Trusted system after pwconv (255 Views)
Reply
Advisor
Timothy Nibbe
Posts: 25
Registered: ‎09-19-2007
Message 1 of 8 (255 Views)

Trusted system after pwconv

I have a system running 11i v2 that has had the pwconv command ran on it to create shadow passwords.

I want to convert the system to a Trusted system, and SAM will not allow me to do this because of the shadow passwords.

Can a system that has had the pwconv command ran on it be converted to a Trusted system?
Honored Contributor
Kapil Jha
Posts: 1,478
Registered: ‎01-23-2006
Message 2 of 8 (255 Views)

Re: Trusted system after pwconv

u have to do pwunconv and then convert to trusted.
system with shadow passwd can not be trusted.
BR,
Kapil
I am in this small bowl, I wane see the real world......
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 3 of 8 (255 Views)

Re: Trusted system after pwconv

Hi Timothy:

You either run a shadow password implementation or a TCB one. If you wish to transition to TCB, you can run 'pwunconv(1m)' to disable shadow passwords and then convert to a TCB.

I would point out that as of 11.31, Trusted system implementations are deprecated.

Bill Hassell has some good comments in this thread:

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1214608

Regards!

...JRF...

Honored Contributor
Kapil Jha
Posts: 1,478
Registered: ‎01-23-2006
Message 4 of 8 (255 Views)

Re: Trusted system after pwconv

>>system with shadow passwd can not be trusted
should be

>>system with shadow passwd can not be TCB

this could make sm difference in understanding ;)

Kapil
I am in this small bowl, I wane see the real world......
Advisor
Timothy Nibbe
Posts: 25
Registered: ‎09-19-2007
Message 5 of 8 (255 Views)

Re: Trusted system after pwconv

Thanks.

I was needing to implement account lockout after n login failures and the only way I could see to do that was to go to Trusted mode.
Honored Contributor
Bill Hassell
Posts: 14,226
Registered: ‎05-29-2000
Message 6 of 8 (255 Views)

Re: Trusted system after pwconv

Actually, there is a new package for 11.23 and later called Standard Mode Security Extension (SMSE). Trusted is the best choice as it has a large set of controls for authentication but old applications often do not use PAM and assume all Unix boxes have a shadow password file. SMSE adds the needed enhancements but retain a more compatible interface for the old stuff.
Honored Contributor
Emil Velez
Posts: 1,450
Registered: ‎05-17-2000
Message 7 of 8 (255 Views)

Re: Trusted system after pwconv

Standard Mode Security Extensions SMSE

provides you most of the features of trusted systems really except for generating passwords. You can restrict certain users to certain passwords. you can lock the account after a certain number of retries. It is configured with a command called

userdbset and userdbget look them up.

If you attend the HPUX Security class we cover the features there.
Advisor
Timothy Nibbe
Posts: 25
Registered: ‎09-19-2007
Message 8 of 8 (255 Views)

Re: Trusted system after pwconv

Thank you very much.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.