Re: Disabling trusted mode - impact? (115 Views)
Advisor
PM Srividhya
Posts: 33
Registered: ‎02-14-2007
Message 1 of 3 (142 Views)

Disabling trusted mode - impact?

Hello,

We are planning for a centralized authentication for our HP-UX and Linux servers through LDAP using the OID (Oracle Internet Directory) integrated with our Microsoft Active Directory.

To enable this we need to convert our systems to untrusted mode, as in trusted mode long usernames are not supported.

We are planning to centralize only the system/DB administrators and operators user-ids, and the service accounts used for application installation will remain locally in the individual server.

Want to know if there will be any impact on the applications like Oracle Databases, Oracle Ebusiness suite, Oracle Apps servers etc. installed on these servers?

What will be the overall impact in converting a server from trusted mode to untrusted mode on a production environment?

 

Thanks,
Srividhya

Honored Contributor
Patrick Wallek
Posts: 13,720
Registered: ‎06-21-2000
Message 2 of 3 (122 Views)

Re: Disabling trusted mode - impact?

The biggest negative to disabling trusted mode is that your hashed passwords will now be visible in the /etc/passwd file for those accounts you are keeping local.

Since /etc/passwd must be readable by everyone, that is a very bad idea. Someone could potentially grab the passwd file, take it home, and start running programs like John The Ripper or Crack or other things to try to discover passwords.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 3 of 3 (115 Views)

Re: Disabling trusted mode - impact?

How about switching to shadow password mode? That would fix the weakness of having the local password hashes visible in /etc/passwd.

As far as I know, most Oracle products you mentioned would tend to have their own built-in authentication systems, instead of relying on system passwords. So the impact to applications from the trusted -> non-trusted (-> shadow?) transition should be minimal or non-existent.

Just remember that a transition from trusted to non-trusted mode will truncate the stored password hashes so that only the first 8 characters of the stored passwords are retained. So if the user has more than 8 characters in his/her password, there might be some issues. (Usually the non-trusted mode will simply ignore any characters after the 8th when checking a password, but there might be some special snowflake software that insists on an exact match.)

MK
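
A check an administrator could run against a copy of /etc/passwd before and after the conversion, added here as an example and not part of the original thread: it reports which local accounts carry a hash in the world-readable file, and which of those are traditional 13-character crypt(3) hashes where only the first 8 password characters count. The function names, status labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of each passwd-format entry.

audit_passwd() {
    # $1: path to a passwd-format file, or "-" for stdin (default /etc/passwd)
    awk -F: '
    /^#/ || /^$/ { next }                 # skip comments and blank lines
    NF < 7 { print $1 ":MALFORMED"; next }
    {
        field = $2
        sub(/,.*/, "", field)             # drop a password-aging suffix
        if (field == "x")
            status = "SHADOWED"           # hash lives in the shadow file
        else if (field == "")
            status = "EMPTY_PASSWORD"     # account has no password at all
        else if (field ~ /^[*!]/)
            status = "NO_HASH_IN_FILE"    # locked, or hash stored elsewhere
        else if (length(field) == 13 && field ~ "^[./0-9A-Za-z]+$")
            status = "EXPOSED_DES_CRYPT_8CHAR"  # 2 salt + 11 hash characters
        else
            status = "EXPOSED_OTHER"      # some other hash, still world-readable
        print $1 ":" status
    }' "${1:-/etc/passwd}"
}

# Constructed sample entries (not real accounts or real hashes).
sample_passwd() {
    cat <<'EOF'
root:AAconstructed:0:3::/:/sbin/sh
oracle:BBconstructed,..:101:20::/home/oracle:/usr/bin/sh
opsuser:x:102:20::/home/opsuser:/usr/bin/sh
svcapp:*:103:20::/home/svcapp:/usr/bin/false
guest::104:20::/home/guest:/usr/bin/sh
dbadmin:$6$constructedsalt$constructedhash:105:20::/home/dbadmin:/usr/bin/sh
EOF
}

# Demonstration on the constructed sample; use "audit_passwd /etc/passwd" on a host.
sample_passwd | audit_passwd -
```

Any account reported as EXPOSED_* after the conversion is one whose hash any local user can read; after a move to shadow mode every local account should report SHADOWED.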