shadow vs trusted
Respected Contributor
David Bellamy
Posts: 211
Registered: 06-29-1999
Message 1 of 5

shadow vs trusted

Hi all,

I have a system where I have to protect the passwd file, but don't want to trust it. Is there a way to implement some sort of shadow passwd file on a regular unix system without having to convert to a trusted system?

thx in advance
Honored Contributor
Patrick Wallek
Posts: 13,711
Registered: 06-21-2000
Message 2 of 5

Re: shadow vs trusted

There is no shadow password file on HP-UX. It is available on Sun Solaris though. Other than converting your system to trusted, there is not a way I know of to protect the password file from prying eyes.
Honored Contributor
Duncan Edmonstone
Posts: 5,677
Registered: 08-05-2000
Message 3 of 5

Re: shadow vs trusted

Why not trust the system?

Do you use NIS? (this is the only reason I can think of for avoiding a trusted system)

HTH

Duncan
Respected Contributor
David Bellamy
Posts: 211
Registered: 06-29-1999
Message 4 of 5

Re: shadow vs trusted

Thx for the responses,
the reason we didn't want to implement a trusted system had to do with passwd syncing, etc. for a ServiceGuard environment. Also, its sister node in that environment runs PeopleSoft, which is not C2 certified.
Honored Contributor
Christopher Caldwell
Posts: 697
Registered: 06-04-1996
Message 5 of 5

Re: shadow vs trusted

Trusted and C2 aren't the same thing. Just because it's trusted doesn't mean you meet the government's C2 certification criteria.

In HP'ese, if you are Trusted and you employ all of the safeguards required by the government, then you're C2. Many of the requirements have to do with auditing and the like (things you get by being trusted, but not necessarily things you have to use when you are trusted). If you're not DOD or DOE, you shouldn't have to worry about C2.

Given that, Trusted and Shadow are fairly similar. It's certainly possible to keep passwords sync'd between trusted/non-trusted systems; it just might be a little harder. Just as there are password extraction capabilities for non-trusted systems, there are similar capabilities for trusted systems:
see
man getprpwent
vs
man getpwent

You can use these capabilities to keep things in sync.

Usually if a vendor doesn't run on a trusted system, it's because they haven't taken the 10 minutes required to conditionally reference the trusted system library calls and link to a library :-(.
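
Added example, not part of the original thread or any poster's code: a small C check that reports which entries in a passwd(4)-format file still carry a hash in the world-readable password field, which is the exposure the thread is about. It assumes the classic colon-separated layout; the function names and sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pw_field { PW_MALFORMED, PW_EMPTY, PW_PLACEHOLDER, PW_HASH_EXPOSED };

static const char CRYPT_SET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Classify the password field (second field) of one passwd(4) line. */
enum pw_field classify_passwd_line(const char *line)
{
    size_t name = strcspn(line, ":\n");
    if (name == 0 || line[name] != ':') return PW_MALFORMED;
    const char *field = line + name + 1;
    size_t len = strcspn(field, ":\n");
    if (field[len] != ':') return PW_MALFORMED;   /* no uid field follows */
    if (len == 0) return PW_EMPTY;                /* account has no password */
    if (field[0] == '$' && len > 3) return PW_HASH_EXPOSED;  /* $id$salt$hash */
    /* Classic 13-character crypt(3) hash, optionally followed by ",aging". */
    if (strspn(field, CRYPT_SET) == 13 && (len == 13 || field[13] == ','))
        return PW_HASH_EXPOSED;
    return PW_PLACEHOLDER;   /* "x" or "*": hash is stored elsewhere, or locked */
}

/* Count entries in a passwd-format buffer whose hash is readable in place. */
int count_exposed(const char *buf)
{
    int n = 0;
    while (*buf != '\0') {
        if (classify_passwd_line(buf) == PW_HASH_EXPOSED) n++;
        buf += strcspn(buf, "\n");
        if (*buf == '\n') buf++;
    }
    return n;
}

/* Constructed sample entries, not taken from any real system. */
static const char SAMPLE[] =
    "root:Zz1aB2cD3eF4g:0:3::/:/sbin/sh\n"
    "oracle:Qx7rT0aLmN2pE,..:101:20::/home/oracle:/usr/bin/sh\n"
    "daemon:*:1:5::/:/sbin/sh\n"
    "psoft:x:102:20::/home/psoft:/usr/bin/sh\n"
    "guest::103:20::/home/guest:/usr/bin/sh\n";

int main(void)
{
    printf("entries with an exposed hash: %d\n", count_exposed(SAMPLE));
    return 0;
}
```
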
