[HPADM] Re: SUMMARY Trusted system conversion

From: vinod kumar (vinodkumarmp@yahoo.com)
Date: Mon Feb 24 2003 - 20:19:41 EST


Thanks to ALL who responded to my email.

From the feedback I received:

- It is safe to convert to a Trusted system and back. No major issues faced.
- There is a limit on password length (8 characters) after you convert to a trusted system.
- It is OK to convert when applications are running. But if any of them use direct passwd file entries etc., they might have issues. These need to be taken care of.
- Have a separate telnet window with root. This is helpful if something goes wrong with the root passwd during conversion.
- A few people found the auditing report was not as useful as they expected and turned it off.
- Requires a lot of disk space and cleaning.

Below are the responses I received.

Thanks for the inputs

Vinod kumar

*************************
Enrico Nicolis

I have some problems in setting up usernames composed of more than 8 characters. I need these because of two reasons:
- samba access: the users (with usernames of more than 8 characters) already exist in an NT domain
- e-mail access: on HP-UX I have some users that read their e-mails via web, having the SMTP server on another box - where the usernames are of more than 8 chars.

Is it really impossible to create usernames of more than 8 characters under HP-UX? I tried some time ago to create these by hand, since this seems to be impossible through sam. Moreover, there are some procedures in sam (like creating a new user) that do a check on the /etc/group file, eliminating all the hand-made usernames composed of more than 8 characters.

***********************

dave

First thing to do is the important thing of: run pwck and grpck first and resolve any issues.

Then there should be no hassles in conversion - or reversion.

The only issue with going to trusted is that all passwords on the system will be expired.

You should have no issues with doing it - *if* your software is written properly (i.e. it doesn't try to access /etc/passwd!)

**************

brett
Pretty simple, the /etc/passwd and /etc/shadow (if it exists) are converted to files in another directory; changes to those will no longer apply to the authentication system.

No need to reboot and AFAIK you can convert back.

***************

Vinod (Digital)
I have done this and it has worked without any problem for the past 18 months. I too had the same doubts before enabling it, but it works cool.
Converting it back is not at all a problem, but it would be required to reset the users' passwords.
Note: Keep a root session active before and after converting. Sometimes during conversion, if your root password is not as per standard it would disable it; if you have kept it active you can reset it to standard.

************

V. T. Mueller

> We are planning to convert our hpux 11.11 system into a
> trusted system (basically to enable auditing).

Watch your diskspace. Auditing can *really* quickly grow out of bounds!

> I really appreciate if you can share your experience
> if you have done this before. One of my friends said
> there are issues if we convert to a trusted system.
> Does it need a reboot when we do convert? Any impact
> on running applications?

Depends. Have you applications running that authenticate using getpwent and friends? In trusted mode, there is getprpwent (along with bigcrypt instead of crypt) and a couple of other minor differences. So if you compiled ssh on your own you may screw it up. HP's ssh works around this.

We convert every system we get our hands on and never had any problems. One thing to care for, however, is password aging. Make sure it is disabled at least for root.

> Also as per the HP manuals, we can convert it back to
> non-trusted at any time. Has anybody tried
> this out?

Sure. You may issue tsconvert -r at any time. No problem with this except for the lousy security level.

***************

Adams, John
Yes, you can convert back and forth *almost* at will, it doesn't affect any applications, provided they're not actively reading /etc/passwd. (grin)

The biggest "gotcha" I can think of is that all passwords are truncated to 8 characters. Period. This is fine when you convert because all password entries are also truncated, but if you convert back out, it's a problem.

Example - my username is jadams, my password is Weekender. (it's not, of course)

I convert to trusted systems, my password is now Weekende. I can still log in typing Weekender because the final 'r' is dropped.

I convert back to "normal", and my password stays Weekende. Now, Weekender doesn't match Weekende, so my login will "fail".

I've also seen where some of the "shouldn't ever log in" accounts (bin, sys, uucp) end up with blank passwords. Not sure how that happens, I think it was a fluke, but it's something to check after converting.

Overall, I've had more good experiences with Trusted Systems than bad. Unless your idea of adding users is "vi /etc/passwd", you will too.
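The pre-conversion cleanup dave recommends (pwck/grpck) and the post-conversion check John describes above, as an added example that is not part of this thread: a small Python audit over a passwd-format file that flags malformed entries, usernames over 8 characters (Enrico's problem), blank password fields on accounts like bin/sys/uucp, and duplicate names or UIDs. The sample file, the 8-character limit as a parameter and the specific checks are constructed for illustration; run it against a copy of the file before converting and again after converting back, and still run pwck and grpck.

```python
from collections import Counter

# Constructed sample in /etc/passwd format (name:pw:uid:gid:gecos:dir:shell);
# not a real system's file. "bin" and "uucp" have the blank password field
# the thread warns about, "longusername1" exceeds 8 characters, "broken" is
# missing its shell field, and "dupuid" reuses jadams's UID.
SAMPLE_PASSWD = """\
root:ab9Xy1z2:0:3::/:/sbin/sh
bin::2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:/sbin/sh
uucp::5:5::/var/spool/uucppublic:/usr/lbin/uucp/uucico
jadams:Q1w2e3r4:101:20:John Adams:/home/jadams:/usr/bin/sh
longusername1:Z9y8x7w6:102:20:Samba user:/home/longusername1:/usr/bin/sh
broken:x:103:20:missing shell:/home/broken
dupuid:x:101:20:Duplicate UID:/home/dupuid:/usr/bin/sh
"""


def audit_passwd(text, max_name_len=8):
    """Return (name, problem) pairs found in passwd-format text.

    Checks: field count (the kind of entry pwck rejects), usernames over
    max_name_len, blank password fields (the account logs in with no
    password at all), non-numeric or shared UIDs, duplicate usernames.
    """
    problems = []
    names, uids = Counter(), Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0]
        if len(fields) != 7:
            problems.append((name, f"line {lineno}: expected 7 fields, got {len(fields)}"))
            continue
        pw, uid = fields[1], fields[2]
        names[name] += 1
        if uid.isdigit():
            uids[uid] += 1
        else:
            problems.append((name, f"non-numeric uid {uid!r}"))
        if len(name) > max_name_len:
            problems.append((name, f"username longer than {max_name_len} characters"))
        if pw == "":
            problems.append((name, "empty password field"))
    problems += [(n, "duplicate username") for n, c in names.items() if c > 1]
    problems += [(u, f"uid shared by {c} accounts") for u, c in uids.items() if c > 1]
    return problems


if __name__ == "__main__":
    for name, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {problem}")
```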

****************

Aynal

As per my knowledge, if you convert your OS to a trusted system NIS won't work.
Regarding reboot, it is not required, and again you may go back to a non-trusted system at any time.
**********************

Steve Illgen
We converted to trusted systems some time ago on all of our systems. Here are some things to consider:

1. It is not necessary to reboot. The procedure is extremely simple and can be done "on the fly."

2. Before converting, make sure all of your passwords are eight characters or less. I had to change some passwords after converting in order to login (bug, perhaps?)

3. You can easily revert back to an untrusted system. I had to do this several times during testing and experienced no problems. This can also be done "on the fly."

4. If you are going to use HP's auditing package, make sure you limit which accounts and what needs to be audited. The files grow very rapidly. Personally, I have it turned off most of the time. Frankly, the information is hard to interpret and there are other packages which can monitor system usage which are much more "user friendly" than the auditing package.

5. Once your trusted system is set up, make sure you configure the default password aging policies (e.g. password expiration). Once you do this, configure password aging policies for "key" accounts such as root. Keep track of these configurations and let your users know what they are.

Overall, I've been very pleased with the trusted systems and don't believe you will have any problems with it either.

****************

Bill Hassell

It is a completely trivial task and takes just a few seconds as it only affects the password file. The issues are always with poorly written software that expects to see a standard password file or tries to manipulate the password file. A trusted system simply moves the password field to a special directory that no one except root can read. And it adds more than a dozen new controls over login and password choices.

**************************

Ted F. Fisher

You can convert quickly and easily with no reboot and
no disruption of applications, etc. The only real
immediate impact is that new rules are implemented
immediately. Things like password aging are turned on
instantly. Since it starts the clock on aging it does
not (in theory) cause any immediate impact. I've seen
it occasionally get confused on a couple of users and
disable them because of aging. On HPUX 10.20 below a
certain patch level (can't remember which patch, but
it was way back) I had it disable a bunch of accounts.
If your system is fairly current with patching
though, it should not have any problems. I've done
many that were completely uneventful. Just be aware
that new things are turned on that could cause users
to get disabled for new reasons that you've not dealt
with before. It's a good idea to go into sam and
review the security policies. These can be set for
each user, but the default policies will usually apply
to most so make sure to check what these are and learn
what they do. As far as converting back afterward,
I've done it several times with no problems (I had an
issue with this one time, but it was on a pretty
messed up old 10.20 system).

*******************************

ryan green

We use trusted (tcb) mode on all our HP's. We have had no problems, except with the IBM DB2 application. IBM "doesn't support" DB2 in HP trusted mode yet, but support is forthcoming.

It does NOT require a reboot to convert or unconvert. It MAY require all users to change their passwords on the next login, depending on how you run the conversion. I've never run the conversion with applications running so I'm not able to comment on that.

Keep in mind there are several options available to you in trusted mode. Review the options and decide which ones meet your requirements/standards.

I'm not sure of the issues your friend mentions; besides DB2, the only other thing we have found out in five years of running tcb is that HP does not and will not support tcb and LDAP on Unix. It's one or the other.

***************

Rita

Hmmm...I considered this, but rejected going to trusted. So much overhead for disk - who was going to watch and audit the audit files...and the fact that it is all or nothing. You audit everybody, or nobody.

I looked around and found some third party software that met my needs to audit...but on a when-I-want-to-audit and who-I-want-to-audit basis. Basically a software I could selectively toggle on/off whenever I wanted. For my environment this made a much better fit. I finally went with Symark's product called PowerBroker that I found at HPWorld. It has worked for us. But like I said there are others that do similar things.

************************


--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:26 EDT