Operating System - HP-UX

MAD_2
Super Advisor

What I should be aware of if turning to Trusted Mode!

Recently I came up under some scrutiny during a security inspection. One of the suggestions was to turn into trusted mode. What advice can I get about "Trusted Mode" and what should I be concerned about if I do switch my system to "Trusted Mode"?

Would it affect applications in any way? How about logins? Where do I start looking so that I can be proactive in case something goes wrong? How difficult is it to switch back from "Trusted Mode" in case things do not work out as expected or desired? Please lead me in the right direction to find some answers if any of you can.

Thanks.
Contrary to popular belief, Unix is user friendly. It's just very particular about who it makes friends with
Steven Mertens
Trusted Contributor

Re: What I should be aware of if turning to Trusted Mode!

hi,

If you turn your system into trusted mode,
the encrypted password will no longer reside
in /etc/passwd. There will be a directory
/tcb that contains all the specific userfiles.
So it's not possible for ordinary users
to get the encrypted password, because
weak passwords can easily be cracked.

If you have applications that make use of
/etc/passwd you will have some trouble, I guess.

I think (not sure) you can easily go back
from a trusted to a non-trusted system.

rgds.,

Steven
Scott Van Kalken
Esteemed Contributor

Re: What I should be aware of if turning to Trusted Mode!

you can easily go back from a trusted system using the command tsconvert -r

however, all passwords are then truncated.
Michael Tully
Honored Contributor

Re: What I should be aware of if turning to Trusted Mode!

Hi,

For a full description have a look at these documents.


http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90121/B2355-90121_top.html&con=/hpux/onlinedocs/B2355-90121/00/00/4-con.html&toc=/hpux/onlinedocs/B2355-90121/00/00/4-toc.html&searchterms=trusted&queryid=20020804-171416
http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90701/B2355-90701_top.html&con=/hpux/onlinedocs/B2355-90701/00/00/65-con.html&toc=/hpux/onlinedocs/B2355-90701/00/00/65-toc.html&searchterms=trusted&queryid=20020804-171416

As described, a trusted system removes the passwd encryptions from the /etc/passwd file. It replaces the entry with a '*' character. It also sets up a database under /tcb directory (which must remain in the '/' filesystem).
You can use 'sam' to turn it on or off. You can use the 'tsconvert' command to switch on from the command line. You can use 'tsconvert' to revert it back. Be aware that when turning it on, *all* users will have their passwds reset, meaning that their account passwords expire immediately.
For further info, check the on-line documents.

HTH
Michael
Anyone for a Mutiny ?
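A way to verify the state described in the reply above, written as an added example that is not part of the original thread: it reports which accounts in a passwd-format file still carry something other than '*' in the password field. The function names `passwd_audit` and `passwd_mode` are hypothetical, and the file path is passed as an argument.

```shell
# Added example (not from the thread). POSIX sh + awk only.

# passwd_audit FILE -> one line per account: "<user> <state>", where state is
#   star   field 2 is "*" (what the reply says trusted mode leaves behind)
#   empty  field 2 is empty (the account has no password at all)
#   hash   anything else: a hash or lock string readable by every local user
passwd_audit() {
    awk -F: 'NF >= 7 && $1 !~ /^[#+-]/ {
        s = ($2 == "*") ? "star" : ($2 == "") ? "empty" : "hash"
        print $1, s
    }' "$1"
}

# passwd_mode FILE -> "converted" when every account shows "*",
# otherwise "exposed:<n>" with the number of accounts that do not.
passwd_mode() {
    passwd_audit "$1" | awk '$2 != "star" { n++ } END {
        if (n) print "exposed:" n; else print "converted" }'
}
```

Run `passwd_mode /etc/passwd` before and after the conversion on the test system; any `hash` or `empty` line from `passwd_audit` after conversion deserves a look.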
Wayne Buttie
Occasional Contributor

Re: What I should be aware of if turning to Trusted Mode!

I turned one of my systems into a trusted system, and it gave me some problems. Some of our users run an application from their desktop that then logs onto the Unix system. Due to the trusted system mode moving the /etc/passwd file to another area the users' application didn't like it and the users could not log in.

My advice is to run this on a test system before placing it on your production system.
Sajid_1
Honored Contributor

Re: What I should be aware of if turning to Trusted Mode!

hello,

As described, trusted mode is more TRUSTED! For answering your questions:
1) Applications will not have any direct impact. Check the applications that need a user login
2) Logins will be affected, there will not be any password entries in /etc/passwd, you can assign password again, accounting etc. It's more secure.
3) You can do a search in the forums and check the issues and advantages about using trusted mode. Also for documentation, check www.docs.hp.com
4) It's not difficult at all. You can do it through SAM or from command line:
# tsconvert -r
5) I would recommend you to plan first, the way you want to apply C-2 level security to your system. You will get a better idea when you go through the docs.

good luck
learn unix ..
Printaporn_1
Esteemed Contributor

Re: What I should be aware of if turning to Trusted Mode!

Hi,

Before doing the conversion, make sure that all users' passwords are not greater than 8 characters;
otherwise, after the conversion they will not be able to log in with the same password.
enjoy any little thing in my life
Darren Prior
Honored Contributor

Re: What I should be aware of if turning to Trusted Mode!

Hi,

There are some applications out there that are not trusted aware; these can cause problems as they read/write the password in /etc/passwd rather than using the correct system calls for password manipulation.

regards,

Darren.
Calm down. It's only ones and zeros...
Sanjay Yugal Kishore Ha
Frequent Advisor

Re: What I should be aware of if turning to Trusted Mode!

One more point to note: what is the target system's configuration - is it basic or NIS+? Note that conversion to trusted mode is not supported in NIS systems.

Check your /etc/nsswitch.conf entries. They should be similar to that of /etc/nsswitch.files or /etc/nsswitch.nisplus depending on whether the system is Basic or NIS+.

If the entries are similar to nsswitch.compat or nsswitch.hp_defaults, then conversion of a system to trusted mode locks all the accounts, even root's, and disables remote access, allowing console access only!

Cheers
Dying is the last thing that I will do.
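The nsswitch.conf check described in the reply above, as an added example that is not part of the original thread. The function names `nss_entries` and `nss_classify` are hypothetical, and treating "similar" as "same entries once comments, blank lines and spacing are ignored" is an assumption of this sketch.

```shell
# Added example (not from the thread). POSIX sh, sed, awk, sort only.

# Print the effective entries of a name-service switch file:
# comments and blank lines dropped, whitespace collapsed, lines sorted.
nss_entries() {
    sed -e 's/#.*//' "$1" | awk 'NF { $1 = $1; print }' | sort
}

# nss_classify [DIR] -> compares DIR/nsswitch.conf (default /etc) with the
# four templates named in the reply and prints one of:
#   ok:files | ok:nisplus        conversion target the reply calls for
#   risk:compat | risk:hp_defaults   reply warns that accounts get locked
#   unknown                      matches no template, review by hand
#   missing                      nsswitch.conf is absent or unreadable
nss_classify() {
    dir=${1:-/etc}
    [ -r "$dir/nsswitch.conf" ] || { echo "missing"; return 2; }
    conf=$(nss_entries "$dir/nsswitch.conf")
    for t in files nisplus compat hp_defaults; do
        [ -r "$dir/nsswitch.$t" ] || continue
        if [ "$conf" = "$(nss_entries "$dir/nsswitch.$t")" ]; then
            case $t in
                files|nisplus) echo "ok:$t"; return 0 ;;
                *)             echo "risk:$t"; return 1 ;;
            esac
        fi
    done
    echo "unknown"
    return 3
}
```

Call `nss_classify /etc` on the host before running the conversion; anything other than an `ok:` result means stopping to compare the file by hand first.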
Jeffrey S. Sims
Trusted Contributor

Re: What I should be aware of if turning to Trusted Mode!

From experience, apps that use a login will most likely have problems. Make sure that you have this in mind and don't do it when the system will be needed. I would recommend a Friday night so it gives you time to fix what issues WILL arise.

It is definitely recommended to convert to a trusted system, just be aware of potential problems.

As was suggested earlier, always try this out on a test system first (hopefully one with a similar configuration to the production server).

Hope this helps.
Mark Greene_1
Honored Contributor

Re: What I should be aware of if turning to Trusted Mode!

As Michael stated, *all* of the passwords for all of the login IDs will expire when you activate TCB. Applications that have problems will almost always be those that store the login ID and password for the system, which isn't secure and contrary to the whole concept of TCB to begin with. With sufficient communication and advanced notification for everyone involved, you can minimize if not actually pre-emptively eliminate any downtime from anyone.

Check with the application vendors to see if the apps running on that system need more than read access to /etc/passwd. A well constructed app should not be writing to /etc/passwd, and should never care where the actual password is stored.

HTH
mark
the future will be a lot like now, only later