shadow vs trusted (137 Views)
Respected Contributor
Posts: 211
Registered: ‎06-29-1999
Message 1 of 5 (137 Views)

shadow vs trusted

hi all,

I have a system on which I have to protect the passwd file, but I don't want to convert it to trusted. Is there a way to implement some sort of shadow passwd file on a regular UNIX system without having to convert to a trusted system?

Thanks in advance.
Honored Contributor
Posts: 13,908
Registered: ‎06-21-2000
Message 2 of 5 (137 Views)

Re: shadow vs trusted

There is no shadow password file on HP-UX. It is available on Sun Solaris, though. Other than converting your system to trusted, there is no way I know of to protect the password file from prying eyes.
Honored Contributor
Posts: 5,684
Registered: ‎08-05-2000
Message 3 of 5 (137 Views)

Re: shadow vs trusted

Why not trust the system?

Do you use NIS? (This is the only reason I can think of for avoiding a trusted system.)

Respected Contributor
Posts: 211
Registered: ‎06-29-1999
Message 4 of 5 (137 Views)

Re: shadow vs trusted

Thanks for the responses.

The reason we didn't want to implement a trusted system had to do with passwd syncing, etc., for a ServiceGuard environment; also, its sister node in that environment runs PeopleSoft, which is not C2 certified.
Honored Contributor
Posts: 697
Registered: ‎06-04-1996
Message 5 of 5 (137 Views)

Re: shadow vs trusted

Trusted and C2 aren't the same thing. Just because it's trusted doesn't mean you meet the government's C2 certification criteria.

In HP'ese, if you are Trusted and you employ all of the safeguards required by the government, then you're C2. Many of the requirements have to do with auditing and the like (things you get by being trusted, but not necessarily things you have to use when you are trusted). If you're not DOD or DOE, you shouldn't have to worry about C2.

Given that, Trusted and Shadow are fairly similar. It's certainly possible to keep passwords sync'd between trusted and non-trusted systems; it just might be a little harder. Just as there are password extraction capabilities for non-trusted systems, there are similar capabilities for trusted systems:
man getprpwent
man getpwent

You can use these capabilities to keep things in sync.

Usually if a vendor doesn't run on a trusted system, it's because they haven't taken the 10 minutes required to conditionally reference the trusted system library calls and link to a library :-(.
