Friday, June 20, 2014

Basic difference between Trusted and Non-trusted System HPUX

 An HP-UX system is trusted if the file /tcb/files/auth/system/default is present. If that file is not present, then the system is not a trusted system.

The basic difference is:

Non-trusted - encrypted passwords are stored in the /etc/passwd file, which is world-readable. Potentially anyone could grab that file and run crack or some other password-cracking utility against it.

Trusted - encrypted passwords are NOT stored in /etc/passwd. They are instead stored in files in the /tcb/files/auth/ directory structure which is only readable by root.

Other advantages are that you have more control over when passwords expire, you can disable accounts after X number of bad logins in a row, etc.

 I think it is definitely worth it to have the system be trusted.
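The two checks described above (is the marker file present, and does the world-readable /etc/passwd still carry hashes) can be scripted as below. This is an added example, not part of the original post: the function names and the ROOT argument are hypothetical, and the sample accounts and hash strings are constructed.

```shell
#!/bin/sh
# Added example: audit where password hashes live on an HP-UX file tree.
# ROOT (hypothetical argument, default "/") lets the checks run against a
# copied or mounted tree as well as the live system.

# Print "trusted" if the marker file named in the post exists.
hpux_trust_mode() {
    root=${1:-/}
    if [ -f "${root%/}/tcb/files/auth/system/default" ]; then
        echo trusted
    else
        echo non-trusted
    fi
}

# Print accounts whose passwd password field holds a hash-like value, i.e.
# anything other than empty, "x", or a string starting with "*" or "!".
accounts_with_exposed_hash() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $2 == "" || $2 == "x" || $2 ~ /^[*!]/ { next }
        { print $1 }
    ' "$1"
}

# One-line summary: trust mode plus accounts whose hash any user can read.
audit_password_storage() {
    root=${1:-/}
    mode=$(hpux_trust_mode "$root")
    exposed=$(accounts_with_exposed_hash "${root%/}/etc/passwd" | tr '\n' ' ')
    echo "mode=$mode exposed=${exposed% }"
}

# Build a constructed sample tree (not real data) for trying this offline.
# $1 = "trusted" adds the marker file and stars out the password fields.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc"
    if [ "$1" = trusted ]; then
        mkdir -p "$dir/tcb/files/auth/system"
        : > "$dir/tcb/files/auth/system/default"
        printf 'root:*:0:3::/:/sbin/sh\nalice:*:101:20::/home/alice:/usr/bin/sh\n' > "$dir/etc/passwd"
    else
        printf 'root:Qx0aBcDeFgHiJ:0:3::/:/sbin/sh\nalice:Zz9yXwVuTsRqP:101:20::/home/alice:/usr/bin/sh\ndaemon:*:1:5::/:/sbin/sh\n' > "$dir/etc/passwd"
    fi
    echo "$dir"
}
```

A "trusted" result with a non-empty exposed list means the marker file is present but some /etc/passwd entries still hold hashes and need review.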

----------------------
For command line:
To convert
# /usr/lbin/tsconvert
To unconvert
# /usr/lbin/tsconvert -r

---------------------------

A few commands:

getprpw - get protected password database

/usr/lbin/getprpw <username> - displays the protected password database entry for the specified username

modprpw - modify protected password database

unlock / enable / reactivate:
/usr/lbin/modprpw -k <username>

lock / expire password:
/usr/lbin/modprpw -e <username>

Note:
-E This option is specified WITHOUT a user name to expire all users' passwords. It goes through the protected password database and zeroes the successful change time of all users. The result is that all users will need to enter a new password at their next login. May be combined with the -l option.

-e This expires the password of the specified username.

/usr/lbin/modprpw -k <username>       (This re-activates the account.)

/usr/lbin/modprpw -v <username>       (This resets password aging.)

Note:
-V This option is specified WITHOUT a user name to "validate/refresh" all users' passwords. It goes through the protected password database and sets the successful change time to the current time for all users. The result is that every user's password aging restarts at the current time.

-v This "validates/refreshes" the specified user's password. It sets the successful change time to the current time. Can be combined with the -l and/or -m options.



Thanks...
Kiran Jadhav

**Let's Share our knowledge**

