎07-16-2004 03:24 PM

‎07-16-2004 03:24 PM

Solution

Re: Untrusting A Trusted System

An important note: A Trusted system allows very long passwords so when you un-trust the system, those users will have their passwords broken. You can identify these logins in the /tcb/files/auth directory. In each file under the single letter directories, you can grep for: u_pwd and looking for encrypted strings that are longer than 13 characters. These accounts will need passwords reset.


Bill Hassell, sysadmin
Reply
twang
Honored Contributor

‎07-16-2004 03:47 PM

‎07-16-2004 03:47 PM

Re: Untrusting A Trusted System

To convert to non-trusted systems from trusted systems:
1. login as root
2. execute the command:
# /usr/lbin/tsconvert -r
3. verify that the /etc/passwd file is returned to normal (no '*' in passwd position)
4. verify that the /tcb directory does not exist

Of course you may do it using SAM tool.
Reply
Michael Tully
Honored Contributor

‎07-16-2004 05:18 PM

‎07-16-2004 05:18 PM

Re: Untrusting A Trusted System

One further important note. Be aware that when you trust a system again, all password will expire immediately.
Anyone for a Mutiny ?
Reply
Bharat Katkar
Honored Contributor

‎07-16-2004 06:19 PM

‎07-16-2004 06:19 PM

Re: Untrusting A Trusted System

HI,
Well to untrust the system use:
# /usr/lbin/tsconvert -r
For more details about TCB administration the doc attached.

Regards,
You need to know a lot to actually know how little you know
Reply
Clay Jordan
Advisor

‎07-16-2004 10:15 PM

‎07-16-2004 10:15 PM

Re: Untrusting A Trusted System

Thanks to all for your help
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.